In response to the Tumblr and Myspace breach news, security experts from InfoArmor, Lastline and Balabit commented below.
Andrew Komarov, Chief Intelligence Officer, InfoArmor:
We have access to the stolen information, and can confirm that Tumblr’s database is hashed, using its own algorithm, and all the passwords with salt. That’s why without it – it is impossible to decrypt it. To do so would be long-term brute forcing of an unknown hash type with no salt. Previously, some cybercriminals claimed to name it the “Dropbox” database, but it was not confirmed, and it created some confusion in the security community.
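The comment above turns on the difference between a bare hash and a salted, slow hash. The following is an added illustration, not code from the article or from Tumblr (whose actual scheme the comment describes only as "its own algorithm"): it uses PBKDF2-HMAC-SHA256 as a stand-in, with constructed sample accounts, and includes the audit check a defender can run against their own credential table to tell the two cases apart (duplicate hash values only appear when there is no per-user salt).

```python
import hashlib
import hmac
import secrets
from collections import Counter
from typing import Optional

# Constructed sample accounts; passwords here are illustrative only.
SAMPLE_ACCOUNTS = {
    "alice": "password",
    "bob": "password",          # deliberately the same password as alice
    "carol": "correct horse battery staple",
}


def hash_unsalted(password: str) -> str:
    """One fast hash of the bare password. Equal passwords give equal hashes,
    so a dump leaks which users share a password and a single precomputed
    table serves every record at once."""
    return hashlib.sha256(password.encode()).hexdigest()


def hash_salted(password: str, salt: Optional[bytes] = None, iterations: int = 50_000) -> str:
    """PBKDF2-HMAC-SHA256 with a random 16-byte per-user salt and a high
    iteration count. The salt is stored beside the hash (it is not secret);
    it makes every record unique so each one must be attacked on its own,
    and the iteration count makes every guess slow."""
    if salt is None:
        salt = secrets.token_bytes(16)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return f"pbkdf2_sha256${iterations}${salt.hex()}${dk.hex()}"


def verify_salted(password: str, stored: str) -> bool:
    """Recompute with the stored salt and iteration count, compare in constant time."""
    _, iterations, salt_hex, dk_hex = stored.split("$")
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), bytes.fromhex(salt_hex), int(iterations))
    return hmac.compare_digest(dk.hex(), dk_hex)


def duplicate_hash_groups(stored_hashes) -> int:
    """Defender-side audit: number of distinct hash values that occur more than
    once in the table. Anything above 0 means there is no per-user salt (or a
    fixed one), and the table already reveals password reuse across users."""
    return sum(1 for count in Counter(stored_hashes).values() if count > 1)


def audit(accounts=SAMPLE_ACCOUNTS) -> dict:
    """Run the duplicate check over the sample accounts stored both ways."""
    unsalted = [hash_unsalted(p) for p in accounts.values()]
    salted = [hash_salted(p) for p in accounts.values()]
    return {
        "unsalted_duplicate_groups": duplicate_hash_groups(unsalted),  # alice and bob collide
        "salted_duplicate_groups": duplicate_hash_groups(salted),      # every record is unique
    }


if __name__ == "__main__":
    print(audit())
```

The audit only needs the stored hash column, not any passwords, so it is safe to run as a routine check on a production table; the iteration count is a placeholder and should be tuned to the hardware in use.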
Craig Kensek, Security Expert, Lastline:
The lessons from these most recent hacks are the same as those for many of the others. In this case, the number of passwords stolen is huge. The organizations themselves need to invest in newer technologies to protect against the increasing complexity of attacks. It’s good that they salted the passwords. That wasn’t enough. Multi-factor authentication will make it much more difficult for any stolen passwords to be used. For individuals, the advice is: don’t ever use the same passwords across multiple accounts, do change them on a regular basis, and definitely consider licensing a password manager. Just a little bit of paranoia can go a long way in protecting your passwords and your identity.
István Szabó, PhD, Product Manager, syslog-ng, Balabit:
“Passwords are the most traditional way of protecting accounts. These breaches show the inherent weakness of over-relying on passwords as the only means of protecting accounts and sensitive information. Anyone who has the credentials will be granted access if ever the credentials used are stolen from the legitimate user.
“Organisations need to think about deploying additional tools that can substantially increase information security without further constraining the business and hindering legitimate users. Monitoring activities and using user behavior analytics on the collected data set, and especially monitoring the activities of privileged users whose accounts enable access to very critical information, is a promising new approach. User behavior analytics can help detect, alert and block access to an organization’s data automatically, if an attacker attempts to use the stolen credentials.”
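As an added example of the behaviour-analytics idea in the comment above (not code from Balabit or syslog-ng), the block below learns each user's usual login sources from a baseline of constructed, syslog-style authentication lines, then evaluates a recent window for two patterns that stolen credentials tend to produce: a successful login from a source the user has never used, rated higher for privileged accounts, and one source touching many different accounts. The log format, account names and thresholds are all assumptions made for the illustration.

```python
import re
from collections import defaultdict

# Constructed log lines in a simple, hypothetical syslog-like layout.
# BASELINE_LINES: historical successes used to learn each user's usual sources.
# RECENT_LINES: the window being evaluated.
BASELINE_LINES = [
    "2016-05-20T08:01:10Z auth: user=alice src=10.1.1.5 result=ok",
    "2016-05-21T08:03:42Z auth: user=alice src=10.1.1.5 result=ok",
    "2016-05-20T09:15:00Z auth: user=bob src=10.1.2.9 result=ok",
    "2016-05-22T09:20:31Z auth: user=bob src=10.1.2.9 result=ok",
    "2016-05-21T17:45:03Z auth: user=admin src=10.1.0.2 result=ok",
]
RECENT_LINES = [
    "2016-05-30T02:14:55Z auth: user=alice src=203.0.113.7 result=ok",    # new source for alice
    "2016-05-30T02:15:01Z auth: user=bob src=203.0.113.7 result=fail",
    "2016-05-30T02:15:04Z auth: user=carol src=203.0.113.7 result=fail",
    "2016-05-30T02:15:09Z auth: user=admin src=203.0.113.7 result=ok",    # privileged, new source
    "2016-05-30T08:02:17Z auth: user=bob src=10.1.2.9 result=ok",          # matches bob's baseline
]
PRIVILEGED_USERS = {"admin"}  # assumed list of high-value accounts

LOG_RE = re.compile(
    r"^(?P<ts>\S+) auth: user=(?P<user>\S+) src=(?P<src>\S+) result=(?P<result>ok|fail)$"
)


def parse(lines):
    """Turn matching lines into dicts; lines that do not fit the format are skipped."""
    events = []
    for line in lines:
        m = LOG_RE.match(line)
        if m:
            events.append(m.groupdict())
    return events


def learn_baseline(events):
    """Per user, the set of sources from which successful logins were seen."""
    known = defaultdict(set)
    for e in events:
        if e["result"] == "ok":
            known[e["user"]].add(e["src"])
    return known


def analyze(baseline_lines, recent_lines, privileged=PRIVILEGED_USERS, stuffing_threshold=3):
    """Return alerts as (severity, action, rule, subject, source) tuples.
    High severity maps to an automatic block plus alert, medium to alert only."""
    known = learn_baseline(parse(baseline_lines))
    users_per_src = defaultdict(set)
    alerts = []

    for e in parse(recent_lines):
        users_per_src[e["src"]].add(e["user"])
        # Rule 1: a success from a source this user has never logged in from.
        if e["result"] == "ok" and e["src"] not in known.get(e["user"], set()):
            severity = "high" if e["user"] in privileged else "medium"
            action = "block+alert" if severity == "high" else "alert"
            alerts.append((severity, action, "new-source-login", e["user"], e["src"]))

    # Rule 2: one source trying many distinct accounts in the window.
    for src, users in users_per_src.items():
        if len(users) >= stuffing_threshold:
            alerts.append(("high", "block+alert", "many-accounts-one-source",
                           ",".join(sorted(users)), src))
    return alerts


if __name__ == "__main__":
    for alert in analyze(BASELINE_LINES, RECENT_LINES):
        print(alert)
```

In practice the baseline would be learned from weeks of collected logs rather than five lines, and the "block" action would be wired to the identity provider or session layer; the point of the example is that both rules need only the fields a normal authentication log already carries.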