PayAsUGym, a fitness website, has confirmed that 300,000 email addresses and passwords were accessed on Thursday last week after one of its servers was hacked. A hacker using the handle 1×0123 took to Twitter on Friday, posting screenshots of the hacked database. IT security experts from Digital Guardian, WhiteHat Security, Barracuda Networks and Lieberman Software commented below.
Luke Brown, VP and GM EMEA, India and LatAm at Digital Guardian:
“It’s easy to think that breaches from consumer sites like PayAsUGym do not affect businesses, but it’s certainly possible that some customers have used their business email address to sign up to these services. Using the compromised login details, hackers can attempt to hijack the email accounts, steal more data, and target the victims’ friends, family and place of work in advanced social engineering attacks. This highlights why it’s so important for businesses to make sure that employees can’t use the same password for their personal and professional accounts. Implementing a good password policy will ensure that these increasingly common login ‘dumps’ can’t be used to access or steal sensitive corporate information.”
Ryan O’Leary, VP Threat Research Centre at WhiteHat Security:
“Companies should be forcing users to practice good security habits, as it’s the only way people will create and keep secure passwords. You see this today with tighter password policies. Needing at least one lowercase, one upper case, one number and one special character is great, but we should also be forced to change our passwords on a regular basis. That way, if a person’s password is compromised and they use it on multiple sites, they will soon be asked to update it, thereby lessening the window of exposure. We now also have two factor authentication that texts, emails or calls you to prove your identity. These are all controls to force users to have better password habits and therefore protect themselves from cybercrime. It’s difficult to make the average user accountable when the websites they are using can easily enforce tighter security controls, and should.”
Wieland Alge, VP & GM EMEA at Barracuda Networks:
“The server breach at PayAsUGym highlights that not enough is being done to get the correct security procedures and systems in place. Businesses of all sizes, in all industries have a duty of care to ensure that they have robust security systems in place to protect their own and their customers’ data. Although the attackers were not able to get their hands on payment card or personal information, simply gaining access to email addresses and passwords can lead to serious problems for customers. The fact is that most consumers re-use their passwords and so the attackers will try to use the compromised details to access other accounts. This breach also leaked enough details to leave customers open to targeted phishing attacks.”
Jonathan Sander, VP of Product Strategy at Lieberman Software:
“Today’s cybersecurity reality is that the time to change your password is always right now. The number and rate of breaches are both increasing. Any password that has existed for more than a few hours is an increased risk. Automation is your best weapon. The world’s most advanced organizations have known this for a long time and have been automating their own password changes on the systems they manage. There are consumer level solutions that allow everyday users to do the same. These password managers let you easily maintain unique, complex passwords for every online service you use – which is key to protecting yourself today, and these services will also change these passwords for you regularly to ensure that each service password stays fresh and uncompromised. Doing this work on your own is cumbersome and error prone. Most fall into the terrible habit of having the same password across many sites, which makes the bad guys’ work so much easier. They attack the weakest site and end up with passwords for perhaps your most valuable data since the password is the same.”
Could these attacks be connected, perhaps linked to the Yahoo breach?
“There’s no direct evidence of a link to the Yahoo breach, but it certainly wouldn’t be unusual. Bad guys know laziness drives people to use the same username and password combination over many sites. When they get a treasure trove like the one from Yahoo, one of the first things the criminals will do is try to use those passwords to log in to other services. This could also be due diligence on the part of the other sites. Maybe their security staff simply understands the realities well enough that they decided to ask for user action just in case the shockwaves from Yahoo may be heading for their services as well.
Once big blobs of data like this are breached, they end up in many places. They hit black markets. They are passed around in dark corners of the Internet where bad guy experts brag to each other about their skills.”
Is there a way that people can find all the accounts their email or password is registered to?
“If you are using a password manager, either an online service like LastPass or something like Chrome’s built in password management, then finding where you have all the accounts is easy. If you’re doing it all in your head, then it’s as easy as it is for you to remember large volumes of data you didn’t think was that important when you first dealt with it.”
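The two questions the commentators answer above (which accounts does a given email address have, and which other sites share a password that has just been leaked) can be answered mechanically from a password-manager export. The script below is an added example written for this page, not code from the article or from any of the vendors quoted; it assumes a LastPass-style CSV export whose columns are `url,username,password,totp,extra,name,grouping,fav`, and the vault contents are constructed sample data, not real credentials.

```python
"""Audit a password-manager CSV export for account lookup and password reuse.

Added example for this page (not from the article or any vendor). Assumes a
LastPass-style export: url,username,password,totp,extra,name,grouping,fav.
"""
import csv
import hashlib
import io
from collections import defaultdict

# Constructed sample export: fake sites, addresses and passwords for illustration.
SAMPLE_EXPORT = """url,username,password,totp,extra,name,grouping,fav
https://www.payasugym.example/login,alice@corp.example,Summer2016!,,,PayAsUGym,Fitness,0
https://mail.yahoo.example,alice@corp.example,Summer2016!,,,Yahoo Mail,Email,0
https://shop.example,alice.personal@gmail.example,Tr0ub4dor&3,,,Shop,Shopping,0
https://bank.example,alice@corp.example,correct horse battery staple,,,Bank,Finance,1
https://forum.example,alice_p,Summer2016!,,,Forum,Social,0
"""


def load_export(text):
    """Parse the CSV export text into a list of dicts, one per vault entry."""
    return list(csv.DictReader(io.StringIO(text)))


def accounts_for_email(entries, email):
    """Site names where `email` is the stored username (case-insensitive)."""
    email = email.strip().lower()
    return sorted(e["name"] for e in entries
                  if e["username"].strip().lower() == email)


def password_reuse(entries):
    """Group entries by password; return only groups used on more than one site.

    Groups are keyed by a truncated SHA-256 digest so the report itself never
    carries plaintext passwords.
    """
    groups = defaultdict(list)
    for e in entries:
        digest = hashlib.sha256(e["password"].encode("utf-8")).hexdigest()[:12]
        groups[digest].append(e["name"])
    return {d: sorted(names) for d, names in groups.items() if len(names) > 1}


def exposure_report(entries, breached_site):
    """If `breached_site` leaks its passwords, which other sites share that password?

    This is the credential-stuffing exposure described in the comments above.
    Returns an empty list when the site is unknown or its password is unique.
    """
    pw_by_name = {e["name"]: e["password"] for e in entries}
    pw = pw_by_name.get(breached_site)
    if pw is None:
        return []
    return sorted(e["name"] for e in entries
                  if e["password"] == pw and e["name"] != breached_site)


def work_email_on_external_sites(entries, work_domain):
    """Entries where a work address is the username on a site outside `work_domain`.

    These are the sign-ups that turn a consumer-site breach into a corporate
    phishing and account-takeover problem.
    """
    work_domain = work_domain.lower()
    return sorted(e["name"] for e in entries
                  if e["username"].lower().endswith("@" + work_domain)
                  and work_domain not in e["url"].lower())


if __name__ == "__main__":
    vault = load_export(SAMPLE_EXPORT)
    print("accounts for alice@corp.example:", accounts_for_email(vault, "alice@corp.example"))
    for digest, names in password_reuse(vault).items():
        print("password", digest, "reused on:", names)
    print("if PayAsUGym leaks, also change:", exposure_report(vault, "PayAsUGym"))
    print("work address used externally on:", work_email_on_external_sites(vault, "corp.example"))
```

Run against a real export, the `exposure_report` output is the list of sites to re-credential first after a breach notice such as PayAsUGym's; `password_reuse` gives the backlog to clear with unique passwords before the next one. Delete the export file once the audit is done, since it holds every credential in plaintext.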
The opinions expressed in this post belong to the individual contributors and do not necessarily reflect the views of Information Security Buzz.