PayAsUGym, a fitness website, has confirmed that 300,000 email addresses and passwords were accessed on Thursday last week after one of its servers was hacked. The hacker 1×0123 took to Twitter on Friday, posting screenshots of the hacked database. IT security experts from Digital Guardian, WhiteHat Security, Barracuda Networks and Lieberman Software commented below.
Luke Brown, VP and GM EMEA, India and LatAm at Digital Guardian:
“It’s easy to think that breaches from consumer sites like PayAsUGym do not affect businesses, but it’s certainly possible that some customers have used their business email address to sign up to these services. Using the compromised login details, hackers can attempt to hijack the email accounts, steal more data, and target the victims’ friends, family and place of work in advanced social engineering attacks. This highlights why it’s so important for businesses to make sure that employees can’t use the same password for their personal and professional accounts. Implementing a good password policy will ensure that these increasingly common login ‘dumps’ can’t be used to access or steal sensitive corporate information.”
“Companies should be forcing users to practice good security habits, as it’s the only way people will create and keep secure passwords. You see this today with tighter password policies. Needing at least one lowercase, one upper case, one number and one special character is great, but we should also be forced to change our passwords on a regular basis. That way, if a person’s password is compromised and they use it on multiple sites, they will soon be asked to update it, thereby lessening the window of exposure. We now also have two factor authentication that texts, emails or calls you to prove your identity. These are all controls to force users to have better password habits and therefore protect themselves from cybercrime. It’s difficult to make the average user accountable when the websites they are using can easily enforce tighter security controls, and should.”
“The server breach at PayAsUGym highlights that not enough is being done to get the correct security procedures and systems in place. Businesses of all sizes, in all industries have a duty of care to ensure that they have robust security systems in place to protect their own and their customers’ data. Although the attackers were not able to get their hands on payment card or personal information, simply gaining access to email addresses and passwords can lead to serious problems for customers. The fact is that most consumers re-use their passwords and so the attackers will try to use the compromised details to access other accounts. This breach also leaked enough details to leave customers open to targeted phishing attacks.”
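The two practical controls raised in the comments above, a complexity policy and a refusal to accept credentials that already appear in a leaked login dump, can be enforced at the point where a user sets a password. The following is an added example written for this page, not code from PayAsUGym or any of the vendors quoted; the dump contents are constructed sample data, and the function names are hypothetical.

```python
import hashlib
import re
from typing import List, Optional, Set

# Constructed sample of what a leaked "email:password" dump looks like. It exists
# only to build a blocklist of breached password hashes for this example.
SAMPLE_DUMP = """\
alice@example.com:Summer2016!
bob@example.com:Password1
carol@example.com:qwerty123
"""


def breached_hashes(dump_text: str) -> Set[str]:
    """Reduce a leaked dump to a set of SHA-1 digests of the passwords it contains.

    Keeping only digests means the policy check never needs the plaintext dump on disk.
    """
    digests = set()
    for line in dump_text.splitlines():
        if ":" not in line:
            continue  # skip malformed lines rather than failing the whole load
        _, password = line.split(":", 1)
        digests.add(hashlib.sha1(password.encode("utf-8")).hexdigest())
    return digests


BREACHED = breached_hashes(SAMPLE_DUMP)

# The character classes named in the comments above: lower, upper, digit, special.
COMPLEXITY = [
    (re.compile(r"[a-z]"), "lowercase letter"),
    (re.compile(r"[A-Z]"), "uppercase letter"),
    (re.compile(r"[0-9]"), "digit"),
    (re.compile(r"[^A-Za-z0-9]"), "special character"),
]


def check_password(
    candidate: str,
    current: Optional[str] = None,
    breached: Set[str] = BREACHED,
    min_len: int = 12,
) -> List[str]:
    """Return the list of policy violations for a candidate password (empty means accepted).

    Checks, in order: minimum length, the four character classes, reuse of the
    current password on rotation, and presence in the known-breach blocklist.
    """
    problems = []
    if len(candidate) < min_len:
        problems.append(f"shorter than {min_len} characters")
    for pattern, name in COMPLEXITY:
        if not pattern.search(candidate):
            problems.append(f"missing {name}")
    if current is not None and candidate == current:
        problems.append("same as current password")
    if hashlib.sha1(candidate.encode("utf-8")).hexdigest() in breached:
        problems.append("appears in a known breach dump")
    return problems


if __name__ == "__main__":
    for pw in ("Summer2016!", "Password1", "Tr0ub4dor&3-correct"):
        print(pw, "->", check_password(pw) or "accepted")
```

The breach blocklist is consulted by hash so a production deployment could load digests from a vetted source without ever storing the plaintext dump; the rest of the checks are the complexity and rotation rules the commentators describe.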
“Today’s cybersecurity reality is that the time to change your password is always right now. The number and rate of breaches are both increasing. Any password that has existed for more than a few hours is an increased risk. Automation is your best weapon. The world’s most advanced organizations have known this for a long time and have been automating their own password changes on the systems they manage. There are consumer level solutions that allow everyday users to do the same. These password managers let you easily maintain unique, complex passwords for every online service you use – which is key to protecting yourself today, and these services will also change these passwords for you regularly to ensure that each service password stays fresh and uncompromised. Doing this work on your own is cumbersome and error prone. Most fall into the terrible habit of having the same password across many sites, which makes the bad guys’ work so much easier. They attack the weakest site and end up with passwords for perhaps your most valuable data since the password is the same.”
Could these attacks be connected, perhaps linked to the Yahoo breach?
“There’s no direct evidence of a link to the Yahoo breach, but it certainly wouldn’t be unusual. Bad guys know laziness drives people to use the same username and password combination over many sites. When they get a treasure trove like the one from Yahoo, one of the first things the criminals will do is try to use those passwords to log in to other services. This could also be due diligence on the part of the other sites. Maybe their security staff simply understands the realities well enough that they decided to ask for the user action just in case the shockwaves from Yahoo may be heading for their services as well.
Once big blobs of data like this are breached, they end up in many places. They hit black markets. They are passed around in dark corners of the Internet where bad guy experts brag to each other about their skills.”
Is there a way that people can find all the accounts their email or password is registered to?
“If you are using a password manager, either an online service like LastPass or something like Chrome’s built in password management, then finding where you have all the accounts is easy. If you’re doing it all in your head, then it’s as easy as it is for you to remember large volumes of data you didn’t think was that important when you first dealt with it.”
ISBuzz Team embodies the collaborative efforts of the dedicated staff at Information Security Buzz, converging a wide range of skills and viewpoints to present a unified, engaging voice in the information security realm. This entity isn't tied to a single individual; instead, it's a dynamic embodiment of a team diligently working behind the scenes to keep you updated and secure. When you read a post from ISBuzz Team, you're receiving the most relevant and actionable insights, curated and crafted by professionals tuned in to the pulse of the cybersecurity world. ISBuzz Team - your reliable compass in the fast-evolving landscape of information security