Hackers are passing around a vast database of 2.2 billion unique names and passwords skimmed from some of the biggest data breaches like Dropbox and LinkedIn. Collection #1 and #2-5 have been uncovered by several security researchers.
https://twitter.com/shyftnetwork/status/1090993613574729728
Expert comments below:
Ryan Wilk, VP of Customer Success at NuData Security:
“This latest dump of names and passwords reveals the enormity of the exposure of personal information worldwide and how cheap or free personal information has become as hackers try to race to squeeze the last value out of it. New technologies that don’t rely on passwords, like behavioral analytics and passive biometrics, are thwarting fraudsters who are increasingly failing at their account takeover attempts. These new authentication platforms are devaluing this type of personal information, removing stolen credentials from the equation.”
Anthony James, Chief Strategy Officer at CipherCloud:
“The cyberwar over your data privacy has pretty much been declared and we’re taking very heavy fire. There are now over 2.2 billion unique passwords and credentials offered for free on the dark web. This is rumored to be supplemented by another collection of authentication data, which may total 25 billion records. So much has been stolen and breached that the cyberthieves are obviously trading these massive databases among themselves. What can you do? Use a unique password for each account and change them on a regular basis, favor vendors that provide 2-factor authentication (2FA), and to the greatest extent practical, encrypt all of your data.”
Frederik Mennes, Senior Manager Market & Security Strategy at OneSpan:
2.2 billion unique records is a staggering number. We are becoming accustomed to breach notification news, but sad to say, the use of multi-factor authentication is still not utilised whenever and wherever possible. Companies should remember that easy targets will continue to be exploited first, because cybercrime follows the path of least resistance. Technology is evolving, and next-generation authentication, intelligent adaptive authentication, is gaining momentum. This technology utilises AI and machine learning to score vast amounts of data, and based on patterns, analyses the risk of a situation and adapts the security and required authentication accordingly.
Steven Murdoch, Chief Security Architect at OneSpan:
This password leak shows that large quantities of stolen passwords are readily available to anyone, regardless of how low their budget. However, data from recent breaches will be considerably more expensive to obtain.
Companies should recognise the limitations of password authentication and are in the best position to mitigate the weaknesses. They should implement additional measures, such as detection of suspicious behaviour. Two-factor authentication, or even better, FIDO/U2F, should be offered to customers. Customers can also help by not re-using passwords across multiple sites and using a password manager if needed. The website https://twofactorauth.org gives instructions on how to enable two-factor authentication on many popular sites, as enabling 2FA, and preferably FIDO/U2F, will significantly help to improve their security.
Tom Garrubba, Sr. Director at Shared Assessments:
This is indeed a massive amount of records, and since we don’t know all of the sources of these breached records, the importance of a healthy third-party risk management program that includes continuous monitoring and effective threat management over your organization’s data becomes even more crucial than ever. All data connection points need to be understood, reviewed, assessed, and continuously monitored in alignment with the outsourcing organization’s risk posture to ensure that both they as the outsourcer and their full network of service providers and other third parties with whom they share data are all fulfilling the security and privacy expectations laid out in their contracts.
For those individuals who have not yet locked down their credit history and files, it’s worth considering. Basic steps to do this are at:
https://www.consumer.ftc.gov/articles/0497-credit-freeze-faqs#place
Frederik Mennes, Senior Manager Market & Security Strategy at Security Competence Center OneSpan:
2.2 billion records is a staggering number. We are becoming accustomed to breach notification news, but sad to say, the use of multi-factor authentication is still not utilized whenever and wherever possible.
MFA combines at least two out of three of the following technologies: something you know (such as a PIN), something you have (such as an authentication app on the smartphone) or something you are (such as a fingerprint or facial recognition). The passwords that are generated only last for a limited period of time, which makes it useless for hackers to intercept and reuse them.
Technology is evolving. Next-generation authentication, intelligent adaptive authentication, is gaining momentum. This technology ensures the precise level of security for each level of interaction with the best possible experience for the user. Adaptive authentication utilizes AI and machine learning to score vast amounts of data. Based on patterns, it analyses the risk of a situation and adapts the security and required authentication accordingly.
Companies should remember that easy targets will continue to be exploited first, because cybercrime follows the path of least resistance. Applying multi-factor authentication may stop an attacker as the attacker might go after only users that have not enabled stronger authentication.
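The time-limited one-time passwords mentioned in the comment above, as an added example that is not part of the original post or of any vendor's product: a minimal RFC 6238 TOTP generator and verifier using only the Python standard library. The secret is the RFC's published SHA-1 test-vector secret, not a real credential; the example shows that a code valid in one 30-second window is rejected when replayed later, which is the property the comment describes.

```python
import base64
import hashlib
import hmac
import struct

# RFC 6238 test-vector secret "12345678901234567890", base32-encoded (demo only).
DEMO_SECRET_B32 = "GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ"
STEP_SECONDS = 30
DIGITS = 6


def hotp(secret: bytes, counter: int, digits: int = DIGITS) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the big-endian counter, dynamically truncated."""
    digest = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = digest[-1] & 0x0F
    code = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(secret_b32: str, at_time: int, step: int = STEP_SECONDS) -> str:
    """RFC 6238 TOTP: HOTP with the counter derived from the current time step."""
    return hotp(base64.b32decode(secret_b32), at_time // step)


def verify_totp(secret_b32: str, code: str, at_time: int,
                step: int = STEP_SECONDS, skew_steps: int = 1) -> bool:
    """Server-side check: accept the current step plus/minus a small clock-skew
    window, comparing in constant time. A code from an old window never matches."""
    secret = base64.b32decode(secret_b32)
    counter = at_time // step
    return any(
        hmac.compare_digest(hotp(secret, c), code)
        for c in range(counter - skew_steps, counter + skew_steps + 1)
    )


if __name__ == "__main__":
    captured = totp(DEMO_SECRET_B32, 59)          # code "intercepted" at T=59
    print("code at T=59:", captured)               # 287082 (RFC 6238 vector)
    print("accepted at T=89:", verify_totp(DEMO_SECRET_B32, captured, 89))
    print("replayed at T=1234567890:",
          verify_totp(DEMO_SECRET_B32, captured, 1234567890))
```

The expected values come from the RFC 6238 Appendix B test vectors (the 8-digit codes truncated to 6 digits).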
Oliver Muenchow, Security Evangelist at Lucy Security:
“There are billions of records out there accessible to anyone who looks. We’ve seen the data from collection one…in fact, anyone can put those old records in a zip and give them a label like collection 1, collection 2, or 3.”
The opinions expressed in this post belong to the individual contributors and do not necessarily reflect the views of Information Security Buzz.