Talking about password breaches ends up sounding a lot like talking about a burglary. The hackers (thieves) get in, get your stuff, and make off with it to sell it (fence) on the black market. After we make a flurry of password changes we move on. “It is quite a feat not to have had an email address or other personal information breached over the past decade,” Jake Moore, a cybersecurity expert at ESET UK, recently told The Guardian.
But while we return to our busy lives, we forget that hackers are patient. Collection #1, reportedly the largest combination of breached password data ever posted to a hacking site, illustrates that patience very clearly.
Hacker patience means that hacking is rarely a one-and-done invasion of your privacy. They’re piecing together data from larger and smaller hacks to put together as much of your digital identity as possible.
The lone hacker in a hoodie is actually a hacker working in concert with a range of other hackers — sharing, buying and selling data that can be fed into automated attacks that would only be worthwhile with large data sets.
Troy Hunt, who runs Have I Been Pwned, lays out the details:
- 2,692,818,238 rows of information
- 1,160,253,228 unique combinations of email addresses and passwords
- 772,904,991 unique email addresses
By identifying some of his own past email/password combinations in the data, Hunt was able to state that the collection includes passwords that had been stored using cryptographic hashing but have since been cracked. Hunt recommends storing passwords in a vault like 1Password for security and ease.
Password managers are one of the few security constructs that actually make your life easier. Take logging onto a mobile app with @1Password on iOS: tap the email field, choose the account, Face ID, login button, job done! Not a single character typed 😎 pic.twitter.com/6ZKcGHfHhq
— Troy Hunt (@troyhunt) January 13, 2019
For individuals, Hunt’s advice about switching to a password manager is echoed by Auth0’s CISO/VP of Operations Joan Pepin. “If you use the same key to secure every building on that block, when someone gets that key, the whole block is owned. And the compromise of one of those accounts equals the compromise of all the accounts. I have added over a thousand account passwords to my 1Password in six years. Mathematically, if each of them needs a new password, what else could I possibly do?”
Because passwords are leaked all the time, multi-factor authentication (MFA) provides another layer of protection. MFA methods include hardware and device-based authenticators.
For companies looking to protect their users and servers from credential stuffing, a type of brute-force attack in which leaked email and password pairs are tried automatically against other services, MFA and breached password detection, both offered through Auth0, can help ward off the attack.
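As an added illustration (not code from Auth0 or Have I Been Pwned), this sketch shows how a breached password check can be made without sending the password itself: the client hashes it and sends only the first five hex characters of the SHA-1 digest to the lookup service, modelled on a k-anonymity range query. The breach corpus, its counts and the signup/login policy below are constructed for the example.

```python
import hashlib

# Constructed stand-in for a breach corpus ("Collection #1"-style dump):
# plaintext -> how many times it was seen. Values are made up for the example.
BREACHED_PLAINTEXTS = {
    "password": 3_500_000,
    "123456": 20_000_000,
    "letmein": 2_000,
    "Summer2018!": 42,
}

def sha1_hex(password: str) -> str:
    return hashlib.sha1(password.encode("utf-8")).hexdigest().upper()

def build_range_index(plaintexts):
    """Lookup-service side: index the corpus by the first 5 hex chars of the
    SHA-1 hash (the 'range'), storing only the remaining 35 chars and a count."""
    index = {}
    for pw, count in plaintexts.items():
        digest = sha1_hex(pw)
        index.setdefault(digest[:5], []).append((digest[5:], count))
    return index

def range_query(index, prefix: str):
    """Lookup-service side: the service learns only this 5-char prefix,
    which many unrelated passwords share, and returns the whole range."""
    if len(prefix) != 5:
        raise ValueError("range prefix must be exactly 5 hex characters")
    return list(index.get(prefix, []))

def breach_count(password: str, index) -> int:
    """Client side: hash locally, fetch one range, match the suffix locally."""
    digest = sha1_hex(password)
    prefix, suffix = digest[:5], digest[5:]
    for cand_suffix, count in range_query(index, prefix):
        if cand_suffix == suffix:
            return count
    return 0

def password_decision(password: str, index, at_login: bool) -> str:
    """Assumed policy: reject a breached password at signup; at login, admit
    the user only after a second factor and force a reset."""
    if breach_count(password, index) == 0:
        return "allow"
    return "require_mfa_and_reset" if at_login else "reject"
INDEX = build_range_index(BREACHED_PLAINTEXTS)
if __name__ == "__main__":
    for pw in ("password", "Summer2018!", "long-unique-phrase-7q"):
        print(pw, breach_count(pw, INDEX), password_decision(pw, INDEX, at_login=True))
```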
All of these suggested changes will provide additional layers of protection, but with all that data out there, hackers may also have acquired personal information about your habits — like where you like to travel or eat, and your personal priorities. This increases the likelihood that you could be a target for social phishing attacks, where the hacker uses personal information to get you to hand over credentials that allow them to take control of your devices and/or access your accounts. Both individuals and companies have proven vulnerable to such attacks, which are expected to get an AI boost in 2019. Auth0 Security Operations Manager Annabel Villarroel offers some additional protective strategies against social engineering.
If you’d like to learn more about how Auth0 can help protect your organization, reach out to email@example.com.
Auth0, the identity platform for application builders, provides thousands of customers in every market sector with the only identity solution they need for their web, mobile, IoT, and internal applications. Its extensible platform seamlessly authenticates and secures more than 2.5 billion logins per month, making it loved by developers and trusted by global enterprises. The company's U.S. headquarters in Bellevue, WA, and additional offices in Buenos Aires, London, Tokyo, and Sydney, support its global customers that are located in 70+ countries.