2.2 Billion. It’s a staggering number. It also happens to be the number of usernames and associated passwords cobbled together and being freely distributed on hacker forums and torrents in the biggest aggregation of leaked credentials ever. As WIRED writer Andy Greenberg appropriately mused, the dump is like “throwing out the private data of a significant fraction of humanity like last year’s phone book.” So, this megaleak happened. What steps do you take to protect your organization?
Let’s start by examining how this megaleak happened. The 2.2 billion records were gathered together from various mega breaches suffered by a host of companies such as Yahoo, LinkedIn, Dropbox, and many others. The breaches are not new. What is new is that the data is now so easily accessible.
The enormous dataset was broken into five collections and freely published. As you read this, security researchers and hackers alike are combing through the data for information they can either learn from or exploit. There is a good chance your organization’s information is on it.
So what steps can you take to make sure this doesn’t adversely impact your organization?
Do Not Reuse Passwords: We cannot stress this enough. This leak is the most significant demonstration yet of why password reuse is hazardous to any online account. Once a set of credentials is leaked, every other account that uses the same email address and password is exposed, and attackers automate this with credential stuffing: replaying leaked email/password pairs against other sites at scale. As an example, if the email and password for your Yahoo account are the same as those for your online banking, then when your Yahoo credentials are leaked, logging into your bank account becomes trivial (unless a second factor stands in the way). So, let’s fix this. If you have a password you’re using in multiple locations, change that password immediately. Do it! Now!
You should implement a password policy within your organization. This policy should ban not just password reuse but also password recycling. Password recycling is rather common: people cycle through a small set of old passwords, and they often do this when an organization forces them to change passwords on a schedule. Instead of choosing a new, robust password, they return to one they have used in the past, which leaves you with the same problem as reuse. Make it mandatory that your team uses robust, original passwords they have neither used elsewhere nor recycled, and enforce it technically: keep a history of previous password hashes to reject recycling, and check new passwords against lists of known-breached passwords (this dump included). A strong password that is changed infrequently is far more secure than a weak or reused password changed frequently, which is also the direction current NIST guidance (SP 800-63B) takes. Therefore, a password policy shouldn’t necessarily mandate regular password changes, but instead strong passwords that have not been reused, recycled, or already exposed in a breach.
Use Two-Factor Authentication: If you’ve ever watched a doomsday movie where a country is readying itself to launch a nuclear weapon, there is usually that moment where two people (traditionally men) stand next to each other with keys in their hands. Only when both turn their keys in their respective locks will a missile launch. Two-factor authentication (2FA) works on the same idea: one credential alone is not enough. You are forcing an extra layer of protection on your account. A factor is evidence of one of three kinds:
Something You Know: This is a password, or the answers to the “secret questions” you are asked to provide to enter your account (a weak factor, since those answers are often public or sit in the same breach dumps).
Something You Have: This is a device, traditionally your cellphone, or increasingly a hardware security key such as a YubiKey.
Something You Are: This is biometric authentication such as a fingerprint, Face ID, or voice recognition.
As an organization, your policy MUST include 2FA, and you should enforce it as broadly as possible. This reduces the chance that an attacker gains access to your systems because someone used their company email and password on another website that has been, or will be, compromised. If you are not using 2FA, you are leaving yourself needlessly and seriously exposed.
A typical second factor on any account is a one-time code delivered to the account owner’s cellphone. When the owner attempts to log in, a fresh code is generated and sent to the phone, and only by entering that code can the owner complete the login. In theory only the account owner can read the code; in practice, codes sent by SMS can be intercepted through SIM swapping or phished along with the password, so a code generated on the device itself (an authenticator app using time-based one-time passwords) is a better choice, and a hardware key is better still. A YubiKey is similar in spirit: only when the key is plugged into or tapped against the device during login can that device get into the account, and because the key checks the site it is talking to, a phishing page cannot borrow it.
With two-factor authentication, you are building barriers around your online account. A strong password is your castle walls. Two-factor authentication is the moat around these walls and the fire-breathing dragon standing sentry. When it comes to your online accounts, and the enormous trove of valuable information stored in them, do you want the fire-breathing dragon, or not? I think you want the fire-breathing dragon.
Use Unique Usernames, if Available: Employing unique usernames can also help. Many services still force you to use your email address as your username, which means half of a leaked credential pair is already known everywhere. If a service does allow a unique username, however, you should consider taking advantage of that option, especially for very sensitive accounts such as your online banking.
Use Strong Passwords: Although the impact of this megaleak is still being identified, we think one of its effects will be to make weak passwords even more dangerous. What has just been created is an enormous, well-organized dataset of real passwords that cracking tools and machine-learning models can train on, learning the patterns people actually use and the ways they vary a base word. This means that even a password similar to one someone else has used becomes increasingly hazardous. Dictionary words such as “password” and “football” have always been a big red flag; now any password that appears in this dataset, or is a small variation of one that does, is a liability. Strong, unique, and complex passwords are now a necessity.
As an organization, you must make it mandatory that users choose strong passwords. What do these passwords look like? They are long (well over eight characters; a multi-word passphrase is a good pattern), unique to the account, and not built from a common word plus a predictable suffix. Yes, it means that recalling these passwords will become more difficult, which is why you and your organization should consider….
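As an added example (not code from the original post), the following Python sketches the technical side of the policy described above: rejecting short passwords, rejecting passwords already present in a breach dataset without ever sending the password anywhere, and rejecting recycled passwords against a history of salted hashes. The breach check uses the k-anonymity range scheme popularized by the Pwned Passwords service: only the first five hex characters of the password’s SHA-1 are sent, the server returns every suffix it knows for that prefix, and the match is made locally. The range response embedded here is constructed for the example (its one real entry is the SHA-1 of “password”), the `range_lookup` callable stands in for the HTTPS call, and the hypothetical `check_password` reason codes are the example’s own.

```python
import hashlib
import hmac
import os
from typing import Callable, Dict, List, Tuple

# Constructed sample of a k-anonymity range response for SHA-1 prefix "5BAA6".
# Each line is "<35 hex chars of the rest of the hash>:<times seen in breaches>".
# The middle entry completes the real SHA-1 of "password"
# (5BAA61E4C9B93F3F0682250B6CF8331B7EE68FD8); the other two lines are filler.
SAMPLE_RANGES: Dict[str, str] = {
    "5BAA6": (
        "0018A45C4D1DEF81644B54AB7F969B88D65:1\n"
        "1E4C9B93F3F0682250B6CF8331B7EE68FD8:3861493\n"
        "1F5E12B17A7F6ABE2A1B0F4E7C3D2A9B8C1:2\n"
    ),
}

MIN_LENGTH = 12          # policy minimum; a passphrase clears this easily
PBKDF2_ITERATIONS = 100_000

RangeLookup = Callable[[str], str]
HistoryEntry = Tuple[bytes, bytes]   # (salt, pbkdf2 hash) of a previous password


def offline_range_lookup(prefix: str) -> str:
    """Stand-in for the network call: return the stored range text, or an
    empty response when the prefix is unknown (i.e. nothing breached there)."""
    return SAMPLE_RANGES.get(prefix.upper(), "")


def breach_count(password: str, lookup: RangeLookup) -> int:
    """How many times the password appears in the breach set, via k-anonymity:
    only the 5-char SHA-1 prefix leaves this function; the suffix is matched here."""
    digest = hashlib.sha1(password.encode("utf-8")).hexdigest().upper()
    prefix, suffix = digest[:5], digest[5:]
    for line in lookup(prefix).splitlines():
        if not line.strip():
            continue
        candidate, _, count = line.strip().partition(":")
        if hmac.compare_digest(candidate.upper(), suffix):
            return int(count or "0")
    return 0


def hash_for_history(password: str, salt: bytes = None) -> HistoryEntry:
    """Salted, slow hash kept in the user's password history (never the plaintext)."""
    salt = salt or os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ITERATIONS)
    return salt, digest


def was_used_before(password: str, history: List[HistoryEntry]) -> bool:
    """Recycling check: re-derive with each stored salt and compare in constant time."""
    for salt, stored in history:
        _, candidate = hash_for_history(password, salt)
        if hmac.compare_digest(candidate, stored):
            return True
    return False


def check_password(password: str, history: List[HistoryEntry],
                   lookup: RangeLookup = offline_range_lookup) -> List[str]:
    """Return the policy violations for a proposed password (empty list = accept)."""
    reasons = []
    if len(password) < MIN_LENGTH:
        reasons.append("too_short")
    if breach_count(password, lookup) > 0:
        reasons.append("breached")
    if was_used_before(password, history):
        reasons.append("recycled")
    return reasons


if __name__ == "__main__":
    # A user rotating from an old password to a new one.
    old_history = [hash_for_history("Winter2019!Rotation")]
    for proposal in ["password", "Winter2019!Rotation", "correct horse battery staple 42"]:
        print(f"{proposal!r}: {check_password(proposal, old_history) or 'accepted'}")
```

The constant-time comparisons matter less for the SHA-1 suffix match (the data is public) than for the history check, but using them everywhere keeps the habit. A live deployment swaps `offline_range_lookup` for an HTTPS GET of the range, and should treat a network failure as “unknown”, not as “safe”.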
Investing in a Password Manager: A password manager puts all of your passwords into an encrypted vault that only your master password (and second factor) can unlock. It spares you from having to recall the countless passwords the internet now forces on you (because we know what password reuse causes…headaches, nothing but headaches and heartbreaks), and it can generate a long, random, unique password for every site. It will also help you and your team members avoid storing passwords in places such as a desk drawer, a sticky note under the keyboard, or a shared spreadsheet. But, you may ask…is keeping all of my passwords in one place really safe? Yes. If you’re careful.
First, do your research, and choose a password manager that has a solid reputation and a strong history. Reach out to us if you would like some advice; we are happy to walk you through the process of migrating to a password manager. Second, use a VERY strong master password for your password manager. This is the one password you are going to remember, so make it a good one. This is your key to the kingdom, the bank vault, and your personal identity, so make it strong, don’t share it with anyone, and hold on to it like the Hamburglar does a slab of beef. Finally, make sure your password manager, and all your accounts, use two-factor authentication.
Keep Learning: Make cybersecurity a part of your daily feed and the feeds of your team. Ensure you are keeping up to date on the latest breaches, cyberattack methods, and vulnerabilities. Whether it’s newsletters, podcasts, or following influencers, there are plenty of wonderful ways to keep your ear to the ground when it comes to information security.
This megaleak is intense. 2.2 billion credentials is an astounding number. However, if you are willing to enact some changes and take some steps to make yourself and your organization safer, this, in the end, could be a good thing.
Start using stronger passwords, never reuse passwords, consider investing in a password manager, ALWAYS enable two-factor authentication, and be diligent about staying informed around information security. If you make these changes, you and your organization are going to be more secure from these unfortunate and progressively worsening megabreaches and megaleaks.