While the Collection 1 data dump – a whopping 773 million unique emails – dazzled with its size, it also underscored the need to shift away from reliance on passwords and renewed calls for investments in more up-to-date and reliable security.
“The sheer size and almost certain impacts of “Collection 1” are historic, but unfortunately not surprising,” said Uniken CEO Bimal Gandhi, who noted that Albert Einstein’s wisdom, “the definition of insanity is doing the same thing over and over again, but expecting different results” applies to the security landscape.
“The continued reliance on outdated security methods such as using PII in authentication certainly fits that definition, given the proliferation of stolen and leaked PII now available on the dark web,” said Gandhi. “These 700+ million email addresses and millions of passwords – many unhashed – will inevitably be used in credential stuffing attacks that greatly harm both consumers and the financial/merchant/payments ecosystem for years to come.”
Adam Brown, manager of security solutions at Synopsis, recounted his own alarm after Security Researcher Troy Hunt revealed the Collection 1 breach. “I first saw this in the small hours and knowing what I know about security and how information is used in credential stuffing attacks I was unable to sleep until I’d checked my own credentials,” said Brown, who tapped into Hunt’s havibeenpwned.com site.
As vast as it is, the Collection 1 dataset is a microcosm of a larger sea of exposed data.
“As shocking as all this news may sound, these types of dumps are far more regular than most people would think. However, many so-called “new” dumps often contain old data seen in previous breaches so even though the numbers sound scary often the volume of actual new data is significantly lower,” said CEO of Authlogics, Steven Hope, CEO of Authlogics, whose analysts have found subsequent “new” data dumps, dubbed Collections #-#5, that total more than 784 GB, or nine times that data found in Collection #1.
“'New’ is also a matter of perspective as it depends on the age of the other data you are comparing it to, however we will know more about these new Collection dumps in due course,” said Hope.
What sets Collection 1 apart from other notable dumps is that the data came from a multitude of breaches and sources.
“Unlike previous high profile-data dumps, where the data all comes from one compromised party, this appears to be a carefully curated collection of dumps from a large collection of compromises,” said Nick Murison, managing consultant at Synopsis. “A brief skim of the alleged sources suggest that these are smaller online entities that likely have not spent much time or resources on security. Some of them may not even be aware that they have been compromised some time ago, and that the data may originate from years earlier.”
Credentials remain a valuable asset for hackers – the ROI for miscreants is lucrative and they aren’t likely to stop nicking them anytime soon.
“Cyberattackers long ago discovered that the easiest way to gain access to sensitive data is by compromising an end user’s identity and credentials,” said Centrify Vice President of Product Marketing Andy Smith, who cited a Forrester study that found that 80 percent of data breaches involve the use of privileged account access, which essentially give would-be attackers all access and provides “a perfect camouflage for their data exfiltration efforts.”
For years, said Joseph Carson, chief security scientist at Thycotic, “cybercriminals and hackers have been correlating each major data breach dump of email addresses and passwords so they can abuse to gain access into employees accounts to steal sensitive data, conduct financial fraud or blackmail into further access. Some of these are hidden in the dark net or shared directly between cybercriminals.”
Carson suggested users“choose a password manager to make creating or generating a new password easier.”
His colleague, Terence Jackson, CISO at Thycotic, agreed, noting “Many people still use the same passwords across sites for personal and business purposes because it’s convenient until something like this happens and it’s back in the headlines.”
While “using unique passwords on each site isn’t a magic bullet, but the goal here is to limit the damage that could be done in a credential stuffing or brute force type attack,”Jackson said, “As a CISO, this type of attack would concern me because employees often use their corporate emails to sign up for services and often use the same passwords.”
Brown took issue with the NIST (National Institute of Standards and Technoloy) standard, which “now discourages routine password changing” which he said “could mean that stolen credentials potentially remain ‘live’ longer than previously could have been expected.” But Brown said that very same standard “does prescribe the use of threat intelligence and automation to alert users of credential breaches or ‘pwnage’, such as Troy’s site. My advice: check your own credentials and do it now!”
The size and reach of Collection 1 should bring home to enterprises how important it is “to invest in security as part of their software development,” said Murison. “This includes both establishing activities such as threat modelling early in development and penetration testing as part of ongoing operational activities, as well as investing in tools and automation to ensure security defects are discovered as part of regular development and testing phases.”
He cautioned that “with data protection laws becoming increasingly strict (e.g. GDPR), there is no excuse for a company not to be thinking about the risk of data breaches in 2019. This goes for companies developing their own systems as well as companies that decide to outsource development; you cannot outsource the responsibility you have to safeguard your customers’ data.”
The same tried mitigation basics hold true for both organizations and individuals, said Bill Evans, a vice president at One Identity. Use multifactor authentication, better manage privileged access, improve governance and educate employees.
“You must stay abreast of your cybersecurity options. Enterprises must educate their users of the importance of cybersecurity,” said Evans. “While not the most glamorous or exciting of activities, it has to be done, just like cutting the lawn or paying your bills.”