1.2 Billion Passwords Compromised — Now What?
As businesses across the world scramble to secure their logins following an extensive cyberattack by a group of Russian hackers, security experts are advising people to change their login credentials immediately.
On Wednesday, The New York Times reported that the shadowy group of hackers had compromised up to 1.2 billion logins, covering 500,000 email addresses from 420,000 websites.
But by Thursday, these dramatic numbers had drawn skepticism from publications such as The Wall Street Journal and Forbes, which say the estimation of the attack’s scale doesn’t appear to hold up to scrutiny.
Meanwhile, Hold Security, the primary source for The New York Times story, seems to be capitalizing on the panic by charging $120 a year for a service that allows people to determine whether they’ve been affected by this attack, according to The Verge.
As the dust settles, security experts say there’s no reason not to beef up your online security with a password refresh.
To dig deeper into the potential impact of such a cyberattack and how the average consumer should respond, BizTech spoke with security analyst Jerry Irvine, CIO of Chicago-based Prescient Solutions.
BIZTECH: What is the immediate impact of a hack of this scale? What are companies doing to mitigate the damage?
IRVINE: First, the proverbial horse is already out of the barn. Organizations that were hacked are reviewing their systems to determine the means used to gain entry and access to their systems and the extent of the breach, to assure that any unauthorized access has been detected and eliminated, and to work out how to mitigate the potential for breach in the future.
They will also have to notify all users who were [affected] or whose data was potentially affected. Finally, depending on the nature of the data, they may have to provide identity theft protection and coverage to some subset of the affected data’s users.
BIZTECH: Assuming people have been affected, what should they do?
IRVINE: Since over 1 billion people’s data across hundreds of thousands of websites is at risk, the potential is great that your data has been compromised. So, regardless of whether a user knows they are affected or not, everyone should take this opportunity to minimally change their passwords.
When possible, users may want to delete their existing accounts and create new accounts with a different user ID. Users should not use their email address as an ID. Email addresses are too public and easily found. Create individual, unique IDs and passwords for all accounts. Users should not store their credit card or financial information on websites when at all possible. Rather, if possible, you should use a payment site or application, or enter financial information into systems, but never save the card data.
Also, users should never save passwords for sites in their browser. This information is easily compromised via malware and viruses and is [among] the first data captured by hackers from end users’ PCs, laptops, tablets and cellphones.
Additionally, you should enable a secondary security method. Sites have the ability to text or email a specific device or account once a user logs in to provide an additional level of security. This is a means of multi-factor authentication, which requires something you know (ID and password), something you have (a cellphone or email account to receive a confirmation text or email), or something you are (biometric). Multi-factor authentication should be used whenever possible.
BIZTECH: How are these kinds of login-targeted attacks changing the landscape of online security? With the number and rate of these occurrences, on top of the Heartbleed exploit, is anything truly safe behind a login and password anymore?
IRVINE: The issues range across applications, websites and security devices. Lazy password practices make it easy for hackers to use password dictionaries and brute-force attacks to gain access to individual systems.
But the real problem with a password is the practice of reusing them across multiple sites, applications and systems. Even when a user creates a large, complex password with upper- and lowercase, numbers and special characters, it is useless if they use it everywhere, because once the hacker has it, they use it to break into everything.
Some additional means of user authentication, even above multi-factor authentication, needs to be developed. Perhaps a government- and private-sector-sponsored user-authentication clearinghouse — which provides not only authentication controls, but also provides controlled and secured media access, such as VPN, to provide additional levels of access controls in order to assure that the user is who they say and where they are.
BIZTECH: There’s been debate over the most effective and practical password format. Do you favor long, easy-to-remember passwords or shorter, dense and tough-to-recall passwords?
IRVINE: Passwords should be at least 10 characters in length and be complex in nature, including upper- and lowercase, numbers and special characters. Nevertheless, the complexity of a password that never changes does not protect the user if the password is stolen from a website. Additionally, any one form of authentication provides little security. Whenever possible, at least two forms of authentication should be used.
BIZTECH: If this is the new norm, how do you see the cybersecurity field evolving over the next five years? What security measures will receive priority?
IRVINE: Cybersecurity is already changing from the legacy perimeter-detection-based systems that we have used forever. Antivirus, firewalls and intrusion-detection systems are designed to detect cyberattacks when they happen, and attempt to block them or clean them after the fact. New cybersecurity solutions must be preventative solutions designed to protect data, mitigating the possibility of a cyberevent. The prioritization of cybersecurity moving forward is being placed directly on preventative security solutions designed to protect systems and end-user data rather than on detection-based solutions designed to guard the perimeter of the network.