2016 – yet another ‘year of the data breach’?
Data breaches and credential compromise are nothing new. Each of the past three years has been declared the “year of the data breach,” as if the peak had finally been reached. Yet every year breaches continue to be disclosed in startling numbers and at startling frequency.
So what do we call 2016, when we have witnessed even more data breaches made public, including LinkedIn, MySpace and Dropbox? It seems data breaches are no longer rare events; they are the norm and something that all businesses must face and deal with.
Indeed, breaches are being industrialized on a scale never seen before. Reports suggest the Yahoo data breach included the details of half a billion users. If nothing else does, that shows how much data threat actors now have to work with, and how they can exploit it on an industrial scale.
For companies that were the victims of breaches, there are clear reputational, brand, and financial implications.
In our recent report, “Compromised Credentials, Learn From the Exposure of the World’s 1,000 Biggest Companies”, we analyzed some of the world’s largest companies and found that 97 percent had suffered some sort of leak, amounting to more than 5 million leaked credentials.
Many of these organizations have suffered “collateral damage” from breaches of third-party sites, because an alarming number of employees reused their corporate email addresses and passwords when signing up for a range of services and applications, including gaming and dating websites.
For example, the breach of the adultery website Ashley Madison revealed more than 200,000 leaked credentials belonging to employees of the top 1,000 companies in the Forbes Global 2000.
Credential compromise is not new, but the frequency of appearance of compromised credentials online has increased. Dumps of stolen credentials are regularly sold, traded and shared online across paste sites and online marketplaces. For example, actors using the names “Peace of Mind” and “Tessa88” recently thrust themselves into the media limelight following the public release of the LinkedIn and MySpace databases.
We have also seen “thedarkoverlord” offering multiple healthcare databases on the Real Deal marketplace and, more recently, the claimed Dropbox leak. As demonstrated by the LinkedIn and Dropbox breaches, which were made public four years after the initial compromise, there are likely many more credentials circulating in underground forums that are yet to be made public.
As a result, the number of compromised credentials that are available online is staggering, providing a goldmine for attackers. With this in mind, it is unsurprising that one report claimed that breached credentials were responsible for 63 percent of data breaches.
Not all credentials are created equal. In the criminal underworld, credentials are valued differently depending on their freshness, how recoverable the passwords are (plaintext, or hashes that still need to be cracked), their sensitivity, their transferability, and so on. But the same credentials are often hawked around for months and even years after the initial breach, as the hacker and his associates try to extract as much value from them as possible.
The type of credential also shapes how threat actors use it: for account takeover, extortion or ransomware, or credential stuffing, in which leaked email and password pairs are replayed against other services in the hope that they were reused.
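Credential stuffing leaves a recognizable trace in authentication logs: a single source trying many distinct accounts with a high failure rate, which looks nothing like one user mistyping a password. The following added example (not code from the report or its authors) runs that check over a few constructed log lines; the log format, the source IPs and the thresholds are assumptions for illustration.

```python
"""Flag credential-stuffing patterns in authentication logs.

Added example with constructed sample data (not real traffic). A stuffing
attack replays leaked email:password pairs, so one source IP touches many
distinct accounts, mostly failing, with the occasional success where the
victim reused a password. A legitimate user who fat-fingers a password hits
one account a few times instead.
"""
from collections import defaultdict

# Constructed sample log: "timestamp src_ip username result" (assumed format)
SAMPLE_LOG = """\
2016-09-30T10:00:01Z 203.0.113.7 alice@example.com FAIL
2016-09-30T10:00:01Z 203.0.113.7 bob@example.com FAIL
2016-09-30T10:00:02Z 203.0.113.7 carol@example.com FAIL
2016-09-30T10:00:02Z 203.0.113.7 dave@example.com SUCCESS
2016-09-30T10:00:03Z 203.0.113.7 erin@example.com FAIL
2016-09-30T10:00:03Z 203.0.113.7 frank@example.com FAIL
2016-09-30T10:00:04Z 203.0.113.7 grace@example.com FAIL
2016-09-30T10:00:04Z 203.0.113.7 heidi@example.com FAIL
2016-09-30T10:00:05Z 203.0.113.7 ivan@example.com FAIL
2016-09-30T10:00:05Z 203.0.113.7 judy@example.com FAIL
2016-09-30T10:05:00Z 198.51.100.23 alice@example.com FAIL
2016-09-30T10:05:10Z 198.51.100.23 alice@example.com FAIL
2016-09-30T10:05:20Z 198.51.100.23 alice@example.com SUCCESS
"""


def parse_log(text):
    """Return a list of (timestamp, src_ip, username, succeeded) tuples."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, ip, user, result = line.split()
        events.append((ts, ip, user.lower(), result == "SUCCESS"))
    return events


def detect_stuffing(events, min_accounts=5, min_fail_ratio=0.8):
    """Return {src_ip: summary} for sources that match the stuffing pattern.

    A source is flagged when it tried at least `min_accounts` distinct
    usernames and at least `min_fail_ratio` of its attempts failed. Any
    successes from such a source are listed as likely compromised accounts.
    """
    per_ip = defaultdict(lambda: {"users": set(), "attempts": 0,
                                  "failures": 0, "compromised": set()})
    for _ts, ip, user, ok in events:
        s = per_ip[ip]
        s["users"].add(user)
        s["attempts"] += 1
        if ok:
            s["compromised"].add(user)
        else:
            s["failures"] += 1

    alerts = {}
    for ip, s in per_ip.items():
        ratio = s["failures"] / s["attempts"]
        if len(s["users"]) >= min_accounts and ratio >= min_fail_ratio:
            alerts[ip] = {
                "distinct_accounts": len(s["users"]),
                "fail_ratio": round(ratio, 2),
                "successful_logins": sorted(s["compromised"]),
            }
    return alerts


if __name__ == "__main__":
    for ip, summary in detect_stuffing(parse_log(SAMPLE_LOG)).items():
        print(ip, summary)
```

On the sample, only 203.0.113.7 is flagged (10 accounts, 90 percent failures), and dave@example.com is surfaced as the account whose reused password worked; the single user retrying from 198.51.100.23 is left alone. In production the same logic would run over a sliding time window and key on more than the source IP, since stuffing tools rotate through proxies.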
The report shows that the largest sources were, unsurprisingly, social media platforms: the LinkedIn, MySpace and Tumblr breaches accounted for 30 percent, 21 percent and 8 percent of the total credentials respectively.
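The analysis behind the figures above (attributing dump entries to corporate domains, measuring each breach’s share, and spotting the password reuse that turns a third-party breach into corporate exposure) can be reproduced on any dump in the common email:secret format. The following added example is not the report’s tooling; the dump names, the monitored domains and the entries are constructed for illustration.

```python
"""Attribute leaked credentials from breach dumps to monitored corporate domains.

Added example, not the report's own code. Input is a mapping of
source name -> dump text in "email:secret" form, where the secret is
whatever the breached site stored (plaintext or a hash). The same secret
for the same account in two dumps means the password was reused
(for plaintext) or that both sites stored the same unsalted hash of it.
"""
from collections import Counter, defaultdict

# Assumed corporate domains to monitor
MONITORED_DOMAINS = {"example.com", "example.org"}

# Constructed sample dumps (not real data). The hex value is MD5("password"),
# standing in for a site that stored unsalted hashes.
DUMPS = {
    "social-site-a": """\
alice@example.com:Summer2016!
bob@example.com:5f4dcc3b5aa765d61d8327deb882cf99
carol@example.org:letmein
someone@gmail.com:qwerty
""",
    "social-site-b": """\
alice@example.com:Summer2016!
dave@example.com:P@ssw0rd
erin@example.org:hunter2
""",
    "dating-site": """\
bob@example.com:5f4dcc3b5aa765d61d8327deb882cf99
frank@example.com:Welcome1
other@yahoo.com:123456
""",
}


def parse_dump(text):
    """Yield (email, secret) pairs; skip blank or malformed lines."""
    for line in text.splitlines():
        line = line.strip()
        if not line or ":" not in line:
            continue
        email, secret = line.split(":", 1)
        yield email.lower(), secret


def analyse(dumps, monitored):
    """Summarize exposure of the monitored domains across all dumps."""
    per_domain = Counter()          # leaked credentials per corporate domain
    per_source = Counter()          # leaked corporate credentials per breach
    seen = defaultdict(set)         # (email, secret) -> sources it appears in
    for source, text in dumps.items():
        for email, secret in parse_dump(text):
            domain = email.rsplit("@", 1)[-1]
            if domain not in monitored:
                continue            # personal accounts are out of scope
            per_domain[domain] += 1
            per_source[source] += 1
            seen[(email, secret)].add(source)

    total = sum(per_source.values())
    share = {s: round(100 * n / total, 1) for s, n in per_source.items()} if total else {}
    reused = sorted(email for (email, _), srcs in seen.items() if len(srcs) > 1)
    return {
        "total": total,
        "per_domain": dict(per_domain),
        "source_share_pct": share,
        "reused_across_sources": reused,
    }


if __name__ == "__main__":
    for key, value in analyse(DUMPS, MONITORED_DOMAINS).items():
        print(f"{key}: {value}")
```

On the constructed data, 8 of the 10 entries belong to the monitored domains, the two social sites each contribute 37.5 percent of the corporate exposure, and alice and bob are flagged for reusing the same secret across two unrelated sites, which is exactly the accounts an attacker would try first against the corporate login.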
While the number of credentials leaked online for the world’s 1,000 biggest organizations is staggering, it is important to remember that this is not the whole picture and is not an exhaustive list. In fact, organizations are likely further exposed through third parties and suppliers. In reality, credential compromise affects organizations of all sizes.