Why are foreign governments apparently after my details?
The news that Yahoo had lost the personal details of over half a billion of its users in a prolonged data breach some time ago has left many people wondering why the nation state it blamed, or anyone else for that matter, was after their information.
After all, what possible use could your email address, and even your password, be to a major government of the world?
We know that the most common targets of mass credential breaches like Yahoo's are social media and entertainment sites, but again, why would a nation state be interested in these?
There are several reasons.
First, we know that many people use the same username and password for multiple websites, apps and accounts, so whoever gets hold of one set of credentials can try it everywhere else (the automated version of this is known as credential stuffing) and potentially gain access to many accounts at once.
Second, we know that too many people use their business email addresses and passwords to register for other services, so when those services were breached their corporate credentials were exposed along with everything else. A report we released this week looking at credential leaks affecting the Forbes 1,000 companies found a large number of corporate credentials being used by employees on a wide variety of strictly “non-business” websites such as gambling, gaming and even dating sites.
Dating websites featured surprisingly prominently in the report, all the more so because many of the credentials used on them were corporate accounts. Ashley Madison, Adult FriendFinder and Mate1 were the top three examples.
These are exactly the details most useful to cybercriminals, whether acting alone or on behalf of a government, because a valid corporate login lets them walk straight into the companies, and even the government departments, we work for. Those organizations are the real targets of industrialized cybercrime; the individual whose reused password opened the door is the unwitting accomplice.
The third reason these details are useful is that, by collecting them, attackers can build up a picture of each of us that makes targeted attacks and spear-phishing far more convincing. If they discover that we have a passion for, say, fishing, how much easier is it for them to get us to open an email about the latest rods and baits that actually delivers malware such as a keylogger? The answer is very easy indeed.
What we should learn from news like Yahoo's breach is that we need to take responsibility for our own cybersecurity. That means good password discipline: long, hard-to-guess passwords or passphrases; a different one for every site, so that one breach cannot unlock the others; and changing a password promptly whenever the service it protects is reported breached (routine rotation on its own helps little if the same password is still reused elsewhere).
Remembering all of those is hard, which is why password managers exist: they store your various passwords in an encrypted vault and generate a unique one for each site, which removes the password reuse that credential stuffing depends on. And wherever a site offers it, turn on two-factor (or multi-factor) authentication using a separate token or verification step, so that a stolen password alone is not enough to log in.
Businesses also have a responsibility here. They should make it policy that corporate email addresses, and above all corporate passwords, are not used to register on external websites, and they should give staff the training to understand why doing so puts both the company and the individual at risk.
Organizations also need to proactively monitor for credential dumps that contain their domains, and triage each leak to determine whether it exposes credentials that are new or merely repackages data that was leaked before.
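As an added example of that triage step (this is not code from the original post, and the dump lines, the corporate domain list and the "previously seen" store are all constructed for illustration), the following Python script filters a raw dump down to the organization's own domains, normalizes the email addresses, and compares each email/secret pair against a store of fingerprints from earlier leaks so that new exposures are separated from recycled ones. The store holds SHA-256 fingerprints rather than the secrets themselves, so the monitoring system does not become a second copy of the leak.

```python
"""Triage a credential dump for an organization's domains and separate
new exposures from recycled ones.

Added example, not code from the original post. SAMPLE_DUMP,
CORPORATE_DOMAINS and the seen-store contents in main() are constructed
for illustration. Real dumps arrive in many layouts, so the parser is
deliberately tolerant of the common 'email:password' and 'email;password'
forms and skips anything it cannot parse.
"""
import hashlib
import re
from dataclasses import dataclass

# Constructed sample: mixed separators, mixed case, one address outside the
# corporate domains, one exact duplicate, one entry seen in an earlier dump,
# and one unparseable line.
SAMPLE_DUMP = """\
alice@example.com:Summer2016!
BOB@Example.com;hunter2
carol@partner.example.net:letmein
alice@example.com:Summer2016!
dave@example.com:$2a$10$abcdefghijklmnopqrstuv
malformed line without separator
"""

# Constructed: the domains this organization owns (subdomains match too).
CORPORATE_DOMAINS = {"example.com", "corp.example.com"}

# email, then one of : ; , as separator, then the secret (password or hash).
LINE_RE = re.compile(r"^\s*([^\s:;,]+@[^\s:;,]+)\s*[:;,]\s*(\S+)\s*$")


@dataclass(frozen=True)
class LeakRecord:
    email: str
    secret: str  # plaintext password or a hash, whatever the dump carried

    def fingerprint(self) -> str:
        """Stable identifier for 'this email paired with this secret'.

        Only the fingerprint is persisted, never the secret, so the store
        of past leaks is not itself a credential list worth stealing.
        """
        data = f"{self.email}\x00{self.secret}".encode()
        return hashlib.sha256(data).hexdigest()


def parse_dump(text):
    """Yield LeakRecords with lower-cased emails; skip unparseable lines."""
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            yield LeakRecord(m.group(1).lower(), m.group(2))


def in_scope(record, domains):
    """True if the email's domain is one of ours or a subdomain of one."""
    domain = record.email.rsplit("@", 1)[1]
    return domain in domains or any(domain.endswith("." + d) for d in domains)


def triage(text, domains, seen_fingerprints):
    """Return (new, recycled) for in-scope records.

    'new' are email/secret pairs never seen before (their fingerprints are
    added to seen_fingerprints); 'recycled' are pairs already in the store.
    Exact duplicates within the same dump are counted once.
    """
    new, recycled, this_dump = [], [], set()
    for rec in parse_dump(text):
        if not in_scope(rec, domains):
            continue
        fp = rec.fingerprint()
        if fp in this_dump:
            continue
        this_dump.add(fp)
        if fp in seen_fingerprints:
            recycled.append(rec)
        else:
            seen_fingerprints.add(fp)
            new.append(rec)
    return new, recycled


def main():
    # Constructed seen-store: dave's pair turned up in an earlier dump.
    seen = {LeakRecord("dave@example.com",
                       "$2a$10$abcdefghijklmnopqrstuv").fingerprint()}
    new, recycled = triage(SAMPLE_DUMP, CORPORATE_DOMAINS, seen)
    print(f"{len(new)} new exposure(s):")
    for rec in new:
        print(f"  {rec.email}  (force reset, check for reuse on corporate systems)")
    print(f"{len(recycled)} recycled entry(ies) already handled:")
    for rec in recycled:
        print(f"  {rec.email}")


if __name__ == "__main__":
    main()
```

On the constructed sample this reports alice and bob as new exposures that need a forced reset and a check for reuse on corporate systems, dave as recycled data from an earlier leak, and ignores carol, whose partner domain is out of scope. In practice the fingerprint store would live in a database keyed by fingerprint and first-seen date, and a hash in the dump (dave's bcrypt string above) still warrants a reset, since offline cracking of a leaked hash is only a matter of time.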
Intelligence and education are key to making the online experience safer for companies and individuals alike. Until both are addressed, breaches like Yahoo's will remain the tip of the cyber-iceberg.