Massive Breach Exposes 773 Million Emails, 21 Million Passwords
With nearly 773 million unique emails and more than 21 million unique passwords exposed, “Collection #1” is the largest public data breach by volume. It was discovered and reported Thursday by security researcher Troy Hunt, who maintains Have I Been Pwned.
This massive collection of data harvested through data breaches had built up over a long period of time, so some of the account details are likely to be outdated now, said Sergey Lozhkin, security expert at Kaspersky Lab. However, it’s no secret that despite growing awareness of the danger, people stick to the same passwords and even reuse them on multiple websites, he said.
“What’s more, this collection can be easily turned into a single list of emails and passwords, and then all that attackers need to do is to write a relatively simple software program to check if the passwords are working,” he said. “The consequences of account access can range from very productive phishing, as criminals can automatically send malicious e-mails to a victim’s list of contacts, to targeted attacks designed to steal victims’ entire digital identity or money, or to compromise their social media network data.”
Neal Bradbury, Barracuda MSP’s senior director of business development, said opportunities exist for MSPs to teach users about cybersecurity best practices and to articulate how they can keep customers’ business-critical data safe — whether that’s what they are doing now, or how they might scale up the precautions they take moving forward.
“Security-awareness training is an important tool MSPs and MSSPs can use to protect against and prevent threats such as business-email compromise and phishing attacks,” he said. “If having a client leverage [a] security awareness training program seems like an impossible feat, have them type their email address into haveibeenpwned.com and see what happens.”
Channel partners can reduce the risk of breaches by deploying technologies to protect their end users’ customer data, Bradbury said. In vertical markets such as health care or financial services, this is especially important due to regulatory and compliance mandates. As no solution is bulletproof, a layered approach to security is what most channel partners leverage for their clients.
“Unfortunately, once a breach occurs that contains an email address and other pieces of information, it is possible for phishing and whaling attacks to occur,” he said. “Now knowing that these attacks could occur, a channel partner needs to leverage solutions to help a user block these types of threats.”
John Gordineer, SonicWall’s director of product marketing, said the channel can “absolutely” be doing more, MSSPs included, by making sure that they are keeping their services up to date and evaluating vendors that provide the most complete, layered security solution.
“In addition, there are a couple of simple solutions,” he said. “The first is ensuring proper password hygiene. So users should never use the same password on multiple sites and admins need to enforce strong password requirements. Another simple solution is ensuring proper password storage. This means encrypting passwords; this isn’t always the easiest task, but it must be done. While encrypting passwords, be sure to develop strong defenses for this treasure trove of information — the value of your organization’s data should be the basis of your security budget. Spend more on the value of your data, because security risks are risks to your business at the end of the day.”
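The two pieces of advice above, proper password hygiene and proper password storage, are what an application developer has to implement on the server side. The following is an added example (not code from the article, from SonicWall, or from Have I Been Pwned) showing the standard approach: passwords are stored as a salted, deliberately slow hash (PBKDF2-HMAC-SHA256 from the Python standard library; the 600,000-iteration cost is an assumption you should tune to your hardware), verified with a constant-time comparison, and rejected at signup if they appear in a breached-password corpus such as the one this article describes. The corpus check uses the k-anonymity scheme of the Have I Been Pwned Pwned Passwords range endpoint (a real service the article does not mention): only the first five hex characters of the password's SHA-1 leave the server, and the response is matched locally. No network call is made here; the range response is a constructed sample.

```python
# Added example, not from the article: salted slow hashing for password storage,
# constant-time verification, and a k-anonymity check against a breached-password
# corpus. Standard library only.
import base64
import hashlib
import hmac
import os
from typing import Optional, Tuple

# Assumed work factor: 600,000 PBKDF2-HMAC-SHA256 iterations; tune to your hardware.
ITERATIONS = 600_000
SALT_BYTES = 16
DKLEN = 32


def hash_password(password: str, salt: Optional[bytes] = None,
                  iterations: int = ITERATIONS) -> str:
    """Return a self-describing record: pbkdf2_sha256$<iterations>$<salt_b64>$<hash_b64>.

    A fresh random salt per user means identical passwords produce different records,
    so a leaked table cannot be attacked with one precomputed lookup.
    """
    if salt is None:
        salt = os.urandom(SALT_BYTES)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt,
                             iterations, dklen=DKLEN)
    return "pbkdf2_sha256$%d$%s$%s" % (
        iterations,
        base64.b64encode(salt).decode("ascii"),
        base64.b64encode(dk).decode("ascii"),
    )


def verify_password(password: str, stored: str) -> bool:
    """Recompute with the stored salt and cost, then compare in constant time."""
    try:
        algo, iterations, salt_b64, hash_b64 = stored.split("$")
        if algo != "pbkdf2_sha256":
            return False
        salt = base64.b64decode(salt_b64)
        expected = base64.b64decode(hash_b64)
        dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt,
                                 int(iterations), dklen=len(expected))
        return hmac.compare_digest(dk, expected)
    except (ValueError, TypeError):
        # Malformed record: never treat as a match.
        return False


def sha1_prefix_suffix(password: str) -> Tuple[str, str]:
    """Split the uppercase hex SHA-1 of the password into the 5-character prefix that
    is sent to the range endpoint and the 35-character suffix that stays local."""
    digest = hashlib.sha1(password.encode("utf-8")).hexdigest().upper()
    return digest[:5], digest[5:]


def breach_count(password: str, range_response: str) -> int:
    """Parse a 'SUFFIX:COUNT' range response and return the count for this password
    (0 if absent). In production range_response is the body returned for
    https://api.pwnedpasswords.com/range/<prefix>; the caller supplies it here."""
    _, suffix = sha1_prefix_suffix(password)
    for line in range_response.splitlines():
        line = line.strip()
        if ":" not in line:
            continue
        candidate, count = line.split(":", 1)
        if hmac.compare_digest(candidate.upper(), suffix):
            return int(count) if count.strip().isdigit() else 0
    return 0


def accept_new_password(password: str, range_response: str,
                        min_length: int = 12) -> Optional[str]:
    """Signup policy: refuse short or previously breached passwords, otherwise
    return the hash record to store (never the password itself)."""
    if len(password) < min_length or breach_count(password, range_response) > 0:
        return None
    return hash_password(password)


def constructed_range_response() -> str:
    """Constructed sample in the endpoint's line format. It includes the real suffix
    for the weak password 'password' plus two filler suffixes with made-up counts."""
    _, weak = sha1_prefix_suffix("password")
    return "\n".join([
        "0018A45C4D1DEF81644B54AB7F969B88D65:3",
        "%s:3730471" % weak,
        "011053FD0102E94D6AE2F8B83D76FAF94F6:1",
    ])


if __name__ == "__main__":
    sample = constructed_range_response()
    print("'password' breached:", breach_count("password", sample))      # 3730471
    record = accept_new_password("correct horse battery staple 9f2", sample)
    print("stored record:", record)
    print("verify ok:", verify_password("correct horse battery staple 9f2", record))
    print("verify wrong:", verify_password("password", record))
```

The stored record carries its own algorithm, salt and iteration count, so the work factor can be raised later and old records re-hashed on next login without a schema change. Note that the breach check happens before hashing and uses SHA-1 only as the lookup key the endpoint expects; SHA-1 is never what gets stored.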
Two-factor identification isn’t perfect, but it’s an effective speed bump that can stop low-level attackers, Gordineer said.