The largest dump of compromised email addresses and passwords ever made publicly available was discovered a few days ago on a popular web site used for illegal file sharing. It contains just over 770 million unique email addresses with associated passwords and is thought to be an aggregation of data from a plethora of compromises spanning 2008 to 2019.
Analysis of the dump indicates that 122 million of the passwords have never appeared in any previously known breach data, suggesting that a large portion of it comes from compromises that are either unknown or unreported.
Whilst this is not the biggest compromise (Yahoo, for example, are known to have lost data for over 1 billion accounts), it is the largest that has been made available for download, and it is likely to lead to a wide range of targeted password attacks on organisations whose data is included in the dump. Our award-winning penetration testing team have highlighted the risks and the appropriate next steps for your organisation below:
The risk is three-fold.
1) Corporate information could be in the dump: email addresses that identify employees of your company, along with the password each user had set at the time of the compromise. If a user changes the same password incrementally, e.g. Monday1, Monday2, Monday3, then the account may still succumb to a password guessing attack even though the password in the dump is no longer valid, because the attacker only needs to try a handful of variants of the known value.
2) If the data comes from a compromise of a corporate system, rather than from third-party sites where users registered with their corporate email address, then your organisation's common and default password conventions (a shared initial password, or a company-name-plus-year pattern, for example) can be ascertained and used to produce a candidate list in a much more intelligent manner. This drastically increases the chance of a targeted password attack succeeding.
3) If Multi-Factor Authentication (MFA) is not in use, your options for preventing a password attack are limited mainly to locking the account out after a number of failed logins or blocking the source IP address. Because a known password is the starting point, only a small number of guesses per account is needed, so there is a high chance a targeted attack locates a valid password before these defences are triggered; an attacker who spreads a few guesses across many accounts stays below per-account lockout thresholds in any case.
If you want to check whether your email address is in the dump, you can search the database online at https://haveibeenpwned.com/. The site will tell you if your address appears in the data dump, but it will not tell you which site it was compromised from or what the compromised password was.
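The same site also lets you check a password itself, rather than an email address, via its Pwned Passwords range API, which works by k-anonymity: only the first five hex characters of the password's SHA-1 hash are sent, the service returns every hash suffix it holds for that prefix, and the match is done locally. The following is an added example written for this post (not code from the original page or from MTI): the endpoint is the real one, but the range response is constructed inline with made-up counts so the script runs offline, and the `Add-Padding` and live-fetch behaviour of the real API are not modelled.

```python
import hashlib

# Real endpoint of the HIBP Pwned Passwords range API; the response body used
# below is constructed for this example, so nothing is actually fetched.
PWNED_RANGE_API = "https://api.pwnedpasswords.com/range/"


def sha1_parts(password):
    """Split the upper-case hex SHA-1 of the password into the 5-character prefix
    that is sent to the service and the 35-character suffix matched locally."""
    digest = hashlib.sha1(password.encode("utf-8")).hexdigest().upper()
    return digest[:5], digest[5:]


def range_url(password):
    """URL for the k-anonymity query: only the hash prefix leaves your machine."""
    prefix, _ = sha1_parts(password)
    return PWNED_RANGE_API + prefix


def count_in_range(password, range_body):
    """Parse a range response ('SUFFIX:COUNT' per line) and return how many times
    the password has been seen in breach data; 0 means the suffix is absent."""
    _, suffix = sha1_parts(password)
    for line in range_body.splitlines():
        seen_suffix, sep, count = line.strip().partition(":")
        if sep and seen_suffix.upper() == suffix:
            return int(count)
    return 0


def is_pwned(password, range_body):
    """True when the password appears in the given range response."""
    return count_in_range(password, range_body) > 0


# Constructed response for prefix 5BAA6, the prefix of SHA-1("password").
# Real responses contain several hundred lines; these counts are made up.
SAMPLE_RANGE_5BAA6 = """\
00B2CB1AEAEEEE1F3B3B9C4A3ED9B0A0B3B:2
1E4C9B93F3F0682250B6CF8331B7EE68FD8:3500000
1E4C9B93F3F0682250B6CF8331B7EE68FDA:1
"""


if __name__ == "__main__":
    pw = "password"
    print("query:", range_url(pw))
    print("seen in breaches:", count_in_range(pw, SAMPLE_RANGE_5BAA6))
```

To run this against the live service, fetch `range_url(password)` with any HTTP client and pass the response body to `count_in_range`; the password itself and its full hash never leave the machine, which is what makes the check safe to run against real credentials.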
Knowing after the fact that your password has been compromised is helpful, but by then there is usually little to do other than change the password everywhere it was used and hope it does not get compromised again.
The best course of action is to conduct a regular password audit of your network to locate weak passwords, common password conventions, users who increment their passwords when they change them, and duplicated passwords/password reuse. Multi-Factor Authentication should be enabled on all login interfaces accessible over the Internet, e.g. Office 365.
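The following added example (written for this post; not code from the original page or from MTI) ties together the incremented-password risk described under point 1 and the four audit checks just listed. It takes a set of passwords as a password audit would recover them after cracking the domain's hashes, derives the small candidate list an attacker would try from a known old password, and then flags users whose new password is on that list, along with reuse, shared year suffixes and dictionary-based passwords. The user names, passwords and the tiny wordlist are constructed for the example; a real audit would use the organisation's own cracked hashes and a full dictionary.

```python
import re
from collections import defaultdict

# Constructed sample for this example only: passwords recovered from a
# hypothetical audit, and the previous audit's results for the same users.
# Nothing here comes from any real dump.
CURRENT_PASSWORDS = {
    "alice": "Monday3",
    "bob": "Summer2019!",
    "carol": "Summer2019!",
    "dave": "Password1",
    "erin": "Welcome2019",
    "frank": "Acme2019",
}
PREVIOUS_PASSWORDS = {"alice": "Monday2", "bob": "Summer2018!", "frank": "Acme2018"}

# Stand-in for a real dictionary (rockyou, hashcat wordlists, company terms).
COMMON_WORDS = {"password", "welcome", "monday", "summer", "letmein"}

# stem + digits + optional trailing punctuation, e.g. Summer2019!
_SHAPE = re.compile(r"^(.*?)(\d+)(\W*)$")


def split_password(pw):
    """'Summer2019!' -> ('Summer', '2019', '!'); None if there are no digits."""
    m = _SHAPE.match(pw)
    return m.groups() if m else None


def targeted_candidates(known, depth=5):
    """Guesses an attacker derives from a leaked password by bumping its number.
    With a known starting point only a few attempts per account are needed,
    which is well under most lockout thresholds."""
    parts = split_password(known)
    if parts is None:
        return [f"{known}{i}" for i in range(1, depth + 1)]
    stem, digits, tail = parts
    width = len(digits)  # keeps zero padding: Monday09 -> Monday10
    return [f"{stem}{str(int(digits) + i).zfill(width)}{tail}" for i in range(1, depth + 1)]


def find_incremented(current, previous, depth=5):
    """Users whose new password is an increment of their previous one."""
    return sorted(u for u, old in previous.items()
                  if current.get(u) in targeted_candidates(old, depth))


def find_reuse(current):
    """Passwords shared by more than one account."""
    by_pw = defaultdict(list)
    for user, pw in current.items():
        by_pw[pw].append(user)
    return {pw: sorted(users) for pw, users in by_pw.items() if len(users) > 1}


def find_conventions(current, min_users=3):
    """Numeric suffixes (typically years) shared by many users: a convention an
    attacker can mine from a corporate breach and reuse against everyone."""
    by_num = defaultdict(list)
    for user, pw in current.items():
        parts = split_password(pw)
        if parts:
            by_num[parts[1]].append(user)
    return {num: sorted(users) for num, users in by_num.items() if len(users) >= min_users}


def find_weak(current, words=COMMON_WORDS):
    """Users whose password is a dictionary word plus digits/punctuation."""
    weak = []
    for user, pw in current.items():
        parts = split_password(pw)
        stem = (parts[0] if parts else pw).lower()
        if stem in words:
            weak.append(user)
    return sorted(weak)


def audit(current, previous):
    """Run all four checks and return a report keyed by finding type."""
    return {
        "weak": find_weak(current),
        "reused": find_reuse(current),
        "incremented": find_incremented(current, previous),
        "conventions": find_conventions(current),
    }


if __name__ == "__main__":
    for finding, detail in audit(CURRENT_PASSWORDS, PREVIOUS_PASSWORDS).items():
        print(f"{finding}: {detail}")
```

The `incremented` check is deliberately the attacker's own candidate generator turned around: if a user's new password is on the short list derived from their old one, a leaked copy of the old one is as good as the current one. Keeping the previous audit's results is therefore part of the audit, not an optional extra.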
MTI can help conduct password audits, manage Privileged Access and review MFA on technologies such as Office 365. Please contact us for more information using the contact form.
If you are not already subscribed to our security alert service – click here.