Only 33 Percent Of People Change Password After Data Breach

A new study was published by researchers from the Carnegie Mellon University’s Security and Privacy Institute and was presented at the 2020 IEEE Workshop on Technology and Consumer Protection.

The study has grim news for IT Security Professionals.

The key finding in the report is that only about one third of users will change their passwords after a company announces a data breach. This information was based not on survey responses, but on browser histories collected from the 249 participants who volunteered to open up their browser history for the purpose of the research.

The browser history data was collected between January 2017 and December 2018 and included both a complete map of all of the websites each participant visited during that time, and the passwords used by each user to access sites that required a login.

Only 63 participants had accounts on breached domains during the data collection period, and of those, only 21 (33 percent) changed their passwords. Worse, 6 of the 21 took longer than 3 months to do so.

If that wasn't disheartening enough, most of the changed passwords were highly similar to the old ones. They were similar enough that simple guessing techniques, starting from the leaked password, would still give an attacker access to the accounts in question, even after the password change.
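One defensive measure that follows from this finding is to reject a new password that is only a trivial edit of the old one at change time. The following is an added example, not code from the study or from any product it mentions; it assumes the old password is available in plaintext while the user is changing it (the user has just typed it to authenticate the change) and uses an edit-distance threshold plus a "strip the trailing year and symbol" normalisation that are both arbitrary choices for illustration.

```python
"""Reject a new password that is a near-copy of the old one.

Added example (not from the study). Assumes the service sees the old and new
password in plaintext during a change; thresholds below are illustrative.
"""
import re

MAX_EDITS = 2      # assumed policy: at most this many single-character edits counts as "the same"
MIN_SUBSTRING = 4  # ignore substring matches shorter than this


def levenshtein(a: str, b: str) -> int:
    """Classic edit distance (insert / delete / substitute), O(len(a) * len(b))."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1,            # delete ca
                           cur[j - 1] + 1,         # insert cb
                           prev[j - 1] + (ca != cb)))  # substitute
        prev = cur
    return prev[-1]


def _core(password: str) -> str:
    """Lower-case and strip leading/trailing digits and symbols: 'Summer2019!' -> 'summer'."""
    return re.sub(r"^[\W\d_]+|[\W\d_]+$", "", password).lower()


def too_similar(old: str, new: str, max_edits: int = MAX_EDITS) -> bool:
    """True when `new` is a trivial variation of `old` (case change, +1, reversal, year bump...)."""
    lo, ln = old.lower(), new.lower()
    if lo == ln or lo == ln[::-1]:
        return True
    # one is contained in the other: "summer" vs "summer2019!"
    shorter, longer = sorted((lo, ln), key=len)
    if len(shorter) >= MIN_SUBSTRING and shorter in longer:
        return True
    if levenshtein(lo, ln) <= max_edits:
        return True
    # compare the alphabetic cores so "Summer2019!" -> "Summer2020!" is caught
    c_old, c_new = _core(old), _core(new)
    if c_old and c_new and levenshtein(c_old, c_new) <= max_edits:
        return True
    return False


def check_change(old: str, new: str) -> str:
    """Policy decision a password-change handler could return."""
    if too_similar(old, new):
        return "rejected: new password is too similar to the old one"
    return "accepted"


if __name__ == "__main__":
    for old, new in [("Summer2019!", "Summer2020!"), ("hunter2", "hunter2!"),
                     ("Summer2019!", "Cavalier-Horse-Lamp-97")]:
        print(f"{old!r} -> {new!r}: {check_change(old, new)}")
```

In practice the check runs only inside the change flow; the old password is never stored in plaintext for later comparison, which is why the comparison has to happen at the moment the user supplies both values.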

It should be noted that this study was quite small in scale and limited in scope, so additional studies should be conducted to see if the trend holds up over time. However, it does provide a valuable, and worrisome data point that should give IT Professionals pause.

Education is the best way to combat this, but few companies spend the time and resources necessary to truly impart the seriousness of the consequences of a data breach. In addition, the message simply isn’t getting through. That’s unfortunate, and it could have tragic consequences, both at the personal and Enterprise level.

Old LiveJournal Database Breach Is Now Being Leaked Online

Do you have an account on LiveJournal?

If so, you may have heard the persistent rumors that have been circulating since 2014 that the company was breached and some 33 million user records were stolen.

To this day, LiveJournal denies that they were breached.

Unfortunately, this month (May, 2020), a database containing 33,717,787 unique user records has been found circulating free of charge on the Dark Web. The database contains usernames, email addresses and plain text passwords. Given this fact, despite what LiveJournal may claim, it seems that they were indeed breached.

If there's a silver lining to be found here, it lies not with LiveJournal's response, but with the fact that the database is more than six years old. Even if you have an account on the site, odds are excellent that you changed your password at some point in the intervening six years. Even if that's the case, however, the safest course of action is to change it again.

It’s also worth repeating that if you’re in the habit of using the same password across multiple web properties, and you recycled your LiveJournal password on some other website, you’ll need to reset those passwords as well. This would also be an excellent time to break yourself of that habit. Start using different passwords on every website you access and enable two-factor authentication protocols everywhere you can.

Sadly, LiveJournal’s response to the existence of the database has been to double down on their denial, but the evidence that a breach occurred seems overwhelming. The account information had to come from somewhere, after all, and the record count aligns almost perfectly with the persistent rumors. Even though this is an old breach, change your LiveJournal password right away, just to be safe.

Hackers Set Their Sights On Cloud Services

Thanks to the pandemic, tens of millions of people are working from home.

Even before then, the Cloud was experiencing a tremendous amount of growth, but since shelter in place orders were issued by many governments around the world, growth has absolutely skyrocketed.

This has drawn the attention of a number of hacking groups, which have taken an increased interest in gaining access to Cloud resources, stealing login credentials and then making off with a wide range of sensitive data.

According to statistics gathered by McAfee, the number of attacks aimed squarely at Cloud services has increased by a whopping 630 percent between January and April of this year.

Broadly speaking, the attacks come in two basic flavors:

First, logins from anomalous locations: places that have not previously been used to log in and that are not familiar to the organization.

Second, what researchers are calling ‘suspicious superhuman’ logins, which are defined by multiple login attempts in a short span of time from locations scattered across the globe. For instance, you might see one login attempt made in South America with another, a few seconds later, in Asia, and so on.
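Both flavors can be caught with simple log analysis. The block below is an added example, not McAfee's detection logic or anything from the report: it runs over a handful of constructed login records (timestamp, user, IP, city, latitude, longitude), flags a login from a city not in that user's known set, and flags "superhuman" travel by computing the great-circle distance between consecutive logins and the speed that would have been needed to cover it. The 1000 km/h threshold (roughly an airliner) and the 100 km minimum distance are assumed values.

```python
"""Flag new-location and impossible-travel logins in a login log.

Added example (not from the McAfee report). Log lines and thresholds are constructed.
"""
from dataclasses import dataclass
from datetime import datetime
from math import asin, cos, radians, sin, sqrt

EARTH_RADIUS_KM = 6371.0
MAX_SPEED_KMH = 1000.0   # assumed: faster than this between two logins is not human travel
MIN_DISTANCE_KM = 100.0  # assumed: ignore geolocation jitter within one metro area


@dataclass
class Login:
    user: str
    ts: datetime
    ip: str
    city: str
    lat: float
    lon: float


def haversine_km(lat1: float, lon1: float, lat2: float, lon2: float) -> float:
    """Great-circle distance between two points given in decimal degrees."""
    phi1, phi2 = radians(lat1), radians(lat2)
    dphi = radians(lat2 - lat1)
    dlambda = radians(lon2 - lon1)
    a = sin(dphi / 2) ** 2 + cos(phi1) * cos(phi2) * sin(dlambda / 2) ** 2
    return 2 * EARTH_RADIUS_KM * asin(sqrt(a))


def parse(line: str) -> Login:
    """Constructed format: '<ISO-8601 UTC> <user> <ip> <city> <lat> <lon>'."""
    ts, user, ip, city, lat, lon = line.split()
    return Login(user, datetime.fromisoformat(ts.replace("Z", "+00:00")),
                 ip, city, float(lat), float(lon))


def detect(lines, known_locations):
    """Return (user, alert_type, detail) tuples in user/time order."""
    alerts = []
    last = {}  # most recent login per user
    for login in sorted(map(parse, lines), key=lambda l: (l.user, l.ts)):
        # flavor 1: a location the organization has never seen for this user
        if login.city not in known_locations.get(login.user, set()):
            alerts.append((login.user, "new-location", login.city))
        # flavor 2: consecutive logins too far apart for the elapsed time
        prev = last.get(login.user)
        if prev is not None:
            km = haversine_km(prev.lat, prev.lon, login.lat, login.lon)
            hours = (login.ts - prev.ts).total_seconds() / 3600.0
            speed = km / hours if hours > 0 else float("inf")
            if km > MIN_DISTANCE_KM and speed > MAX_SPEED_KMH:
                alerts.append((login.user, "impossible-travel", f"{prev.city}->{login.city}"))
        last[login.user] = login
    return alerts


# constructed sample log: alice "travels" Chicago -> Singapore in nine seconds
SAMPLE_LOG = """\
2020-04-02T08:00:00Z alice 198.51.100.4 Chicago 41.88 -87.63
2020-04-02T08:00:09Z alice 203.0.113.7 Singapore 1.35 103.82
2020-04-02T09:30:00Z bob 192.0.2.10 Chicago 41.88 -87.63
2020-04-02T17:45:00Z bob 192.0.2.11 Denver 39.74 -104.99
""".splitlines()

# constructed baseline of cities each user has logged in from before
KNOWN_LOCATIONS = {"alice": {"Chicago"}, "bob": {"Chicago", "Denver"}}

if __name__ == "__main__":
    for alert in detect(SAMPLE_LOG, KNOWN_LOCATIONS):
        print(alert)
```

Bob's Chicago-to-Denver hop of roughly 1,500 km over eight hours is ordinary travel and stays silent; Alice's two logins nine seconds apart on opposite sides of the planet produce both a new-location and an impossible-travel alert. A real deployment would build the known-location baseline from weeks of history and treat IP geolocation as approximate, which is what the minimum-distance guard is for.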

Rajiv Gupta, the Senior Vice President For Cloud Security at McAfee, had this to say about the company’s findings:

"The risk of threat actors targeting the cloud far outweighs the risk brought on by changes in employee behavior."

The good news is that there’s a relatively simple way for organizations to reduce the risk to near-zero. Simply enable two-factor authentication and the vast majority of these types of attacks will be doomed to fail.

The bottom line is that the risks are increasing and that’s not likely to change anytime soon. Stay on your guard and make sure your people are aware. Phishing scams are the most common means of gaining access to login credentials.

Wishbone App Database Leaked To Public By Hacker

The hacking group calling themselves ‘The Shiny Hunters’ has been busy.

Recently, they put databases containing user records from eleven different companies up for sale on the Dark Web, including a massive database containing some 40 million records belonging to the popular Wishbone app.

Wishbone is a social media platform that’s especially popular among children. It allows users to compare two items by way of a simple poll. The database was initially being offered for 0.85 bitcoin, which is, at the time this article was written, worth approximately $8,000.

Only days after the database was originally offered for sale, it appeared elsewhere on the Dark Web in its entirety, for free. The information it contains includes usernames, email addresses, phone numbers, geo-location data, hashed passwords, and profile data, including links to uploaded user photos. That’s bad news indeed for any parent, because again, this app is especially popular among children.

A closer inspection of the records the database contains reveals that the passwords are only weakly protected, hashed with MD5, a fast algorithm that freely available tools can break for most passwords, putting every one of the 40 million users identified in the database at risk.
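The weakness is that a fast, unsalted hash such as MD5 maps every user who chose the same password to the same stored value, so one precomputed table or one recovered password covers all of them. The following added example (not Wishbone's code, and not a description of their actual storage beyond the MD5 fact stated above) contrasts that with a salted, memory-hard scrypt hash from Python's standard library and shows the usual migration path: verify the legacy MD5 on the user's next successful login and rehash with scrypt. The record list and the scrypt parameters are constructed for illustration.

```python
"""MD5 password storage vs. salted scrypt, with an upgrade-on-login migration.

Added example, not Wishbone's implementation. User records are constructed.
"""
import hashlib
import hmac
import os
from collections import defaultdict
from typing import Optional

# assumed scrypt parameters (memory cost = 128 * N * r = 16 MiB per hash)
SCRYPT_N, SCRYPT_R, SCRYPT_P, DKLEN = 2 ** 14, 8, 1, 32


def md5_hash(password: str) -> str:
    """The weak scheme: fast, unsalted, identical input -> identical output."""
    return hashlib.md5(password.encode("utf-8")).hexdigest()


def duplicate_hash_groups(records):
    """Given (user, md5_hex) pairs, return {hash: [users]} for hashes shared by >1 user.

    This is exactly the property an attacker exploits: crack one, own all of them.
    """
    groups = defaultdict(list)
    for user, digest in records:
        groups[digest].append(user)
    return {h: users for h, users in groups.items() if len(users) > 1}


def scrypt_hash(password: str, salt: Optional[bytes] = None) -> str:
    """Salted, memory-hard hash; stored as 'scrypt$<salt hex>$<key hex>'."""
    salt = salt if salt is not None else os.urandom(16)
    key = hashlib.scrypt(password.encode("utf-8"), salt=salt,
                         n=SCRYPT_N, r=SCRYPT_R, p=SCRYPT_P, dklen=DKLEN)
    return f"scrypt${salt.hex()}${key.hex()}"


def scrypt_verify(password: str, stored: str) -> bool:
    """Recompute with the stored salt and compare in constant time."""
    scheme, salt_hex, key_hex = stored.split("$")
    if scheme != "scrypt":
        return False
    key = hashlib.scrypt(password.encode("utf-8"), salt=bytes.fromhex(salt_hex),
                         n=SCRYPT_N, r=SCRYPT_R, p=SCRYPT_P, dklen=DKLEN)
    return hmac.compare_digest(key, bytes.fromhex(key_hex))


def login_and_upgrade(password: str, stored: str):
    """Return (ok, new_stored). Legacy MD5 records are rehashed on a successful login."""
    if stored.startswith("scrypt$"):
        return scrypt_verify(password, stored), stored
    # legacy record: bare MD5 hex
    if hmac.compare_digest(md5_hash(password), stored):
        return True, scrypt_hash(password)   # migrate to the strong scheme
    return False, stored


# constructed sample of a legacy user table: two users picked the same password
LEGACY_RECORDS = [
    ("user_a", md5_hash("password")),
    ("user_b", md5_hash("password")),
    ("user_c", md5_hash("correct-horse-battery-staple")),
]

if __name__ == "__main__":
    print("shared MD5 hashes:", duplicate_hash_groups(LEGACY_RECORDS))
    ok, upgraded = login_and_upgrade("password", LEGACY_RECORDS[0][1])
    print("login ok:", ok, "| new record:", upgraded[:30] + "...")
    print("same password, different scrypt hashes:",
          scrypt_hash("password") != scrypt_hash("password"))
```

With scrypt every user gets a random 16-byte salt, so the two users who share "password" no longer share a stored value, and each guess must be recomputed per user at a cost of 16 MiB of memory, which is what makes bulk cracking of a 40-million-row dump impractical in a way MD5 never was.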

If you're not sure whether your child has downloaded Wishbone, it pays to double check immediately. Be sure to change the password on any Wishbone account you or your children may have, and on any other account that uses the same password.

For the company’s part, a notice recently went up on the Wishbone website that read: “Protecting data is of the utmost importance. We are investigating this matter and will share any significant developments.”

Unfortunately, the most significant development is that some 40 million of the app’s users are now at risk. Don’t take any chances. If you or your kids use this app, change your password immediately and be on the alert for phishing emails sent to any email address referenced in your Wishbone profile.

New Data Breach Affected Some Bank Of America Loan Applicants

If you’re like many business owners, you may have recently applied for a loan through the Paycheck Protection Program (PPP) which was one of the COVID-19 relief funds established by the Federal government in response to the global pandemic.

If you applied for that loan through Bank of America, be advised that the company recently disclosed a security incident that impacted its online platform for processing those loan requests. The company says that it is possible that other lenders or organizations may have temporarily had access to significant portions of your application data.

The breached data included, but was not limited to:

  • Your business’ name and physical address
  • Designated company contact officials
  • Your firm’s Tax Identification Number
  • The name of the company owner
  • The Social Security Number of the company owner, as well as the owner’s email address, phone number and citizenship

Based on the initial findings of an investigation into the matter, Bank of America says that an SBA test server was at the root of the problem.

Per a company spokesman, “…this platform was designed to allow authorized lenders to test the process for submitting PPP applications to the SBA prior to the actual submission process.”

The company's official words on the matter make the issue seem rather insignificant, but there's more. Some business owners have reported that when they logged back into the system to check the status of their loan application, they could see the details of other loan applicants in their dashboard. That means that potentially, many more people than just 'authorized lenders' may have seen the details of your loan application.

The investigation is still ongoing, and so far, Bank of America has declined to comment on the growing number of reports described above or to offer any additional information. If you submitted your application to the PPP loan program by way of Bank of America, be advised that for a brief period of time, others may have gained access to your application details, and that the problem that caused it has now been solved.