We trust internet giants with some of our most sensitive information: personal and business communications, documents, financial transactions, social and dating profiles, medical information, and the list grows with every new feature and service we’re offered. But this incredible new level of trust in corporations comes with an often-overlooked dark side. In many cases, the only thing standing between malicious hackers and our seemingly secure data is a short string of characters.
Yes, in 2020, many services still rely on plain passwords to protect user accounts against unauthorized access. And as the numerous hacks have shown in the past decades, passwords are a recipe for disaster.
In most cases, security experts advise users to choose unique, long, and complex passwords to avoid brute-force attacks and credential stuffing hacks. However, a strong password will be of no use when the company that is in charge of protecting your account gets hacked and spills your passwords into the dark web.
Smaller companies get hacked more often, but this doesn’t mean that tech giants are not vulnerable. In fact, password data breaches at large tech companies, albeit less frequent, are much more destructive. They result in loss of data, trust, and reputation. And sometimes the damage is so extensive that the victims never recover from it.
Here are a few examples of how bad security practices led to the exposure of many user credentials.
Large companies are run by humans—and humans make errors
In 2018, malicious hackers found a security hole in Facebook’s “View As” feature that enabled them to gain access to the authentication tokens of any user. The flaw remained hidden for months, and Facebook’s engineers discovered it only when they noticed an unusual spike in calls to the application programming interfaces (APIs) behind the feature. By that time, the hackers had exploited the flaw to gain access to more than 30 million user accounts.
The episode resulted in a major public relations fiasco for Facebook, and the social media giant found itself in hot water (for the nth time), facing several class-action lawsuits from outraged users.
Even Apple, which is often touted as the manufacturer of some of the most secure devices and applications, can make these kinds of mistakes. In 2017, a security flaw in the iOS mobile operating system enabled hackers to steal passwords and other sensitive data from users’ iCloud accounts. The episode reminded us that even end-to-end encrypted passwords can get hacked.
When big companies get hacked, it’s really big
In December, Microsoft published a notice that 44 million Microsoft Azure AD and Microsoft Services accounts were vulnerable to account hijacking due to the use of compromised passwords. The company did not reveal whether there had been any recent breaches; it explained that its threat research team had made the discovery after consolidating and analyzing data from various breaches, and it forced a password reset for affected users.
Only months earlier, Microsoft had reported that the credentials of one of the support agents of its email service, Outlook.com, were compromised, giving hackers access to some customer accounts. While the company was quick to say no user accounts were stolen, it did admit that the hackers had gained access to email addresses, folder names, and subject lines of emails. That is exactly the kind of information that can prove devastatingly useful in phishing attacks.
In late December, it became known that the login details of more than 3,500 user accounts of Ring, a smart-home security company owned by Amazon, had been compromised. The attackers had been able to gain access to home addresses, payment information, as well as live camera feeds and video histories. While Amazon claimed that it hadn’t been directly breached, it was obvious that it hadn’t put safeguards in place to prevent password hacks.
Microsoft and Amazon are not the first tech giants to come to grips with password breaches. Search giant Yahoo suffered a 3-billion-password hack in the 2013-2016 period, which dealt a heavy blow to the company’s reputation, especially as it was in the process of negotiating an M&A deal with telecom giant Verizon. The disaster knocked $350 million off Yahoo’s valuation, a heavy price for a company that was already struggling financially.
Tech companies are bad at storing passwords
In an incident that happened this January, an Amazon Web Services (AWS) engineer accidentally stored a cache of passwords, AWS keypairs, and private keys in a public GitHub repository. The 954MB blunder, discovered by UpGuard, contained the sensitive account information of thousands of AWS customers. While this was probably an accident, there have been cases where AWS workers have intentionally stolen customer data for malicious purposes.
Last year, Google fell short of its self-imposed standards in a security lapse that involved the storage of unhashed G Suite passwords. The company made the announcement in a blog post published in May. While the company took quick measures to solve the issue, it also admitted that the issue had persisted since 2005. “This practice did not live up to our standards,” Suzanne Frey, VP of Engineering at Cloud Trust, wrote in the post.
In March, security researcher Brian Krebs reported that the account passwords of hundreds of millions of Facebook users had been stored in plain text and were searchable by thousands of the company’s employees. In some cases, the passwords had been in this state since 2012. How did it happen? The company’s engineers had built internal tools in which they logged unencrypted passwords. It was reported that between 200 million and 600 million user passwords had been exposed this way.
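The two storage failures described in this section, passwords kept unhashed (the G Suite case) and passwords written in plain text by internal logging tools (the Facebook case), are both preventable at the code level. The following is an added example, not code from Google, Facebook, or the original article; it assumes a Python service that uses the standard `logging` module and a hypothetical credential store, and shows a salted PBKDF2 hash record in place of the plaintext password together with a log filter that scrubs credential fields before a record is written. The field names in `SENSITIVE_KEYS` are an assumed list.

```python
import hashlib, hmac, logging, os, re
from io import StringIO

# Field names to scrub from log lines (assumed list; extend it for your own tooling).
SENSITIVE_KEYS = ("password", "passwd", "pwd", "secret", "token")
_SECRET_RE = re.compile(r"(?i)\b(" + "|".join(SENSITIVE_KEYS) + r")\b([\"']?\s*[=:]\s*)(\S+)")

def redact(text: str) -> str:
    """Replace the value of any key=value / key: value credential pair."""
    return _SECRET_RE.sub(r"\1\2[REDACTED]", text)

class RedactSecretsFilter(logging.Filter):
    """Scrub credentials after %-interpolation, before the record reaches any handler output."""
    def filter(self, record: logging.LogRecord) -> bool:
        record.msg = redact(record.getMessage())
        record.args = ()  # already interpolated; avoid a second formatting pass
        return True

def hash_password(password: str, salt: bytes = b"") -> str:
    """Return a salted PBKDF2-HMAC-SHA256 record; the plaintext is never kept."""
    salt = salt or os.urandom(16)
    rounds = 600_000  # deliberately slow to blunt offline guessing if the store leaks
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, rounds)
    return f"pbkdf2_sha256${rounds}${salt.hex()}${digest.hex()}"

def verify_password(password: str, stored: str) -> bool:
    """Recompute with the stored salt and rounds; compare in constant time."""
    _algo, rounds, salt_hex, digest_hex = stored.split("$")
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), bytes.fromhex(salt_hex), int(rounds))
    return hmac.compare_digest(candidate.hex(), digest_hex)

def log_login_attempt(username: str, password: str) -> str:
    """Simulate an internal tool logging a failed login; return what actually reached the log."""
    buf = StringIO()
    logger = logging.getLogger("internal-tool")
    logger.handlers.clear()
    logger.propagate = False
    handler = logging.StreamHandler(buf)
    handler.addFilter(RedactSecretsFilter())
    logger.addHandler(handler)
    # Constructed log call in the shape a debugging tool might emit.
    logger.warning("login failed user=%s password=%s", username, password)
    return buf.getvalue()
```

Attaching the filter to the handler rather than to each call site is what makes the control durable: an engineer adding a new debug statement cannot accidentally opt out of it.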
Companies are realizing the dangers of passwords
With the financial, reputational, and technical costs of password hacks rising, tech companies have been in a race to find a fundamental solution that will protect their business against these devastating security incidents while also providing a convenient experience for their users.
And obviously, the most secure password policy is one that ditches passwords altogether. With passwords eliminated from the authentication process, the threat of credential theft on the device, in transit, and at rest becomes a thing of the past. While large tech companies attract the most attention and scrutiny when it comes to security incidents, the transition to passwordless authentication should be among the priorities of every organization.
There have been very fruitful efforts in this space in the past few years. Some of them have been led by individual companies, such as Microsoft Hello and the Google Prompt on Android. Others have been industry-wide, such as the FIDO Alliance’s authentication standards FIDO, FIDO2, and WebAuthn.
Fortunately, these initiatives have made it easier for all organizations to get on board the passwordless MFA movement.