Big Credential Breaches

Shimrit Tzur-David | February 12, 2019

In today’s digital threat landscape, large-scale information compromise is no longer big news.

Averaging one a month, hackers have consistently managed to execute major breaches against organizations the world over, resulting in millions of compromised identities.

But the sheer scale of the most recent mega breach makes it something unique.

Dubbed Collection #1 by its discoverer Troy Hunt, the breach amounts to nearly 773 million exposed usernames and passwords. The database was uploaded in a post to an unnamed dark web hacking forum. Hunt subsequently organized these files in a publicly viewable Pastebin file.

Hardly a Surprise

Needless to say, the industry was in awe over the size of this breach. The broader implication of Collection #1’s discovery is that there are likely scores of other databases like it: credential troves that are being bought, sold, and traded every day on hacking forums.

But this massive collection of stolen credentials being uncovered should hardly surprise anyone. Credentials have long been the weak link in the security chain. For years, the overwhelming majority of hacks have been the result of stolen passwords. As long as identity security depends on a piece of information users need to safeguard, cybercriminals will find a way to obtain it.

Then of course there’s the human factor. Either by inadvertently exposing their passwords or by entering them through an insecure medium, users regularly put their credentials at risk. An organization that entrusts users with control of their authentication details is inviting hackers.

An Accumulating Threat

When most businesses hear news of a breach, their first response is to assume that it affects the broader consumer market, not the organization.

Companies need to step out of this mindset of immunity.

Through a three-step process, hackers leverage large compilations of credentials to maximize the amount of illicit access they can achieve and wreak havoc on businesses.

Step 1) Credential Stuffing

Once cybercriminals have amassed a good amount of spilled usernames and passwords, they use a program called an account checker to test the stolen credentials against a multitude of websites, usually high-value sites such as social media platforms or online marketplaces. Statistically, 0.1 to 0.2 percent of total logins in a well-run stuffing campaign are successful. That may sound like a minuscule amount, but when hundreds of thousands of credential sets are run against dozens or even hundreds of sites, those successes add up; with a breach of over 700M credentials, the numbers reach the hundreds of thousands.

Step 2) Corporate Account Takeover

Corporate Account Takeover is a type of business identity theft where cyber thieves gain control of key company accounts, assuming their identity and privileges. These are typically accounts of senior officials that grant special privileges to manipulate company data and/or assets. Once hackers successfully gain access to such an account through a stuffing campaign, they can assume the privileged identity in order to move through the organization unabated.

Step 3) Privilege Escalation

Once attackers have gained access to a corporate account, they then look for a vulnerability, design flaw or configuration oversight to gain elevated access to protected resources, from the user level up to the kernel level. This allows them to manipulate or steal data, and even make monetary transactions on the company’s bill.
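The credential stuffing stage described in Step 1 leaves a recognizable trace in authentication logs: a single source cycling through many distinct usernames with a high failure ratio and the occasional hit. The following detection logic is an added example, not code from the original post or from Secret Double Octopus; the log format, the sample events and the thresholds are assumptions constructed for illustration.

```python
from collections import defaultdict

# Constructed sample login events (not from the original post):
# timestamp, source IP, username, outcome. 203.0.113.10 behaves like an
# account checker replaying a dump; 198.51.100.7 is one user mistyping.
SAMPLE_LOG = """\
2019-02-12T09:00:01 203.0.113.10 alice FAIL
2019-02-12T09:00:02 203.0.113.10 bob FAIL
2019-02-12T09:00:02 203.0.113.10 carol FAIL
2019-02-12T09:00:03 203.0.113.10 dave FAIL
2019-02-12T09:00:03 203.0.113.10 erin FAIL
2019-02-12T09:00:04 203.0.113.10 frank FAIL
2019-02-12T09:00:04 203.0.113.10 grace FAIL
2019-02-12T09:00:05 203.0.113.10 heidi FAIL
2019-02-12T09:00:05 203.0.113.10 ivan OK
2019-02-12T09:00:06 203.0.113.10 judy FAIL
2019-02-12T09:01:10 198.51.100.7 alice FAIL
2019-02-12T09:01:20 198.51.100.7 alice FAIL
2019-02-12T09:01:35 198.51.100.7 alice OK
"""

def parse_log(text):
    """Parse the assumed whitespace-separated format into event dicts."""
    events = []
    for line in text.splitlines():
        ts, ip, user, outcome = line.split()
        events.append({"ts": ts, "ip": ip, "user": user, "ok": outcome == "OK"})
    return events

def find_stuffing_sources(events, min_users=5, min_fail_rate=0.8):
    """Flag source IPs that try many distinct usernames with a high failure
    ratio. Returns {ip: stats}; 'compromised' lists accounts that succeeded
    from a flagged source and should be reset and reviewed."""
    per_ip = defaultdict(lambda: {"users": set(), "attempts": 0,
                                  "failures": 0, "hits": set()})
    for e in events:
        s = per_ip[e["ip"]]
        s["users"].add(e["user"])
        s["attempts"] += 1
        if e["ok"]:
            s["hits"].add(e["user"])
        else:
            s["failures"] += 1
    flagged = {}
    for ip, s in per_ip.items():
        fail_rate = s["failures"] / s["attempts"]
        if len(s["users"]) >= min_users and fail_rate >= min_fail_rate:
            flagged[ip] = {"distinct_users": len(s["users"]),
                           "fail_rate": round(fail_rate, 2),
                           "compromised": sorted(s["hits"])}
    return flagged
```

A legitimate user who fails a few times against one account is not flagged, because the distinct-username count stays at one; the 0.1 to 0.2 percent hit rate the post cites is exactly why the `compromised` list matters more than the volume of failures.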

Going Passwordless

The revelation of Collection #1 is just the latest reminder on a hard truth of digital authentication: as long as there is a human factor, identities will be at risk.

The single most effective step to secure accounts and protect networks is to circumvent all the vulnerabilities associated with password-based authentication. Adopting a passwordless multi-factor authentication (MFA) solution means no more risk of credentials being compromised by accidental exposure, and no more password theft via traditional methods such as phishing schemes.

But going passwordless offers more than security advantages. User experience for all account holders is increased exponentially, as users are no longer required to remember passwords, abide by complex password policies, or run the risk of being locked out when a password is lost or forgotten.

The Octopus Approach

The Octopus Authenticator of Secret Double Octopus is the only passwordless solution offering seamless, mathematically unbreakable authentication.

Octopus Authenticator is fully scalable to any organization and can be integrated into all enterprise cases and tools. This means no service within the network is left to rely on user-controlled passwords.

To address the needs of today’s mobile and off-site workforce, the Authenticator allows for both offline and online access.

Octopus provides the very highest in authentication assurance while removing password related costs and the pains of memorized secrets.