We explore some of the most significant password-related breaches of the last year, including their causes and consequences, to help stop you from falling victim to a similar attack.
Expert Insights / May 06, 2021 / By Caitlin Jones
User credentials are the keys to your organization’s data kingdom, and it’s crucial that you keep those keys safe. That means not only educating users on good password practices, but enforcing them organization-wide. Failure to do this leaves your doors unlocked for bad actors who are trying to access your corporate data.
Unfortunately, a lot of us are pretty bad at keeping our corporate credentials safe; according to Verizon's 2020 Data Breach Investigations Report, over 80% of hacking-related breaches last year involved brute force or the use of lost or stolen credentials. To protect yourself from credential-related breaches, you need to understand why they happen and how they work.
We’ve put together a list of some of the most significant password breaches and hacks of the last year, so that you can learn from these victims’ mistakes.
In March, the Marriott hotel chain announced news of a data breach that they’d discovered in late February, allowing an “unexpected amount” of guest information to be jeopardized. That “unexpected amount” was the data of 5.2 million guests who had used one of the company’s loyalty applications.
Cybercriminals obtained the login credentials of two Marriott employees, and used those credentials to steal customer data from a third-party guest services application. The stolen data included phone numbers, email addresses, workplaces, personal information and linked account data.
The 2020 Marriott attack came just two years after the chain disclosed a far larger breach of the reservation database of Starwood Hotels, which Marriott had acquired in 2016, in which the records of up to 500 million guests were exposed.
In October 2020, the UK Information Commissioner's Office fined Marriott 18.4 million pounds over that earlier Starwood breach. In both incidents the attackers operated with legitimate credentials, and both are the kind of loss that tighter credential hygiene, multi-factor authentication and monitoring for misuse of valid accounts are meant to prevent.
Marriott wasn’t the only company to experience a cyberattack early last year. On February 21st, Slickwraps, a Kansas-based store that creates protective skins for cell phones and tablets, fell victim to a breach that compromised data stored in an unprotected database, comprising customer names, addresses and email addresses.
The Slickwraps hack was no ordinary data breach; it was carried out by two self-proclaimed “white hat” hackers, i.e. ethical hackers who use their powers for good, rather than for evil. The story went a little something like this:
1. Hacker One, who goes by the handle Lynx0x00, discovered a vulnerability on one of Slickwraps' webpages that would allow an attacker to access employee and customer information, as well as execute shell commands that would give them the credentials to the company's entire MySQL database.
2. Lynx0x00 notified Slickwraps of the vulnerability via Twitter.
3. On receiving no response from Slickwraps, Lynx0x00 posted on Medium about the vulnerability and how to exploit it.
4. Hacker Two read Lynx0x00's Medium post, exploited the vulnerability, and used a Slickwraps email address to send a message to over 350,000 customer addresses pulled from the unprotected database.
5. Once they discovered the breach, Slickwraps closed down the compromised database and promised to improve their security processes going forward.
The Slickwraps hack received a divided online response. Some criticized the company’s poor security architecture and lack of response; others criticized the vague ways in which the hackers attempted to notify Slickwraps of the vulnerability and how they breached them, rather than contacting them directly to explain the issue clearly.
Antheus Tecnologia Biometrics
In March, the Brazilian biometric verification company Antheus Tecnologia experienced a breach of data stored on an unsecured server. The server held records for roughly 76,000 unique fingerprints, as well as email addresses, telephone numbers, and admin login credentials. It did not store fingerprint images themselves; instead it held around 2.3 million data points describing those fingerprints, the kind of template a matcher compares against, and researchers warned that an attacker could use them to reconstruct usable fingerprints.
Biometric authentication is widely considered to be one of the strongest methods by which a user can secure their account, due to the difficulty involved in stealing someone’s biometric information. However, if a bad actor does manage to get hold of that information, such as in a breach like this, the user cannot change it. You can update a password, but you can’t swap out your fingerprints.
Spring 2020 brought with it April showers and—rather more alarmingly—two huge credential stuffing attacks. The first of these involved gaming giant, Nintendo. Hackers used a credential stuffing attack to gain access to over 300,000 player accounts that were “protected” by weak or reused passwords. Once they were in, the attackers used the stored payment information from those accounts to illegally purchase valuable digital products. They may also have accessed personal information such as email addresses.
Nintendo responded to the attack by disabling login via Nintendo Network IDs, forcing password resets on affected accounts, and encouraging users to set up two-factor authentication for an extra layer of protection.
Around the same time, Zoom experienced a similar breach. Just as millions of users around the world were becoming comfortable with using the videoconferencing service to keep their work and social lives connected, half a million stolen user credentials became available for sale on the dark web. Cybercriminals used these login details to attend meetings and steal personal information from the account holders, such as their contact details.
Credential stuffing works only because people reuse passwords: the attacker replays username and password pairs leaked from one site against another and waits for the hits. Both attacks could have been blunted by users choosing a strong, unique password for each account and turning on multi-factor authentication, and by the services themselves rate-limiting login attempts and watching for the tell-tale pattern of one source trying many different usernames in quick succession.
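The server-side signal mentioned above is easy to check for. The following is an added example, not code from the original article or from Nintendo or Zoom: it parses a handful of constructed login-log lines in an assumed format and flags a source IP that attempts many distinct usernames inside a short window with mostly failures. Any successes from that source are treated as likely account takeovers. The thresholds (five usernames, five-minute window, at least half failures) are assumptions to tune per service.

```python
"""Credential-stuffing detector over constructed login-log lines (added example)."""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log. 203.0.113.5 replays a leaked credential list and gets
# two hits; 198.51.100.7 is one user mistyping their own password, not stuffing.
SAMPLE_LOG = """\
2020-04-20T10:00:01Z ip=203.0.113.5 user=alice result=FAIL
2020-04-20T10:00:02Z ip=203.0.113.5 user=bob result=FAIL
2020-04-20T10:00:02Z ip=203.0.113.5 user=carol result=FAIL
2020-04-20T10:00:03Z ip=203.0.113.5 user=dave result=SUCCESS
2020-04-20T10:00:03Z ip=203.0.113.5 user=erin result=FAIL
2020-04-20T10:00:04Z ip=203.0.113.5 user=frank result=FAIL
2020-04-20T10:00:04Z ip=203.0.113.5 user=grace result=FAIL
2020-04-20T10:00:05Z ip=203.0.113.5 user=heidi result=FAIL
2020-04-20T10:00:05Z ip=203.0.113.5 user=ivan result=FAIL
2020-04-20T10:00:06Z ip=203.0.113.5 user=judy result=SUCCESS
2020-04-20T10:01:00Z ip=198.51.100.7 user=mallory result=FAIL
2020-04-20T10:01:05Z ip=198.51.100.7 user=mallory result=FAIL
2020-04-20T10:01:09Z ip=198.51.100.7 user=mallory result=SUCCESS
"""

# Assumed log format: "<ISO timestamp> ip=<addr> user=<name> result=SUCCESS|FAIL"
LINE_RE = re.compile(r"^(\S+) ip=(\S+) user=(\S+) result=(SUCCESS|FAIL)$")


def parse(log):
    """Return a list of (timestamp, ip, username, result) tuples; skip malformed lines."""
    events = []
    for line in log.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        ts = datetime.strptime(m.group(1), "%Y-%m-%dT%H:%M:%SZ")
        events.append((ts, m.group(2), m.group(3), m.group(4)))
    return events


def detect_stuffing(events, window=timedelta(minutes=5), min_users=5, min_fail_ratio=0.5):
    """Flag source IPs that try >= min_users distinct usernames within one window,
    with at least min_fail_ratio of those attempts failing (assumed thresholds).

    Returns {ip: {"usernames": n, "failures": n, "takeovers": [users]}} where
    "takeovers" are accounts that accepted a login from the flagged source.
    """
    by_ip = defaultdict(list)
    for ev in events:
        by_ip[ev[1]].append(ev)

    findings = {}
    for ip, evs in by_ip.items():
        evs.sort()
        # Slide a window starting at each event from this IP.
        for i, (t0, _, _, _) in enumerate(evs):
            win = [e for e in evs[i:] if e[0] - t0 <= window]
            users = {e[2] for e in win}
            fails = sum(e[3] == "FAIL" for e in win)
            if len(users) >= min_users and fails >= min_fail_ratio * len(win):
                f = findings.setdefault(ip, {"usernames": set(), "failures": 0, "takeovers": set()})
                f["usernames"] |= users
                f["failures"] = max(f["failures"], fails)
                f["takeovers"] |= {e[2] for e in win if e[3] == "SUCCESS"}

    return {
        ip: {"usernames": len(f["usernames"]), "failures": f["failures"],
             "takeovers": sorted(f["takeovers"])}
        for ip, f in findings.items()
    }


if __name__ == "__main__":
    for ip, f in detect_stuffing(parse(SAMPLE_LOG)).items():
        print(f"{ip}: {f['usernames']} usernames, {f['failures']} failures, "
              f"possible takeovers: {f['takeovers']}")
```

In practice attackers spread a stuffing run across many proxies to stay under per-IP thresholds, so a production detector also keys on ASN, user agent, and the global ratio of failed to successful logins; the per-source heuristic here is the starting point, and the "takeovers" list is what should trigger forced password resets.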
In May, the security research team at Safety Detectives announced that they’d discovered a leak of almost 11 billion data records from adult entertainment platform, CAM4. The exposed data was stored in a web-based server without password protection, and included user password information, email addresses, IP addresses, chat records and other sensitive information that could be used in spear phishing attacks, or as leverage to extort money.
CAM4’s parent company, Granity Entertainment, responded quickly to the breach, shutting down the database within half an hour of being notified by the Safety Detectives team. While there’s no evidence that bad actors had accessed the database, the consequences of a breach could have been catastrophic for those impacted. As a result of such a breach, affected users could experience payment fraud, blackmail, and be at risk of credential stuffing attacks—particularly if they’d reused their CAM4 password elsewhere.
Around the same time, Fortune 500 healthcare company Magellan Health fell victim to a ransomware attack in which over 365,000 patient records were compromised, including social security numbers, W-2 or 1099 information and employee login credentials. The attackers first gained a foothold through a phishing email, then installed malware on the network to harvest employee login credentials, and used that access to reach a corporate server, where they deployed the ransomware.
Medical data is extremely valuable to attackers, due to the highly personal and sensitive nature of the data. Because of this, it’s one of the top five types of data that are most commonly breached in a social engineering attack. Personally identifiable information (PII) is also the most expensive type of compromised data, and breaches involving PII loss cost an average of four dollars more per stolen record than those that don’t involve PII.
For this reason, it’s crucial that organizations such as Magellan Health, who handle personal customer information, implement strong identity and access security measures and train their employees on how to detect and respond to phishing attacks.
Unfortunately, May saw yet another alarming breach that involved the leaked data of over 40 million users of the mobile app, Wishbone. The hacking group ShinyHunters gained access to a database containing usernames, email addresses, passwords, phone numbers and location information, and leaked this data on the dark web.
A number of the passwords stored in the database were hashed with plain MD5, a fast, unsalted hash that has been considered unsuitable for password storage for well over ten years. Because MD5 is designed to be quick and the hashes carried no per-user salt, an attacker can precompute the hash of every word in a leaked-password list once and look up the whole dump in seconds; with a commodity GPU computing billions of MD5 hashes per second, even a moderately complex password typically falls in minutes. Password hashing should instead use a deliberately slow, salted function such as bcrypt, scrypt, Argon2 or PBKDF2.
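To make the difference concrete, here is an added example (not code from the article, from Wishbone, or from any real dump) using only Python's standard library. It builds a lookup table from a tiny constructed wordlist, cracks a constructed unsalted-MD5 dump with dictionary probes, and then shows that the same wordlist against per-user salted PBKDF2-HMAC-SHA256 gives the attacker no table to reuse: every guess has to be re-derived for every user at full cost. The usernames, passwords and iteration count are illustrative assumptions.

```python
"""Unsalted MD5 lookup attack versus salted PBKDF2 (added example)."""
import hashlib
import hmac
import os

# Constructed toy wordlist; a real one has hundreds of millions of entries.
WORDLIST = ["123456", "password", "qwerty", "iloveyou", "Summer2020!", "correcthorse"]

# Constructed user table. teen3 picked something the wordlist does not contain.
USERS = {"teen1": "password", "teen2": "Summer2020!", "teen3": "Tr0ub4dor&3-not-in-list"}


def md5_hex(pw):
    """How a legacy app stored passwords: one unsalted MD5 per user."""
    return hashlib.md5(pw.encode()).hexdigest()


def build_lookup(words):
    """Precompute hash -> plaintext once. The table works against every unsalted MD5 dump ever leaked."""
    return {md5_hex(w): w for w in words}


def crack_md5(dump, lookup):
    """dump: {username: md5hex}. One dictionary probe per user; no hashing needed at crack time."""
    return {u: lookup[h] for u, h in dump.items() if h in lookup}


# Hardened side: random 16-byte salt per user and a slow KDF.
# Iteration count lowered for a fast demo (assumption); current OWASP guidance
# for PBKDF2-HMAC-SHA256 is 600,000 or more.
def hash_pbkdf2(pw, salt=None, iters=100_000):
    salt = salt or os.urandom(16)
    dk = hashlib.pbkdf2_hmac("sha256", pw.encode(), salt, iters)
    return f"pbkdf2_sha256${iters}${salt.hex()}${dk.hex()}"


def verify_pbkdf2(pw, stored):
    _, iters, salt_hex, dk_hex = stored.split("$")
    dk = hashlib.pbkdf2_hmac("sha256", pw.encode(), bytes.fromhex(salt_hex), int(iters))
    return hmac.compare_digest(dk.hex(), dk_hex)  # constant-time comparison


def crack_pbkdf2(dump, words):
    """Same wordlist, but the salt defeats precomputation: each guess costs a full
    KDF run per user. Returns (cracked, number_of_kdf_runs)."""
    cracked, guesses = {}, 0
    for u, stored in dump.items():
        for w in words:
            guesses += 1
            if verify_pbkdf2(w, stored):
                cracked[u] = w
                break
    return cracked, guesses


MD5_DUMP = {u: md5_hex(p) for u, p in USERS.items()}
PBKDF2_DUMP = {u: hash_pbkdf2(p) for u, p in USERS.items()}


if __name__ == "__main__":
    print("MD5 dump cracked by lookup:", crack_md5(MD5_DUMP, build_lookup(WORDLIST)))
    cracked, runs = crack_pbkdf2(PBKDF2_DUMP, WORDLIST)
    print(f"PBKDF2 dump: same weak passwords fall ({cracked}), but only after {runs} KDF runs")
    print("Two users with the same password, salted:", hash_pbkdf2("password") != hash_pbkdf2("password"))
```

Note what the salt buys and what it does not: the weak passwords still fall, because no hashing scheme rescues "password", but the attacker now pays the full KDF cost per guess per user, and two users with the same password no longer produce an identical, instantly recognisable hash. The only complete fix for the user is a unique password per site, which is exactly what makes the credential-stuffing attacks above fail.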
The most concerning thing about this breach is the demographic of users whose information was leaked: Wishbone is a survey app that enables its users to vote for their favorite social content, from TikTokers to hairstyles—like a digital game of “Would you rather”. As such, it’s largely popular amongst a teenage audience.
The final breach on our list was suffered by social media giant, Twitter. On July 15th, a number of Twitter employees fell victim to a phone spear phishing, or “vishing”, attack, which enabled the attacker to access the company’s internal systems and steal the credentials of further employees with access to Twitter’s account support tools. Using these credentials, the attacker was able to access 130 Twitter accounts, including those of high-profile users such as Elon Musk, Barack Obama, Joe Biden, Bill Gates and Jeff Bezos, and post on these accounts asking for bitcoin transfers to multiple wallets. Through 400 transactions, the hackers managed to steal 121,000 dollars’ worth of bitcoin—#yikes.
In response to the breach, Twitter promised to “further secure” their systems and implement “additional companywide training” and “ongoing phishing exercises” throughout the year to safeguard against future attacks.
As highlighted by these examples, password-related attacks can have disastrous consequences, not only for your organization directly but also for the customers that are trusting you to keep their data safe.
One of the best ways to protect your organization against password hacks is by implementing a password manager. Password management solutions, according to Craig Lurey, CTO and Co-Founder of Keeper Security, “give IT and security administrators complete visibility into employee password practices and the ability to enforce password security policies organization-wide, such as using strong, unique passwords for every account and enabling multi-factor authentication on all accounts that support it.”
But technical controls alone aren't always enough to stop the most sophisticated attacks, particularly if not all of your employees are using the solution properly. For this reason, as well as using a password manager, we recommend that you train your employees on how to recognize and respond to phishing attacks by implementing an engaging security awareness training solution.
There are a number of password managers out there that help prevent you from falling victim to a big bad breach, but it can be difficult to work out which one best meets your business need. To help you make this decision, we’ve put together a guide to the top password management solutions for business.