User credentials are the keys to your organization’s data kingdom, and it’s crucial that you keep those keys safe. That means not only educating users on good password practices, but enforcing them organization-wide. Failure to do this leaves your doors unlocked for bad actors who are trying to access your corporate data via an account compromise attack.
Unfortunately, a lot of us are pretty bad at keeping our corporate credentials safe; last year, over 61% of data breaches involved the use of brute force or compromised credentials. To protect yourself from credential-related breaches, you need to understand why they happen and how they work.
We’ve put together a list of some of the most significant password breaches and hacks of the last year, along with recommendations on how to prevent something similar happening to your organization.
This list includes:
- Ticketmaster, January 2021
- DailyQuiz, January 2021
- SolarWinds, February 2021
- Microsoft, March 2021
- Verkada, March 2021
- New York City Law Department, June 2021
- GoDaddy, November 2021
Ticketmaster, January 2021
At the very beginning of 2021, Ticketmaster pleaded guilty to a charge of repeatedly and illegally accessing competitors’ computers.
Ticketmaster admitted that an employee who previously worked for a rival company handed over to Ticketmaster executives confidential internal documents that he’d kept from his former employer, as well as the login credentials for multiple corporate accounts that the rival company used to manage ticket presales. The employee even demonstrated—at a division-wide summit attended by other Ticketmaster employees—how to hack into an account at the rival company using the stolen credentials.
In a statement, Acting U.S. Attorney DuCharme said, “Ticketmaster employees repeatedly—and illegally—accessed a competitor’s computers without authorization using stolen passwords to unlawfully collect business intelligence.”
Ticketmaster was charged with violations of the Computer Fraud and Abuse Act, computer intrusion for commercial advantage or private financial gain, computer intrusion in furtherance of fraud, wire fraud conspiracy, and wire fraud. As part of a deferred prosecution agreement, the ticket sales company had to pay a $10 million fine to resolve these charges.
Unfortunately, attacks like this aren’t all that unusual. Because of this, it’s important that organizations encourage their users to regularly rotate their login credentials, either enforcing it via a password policy or by implementing a privileged access management (PAM) solution. PAM solutions auto-rotate the credentials of high-tier business accounts, so that anyone holding stale credentials, such as a former employee, can no longer use them to log in.
DailyQuiz, January 2021
Ticketmaster wasn’t the only company to make cyber headlines early last year. In January, quiz website DailyQuiz (formerly ThisCrush) suffered a breach that gave hackers access to a database of almost 13 million accounts. The attackers stole the plaintext passwords, email addresses and IP addresses of 8.3 million users and put them up for sale on the Dark Web; after changing hands between different data brokers, the data eventually made its way into the public domain in May.
Storing sensitive user details in plaintext is a mistake that too many organizations make. No database is fully secure and, if a hacker does manage to tap into your database, encrypting the data stored there will render it indecipherable—and unusable—to them.
SolarWinds, February 2021
In February, U.S. government agencies were compromised in a series of nation state attacks as a result of a supply chain attack involving software from SolarWinds. Hackers exploited a vulnerability in the cybersecurity provider’s network monitoring software, allowing them to move laterally into the networks of companies that were using that software and gain access to their email communications.
While it hasn’t been confirmed, current and former SolarWinds employees report that the root cause of the supply chain attack was a weak password: an intern had been using the password “solarwinds123”, and that password was publicly accessible via a misconfigured GitHub repository.
You might think it an anomaly for a user to choose such a simple password but, unfortunately, poor password practices run rampant among many organizations. “123456”, “qwerty” and “password” continue to consistently top lists of the most commonly used passwords—and when those passwords are reused across multiple accounts, it makes it all the easier for an attacker to gain access to sensitive corporate information.
To encourage users to create stronger passwords, you should enforce a password policy which outlines requirements for password or passphrase length, requires users to change passwords after a compromise, and locks users out after a specified number of failed login attempts. You should also create a password deny list to prevent users from choosing common, weak passwords.
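As an added example (not code from the original article), the controls described in this section and in the DailyQuiz section above, in Python: a policy check with a minimum length and a deny list, a salted scrypt hash stored in place of the plaintext password, and a lockout after repeated failed logins. The minimum length of 12 and the lockout threshold of 5 are assumed values, and the deny list is a constructed sample seeded with the passwords named on this page.

```python
import hashlib
import hmac
import os

# Constructed deny list seeded with the passwords named in the article;
# a real deployment loads a much larger list of known-weak passwords.
DENY_LIST = {"123456", "qwerty", "password", "solarwinds123"}
MIN_LENGTH = 12          # assumed minimum; the article fixes no number
MAX_FAILED_ATTEMPTS = 5  # assumed lockout threshold

def check_policy(password: str) -> list:
    """Return the policy violations for a candidate password (empty list = accepted)."""
    problems = []
    if len(password) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    if password.lower() in DENY_LIST:
        problems.append("on the deny list of common passwords")
    return problems

def hash_password(password: str) -> bytes:
    """Salted, deliberately slow scrypt hash; only this, never the plaintext, is stored."""
    salt = os.urandom(16)
    digest = hashlib.scrypt(password.encode(), salt=salt, n=2**14, r=8, p=1)
    return salt + digest

def verify_password(password: str, stored: bytes) -> bool:
    """Recompute the hash with the stored salt and compare in constant time."""
    salt, digest = stored[:16], stored[16:]
    candidate = hashlib.scrypt(password.encode(), salt=salt, n=2**14, r=8, p=1)
    return hmac.compare_digest(candidate, digest)

class Account:
    """Minimal account record: policy-checked at creation, locked after repeated failures."""
    def __init__(self, password: str):
        problems = check_policy(password)
        if problems:
            raise ValueError("; ".join(problems))
        self.stored = hash_password(password)
        self.failed = 0
        self.locked = False

    def login(self, password: str) -> bool:
        if self.locked:
            return False
        if verify_password(password, self.stored):
            self.failed = 0  # a successful login resets the counter
            return True
        self.failed += 1
        if self.failed >= MAX_FAILED_ATTEMPTS:
            self.locked = True
        return False
```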
Microsoft, March 2021
As winter turned to spring, reports of credential-related cybercrime continued to make headlines. On March 2nd, Microsoft stated that it had suffered a cyberattack at the hands of Chinese hacking group Hafnium. The attack targeted hundreds of thousands of on-premises servers across the United States that were running Microsoft’s Exchange email software, and affected local governments and government agencies as well as businesses, exposing the email communications of each affected organization.
Hafnium gained access to the on-prem servers in two ways: via an undisclosed Exchange vulnerability, and by using stolen passwords. Once inside, Hafnium deployed web shells on the compromised servers and used them to steal email data remotely.
In response to the attack, Microsoft released patches for the exploited vulnerabilities, but organizations running Exchange still need to take steps to deploy those patches. We also recommend that affected organizations encourage users to rotate their login credentials, and implement multi-factor authentication (MFA) to ensure that an attacker cannot access a user’s company accounts, even if they manage to steal that user’s password.
Verkada, March 2021
Shortly after the reports of the Microsoft Exchange breach, security company Verkada fell victim to a cyberattack that resulted in hackers gaining access to customer data—including over 5,000 security cameras, giving them inside views of hospitals, jails, schools, Equinox gyms and Tesla factories and warehouses. Eight of those customers had Access Control product data breached, such as badge credentials, and a separate eight had their WiFi credentials breached.
The hacking collective breached Verkada’s systems using an admin password leaked online in a misconfigured customer support server. While they accessed customer cameras and Verkada’s sales orders, the hackers were unable to break into Verkada’s internal systems.
Verkada cut off the hackers’ access within two hours of discovering the breach, and notified their customers within six hours.
Once again, it’s critical that databases containing sensitive information are correctly configured and that the data they hold is encrypted to help prevent hackers from accessing that data. And to ensure that cybercriminals can’t use any credentials they do get their hands on, you should consider implementing multi-factor authentication or a privileged access management solution that regularly auto-rotates credentials.
New York City Law Department, June 2021
In June, New York City’s Law Department fell victim to a cyberattack that granted attackers access to sensitive information including the personal data of thousands of city employees, evidence of police misconduct, medical records for plaintiffs, and the identities of children charged with serious crimes. And all that data was compromised using a single employee’s stolen email account password.
Attorneys from the NYC Law Department were unable to remotely access electronic files for weeks after the incident, causing major delays in many cases as attorneys were unable to prepare depositions, answer complaints or submit briefs.
The Department faced wide criticism following the breach as, had they complied with an April 2019 directive by New York’s Cyber Command that all agencies implement multi-factor authentication, it may never have occurred.
In a statement, City Hall spokeswoman Feyer described the “lack of compliance with city IT standards” as “unacceptable.”
Since then, MFA has been rolled out amongst all Law Department employees.
GoDaddy, November 2021
The final breach on our list was suffered by hosting company GoDaddy. In November, GoDaddy reported a security breach that compromised the accounts of more than a million of its WordPress customers. The attacker gained unauthorized access to GoDaddy’s Managed WordPress hosting environment using a compromised password to hack into the provisioning system in the company’s legacy code for Managed WordPress.
The breach exposed the email addresses and customer numbers of 1.2 million customers, as well as some customers’ SSL private keys and the original WordPress Admin passwords set at the time of provisioning. GoDaddy has since reset these passwords and the affected SSL certificates.
The cybercriminal had access to GoDaddy’s systems for over two months before they were detected and their access blocked.
While it’s important to implement measures to help prevent a breach from occurring in the first place, it’s likely that your organization will experience such an incident at some point, no matter how strong your security protocols are. After all, it only takes one user to click on a phishing link for an attacker to be able to access all of your company’s systems. So, it’s vital that you create a strong incident response plan—and regularly drill your plan—to help minimize the damage an attacker can do when they do infiltrate your systems.
To help you put this plan together, check out our guide on how to respond to a data breach.
Have Your Credentials Been Breached?
If you use any of the services listed above, we recommend that you check whether any of your credentials—or your organization’s credentials—have been compromised using a tool like haveibeenpwned.com. If they have, change those passwords immediately to mitigate the threats of account takeover and data loss. You should carry out a check like this regularly to mitigate the risk of using stagnant credentials, which enable hackers to carry out repeat attacks and cause more damage by logging into an account more than once.
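An added example, not from the original article, of the kind of check described above, implemented against the Pwned Passwords range API that haveibeenpwned.com publishes: only the first five characters of the password’s SHA-1 hash leave the machine, and the match against the returned suffixes happens locally. The range response embedded below is constructed so the code runs offline; fetch_range performs the live lookup, and the RANGE_URL endpoint is the real one.

```python
import hashlib
import urllib.request

RANGE_URL = "https://api.pwnedpasswords.com/range/"  # real Pwned Passwords endpoint

# Constructed sample of what the API returns for prefix 5BAA6 (the SHA-1 prefix of
# "password"); the counts are made up for this example, not real breach figures.
CONSTRUCTED_RANGE_5BAA6 = """
1E4C9B93F3F0682250B6CF8331B7EE68FD8:12345
0123456789ABCDEF0123456789ABCDEF012:2
"""

def split_hash(password: str):
    """SHA-1 the password; return the 5-char prefix to send and the 35-char suffix kept local."""
    sha1 = hashlib.sha1(password.encode("utf-8")).hexdigest().upper()
    return sha1[:5], sha1[5:]

def count_in_range(suffix: str, range_body: str) -> int:
    """Parse 'SUFFIX:COUNT' lines and return how often our suffix appears (0 = not seen)."""
    for line in range_body.splitlines():
        line = line.strip()
        if not line:
            continue
        found_suffix, _, count = line.partition(":")
        if found_suffix.upper() == suffix:
            return int(count)
    return 0

def fetch_range(prefix: str) -> str:
    """Live lookup: the API receives only the hash prefix, never the password or full hash."""
    req = urllib.request.Request(RANGE_URL + prefix,
                                 headers={"User-Agent": "password-check-example"})
    with urllib.request.urlopen(req, timeout=10) as resp:
        return resp.read().decode("utf-8")

def pwned_count(password: str, fetch=fetch_range) -> int:
    """Number of times the password appears in the breach corpus; 0 means not found."""
    prefix, suffix = split_hash(password)
    return count_in_range(suffix, fetch(prefix))

if __name__ == "__main__":
    # Offline demonstration using the constructed response above.
    print(pwned_count("password", fetch=lambda prefix: CONSTRUCTED_RANGE_5BAA6))
```

Replace the lambda with the default fetch_range to query the live service; a non-zero count means the password should be changed everywhere it is used.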
How To Stop Password Breaches
As highlighted by these examples, password breaches and other credential-related attacks can have disastrous consequences, not only for your organization directly but also for the customers that are trusting you to keep their data safe.
One of the best ways to protect your organization against password hacks is by implementing multi-factor authentication (MFA), which requires users to verify their identities in two or more ways before being granted access to an application or system. This means that an attacker can’t access your users’ accounts by correctly guessing or stealing their passwords, as they won’t be able to bypass the other factors of authentication.
In addition to this, we recommend that organizations invest in a business password manager. Password managers store all of a user’s login credentials in a secure, encrypted vault that they can access only by entering their unique decryption key, or “master password”. Because they don’t have to remember all their passwords, users are encouraged to create stronger passwords. These solutions give admins greater visibility into employee password practices, and also enable them to enforce MFA across all corporate accounts by requiring users to sign into their vault via MFA on top of their master password.
But technical controls alone aren’t always enough to stop the most sophisticated attacks, particularly if not all of your employees are using the solution properly. For this reason, we also recommend that you train your employees on how to recognize and respond to phishing attacks by implementing an engaging security awareness training solution.
There are a number of products out there to help prevent your organization from falling victim to a password breach, but it can be difficult to work out which one best meets your business needs. To help you make this decision, we’ve put together guides to the best solutions on the market: