Expert comment: What the Collection #2-5 data dump means for credential abuse
Last week the second major data dump in two weeks hit the dark web, comprising 2.2 billion unique usernames and passwords.
The dump, dubbed Collection #2-5, contained 845GB of data and more than 25 billion records in total, of which roughly 2.2 billion were unique username and password pairs.
Users can go to the Hasso Plattner Info Leak Checker to see if their email details and credentials have been compromised in the latest data dump.
Here is what security experts and executives had to say about the data leak, its implications for phishing and credential stuffing, and how drastically password hygiene needs to improve moving forward.
LastPass CTO Sandor Palfy
The colossal volume of data leaked in the Collection #2-5 data dump makes Collection #1 now seem a drop in the ocean by comparison.
These data dumps highlight the critical need for good password practices.
Weak, reused and compromised passwords are frequently the cause behind many breaches, yet people continue to display risky password behaviour.
Our recent Psychology of Passwords survey revealed that 91% knew that using the same password for multiple accounts is a security risk, but 59% admitted that they continued to do so.
If longer and more complex passwords are used, then they become harder to crack.
It’s crucial that people create a unique, strong password that hasn’t been used on other online accounts, for every online account they have.
If you use the same password for multiple sites, and one site is breached and your password is cracked, attackers will go after your other accounts, more important accounts, likely even before you learn about the breach.
Even if a password is brute-forced, the damage is less if it’s unique, as the impact will be limited to that account alone.
It’s also worth turning on two-factor authentication where possible as this adds an additional layer of protection that will ensure an attacker won’t be able to access an account even if they do obtain the password.
The extensive impact of weak and reused passwords can no longer be ignored and these data leaks should serve as a wake-up call to all of us – businesses and consumers alike.
Terry Ray, senior vice president and Imperva fellow
This collection of credentials gives cybercriminals the ammo needed to attempt credential stuffing, password guessing and other iterative processes at account takeover, which is essentially giving cyber attackers a key to your front door.
Armed with the recent and past credentials, hackers could access consumers’ data, troll social media platforms to spread propaganda, cash in on hard-earned airline miles, sell contact data to spammers and even access bank accounts.
To make matters worse, if consumers reused passwords at work, hackers would break into enterprise infrastructures to steal corporate data, costing businesses millions in damages if that data were to get into the wrong hands.
This is why it is critical that consumers never reuse passwords across different accounts they hold, but also change these passwords consistently and set up dual-factor authentication to better protect themselves.
Businesses should be extra vigilant over the next few weeks as these credentials make their rounds through the dark channels.
Post credential leak, account takeover attempts have historically spiked immediately following incidents like this.
Successful logins using these credentials are difficult to identify, though technology does exist to assist IT security teams.
Most teams assume that they won’t be able to prevent every attempt and instead focus their security around their most critical data assets, by monitoring all activity to those resources and flagging or preventing unusual access internally.
This changes the threat from one of identifying the wrong person using the right credentials to a threat of the right credential doing very unusual things, which is easier to detect and differentiate from previously modelled behaviour.
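The two detection steps Ray describes, spotting the stuffing burst itself and then looking for valid credentials behaving unusually, can be run directly over authentication logs. The following is an added illustration, not code from the article or from Imperva: the log format, the sample lines, the five-minute window, the thresholds and the per-user "known sources" baseline are all constructed assumptions. A source that tries many distinct accounts with mostly failures inside one window is treated as a credential-stuffing source; a successful login is then flagged if it comes from such a source, or from an address the account has never used before (the "right credential doing very unusual things" case).

```python
from __future__ import annotations

from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timezone

# Constructed sample authentication log (not from any real system).
# 203.0.113.7 replays a leaked list against six accounts; bob's reused
# password works, and the attacker later returns from 203.0.113.9.
SAMPLE_LOG = """\
2019-02-01T09:55:00Z ip=198.51.100.10 user=alice result=OK
2019-02-01T09:56:00Z ip=198.51.100.22 user=carol result=OK
2019-02-01T10:00:01Z ip=203.0.113.7 user=alice result=FAIL
2019-02-01T10:00:02Z ip=203.0.113.7 user=bob result=OK
2019-02-01T10:00:03Z ip=203.0.113.7 user=carol result=FAIL
2019-02-01T10:00:04Z ip=203.0.113.7 user=dave result=FAIL
2019-02-01T10:00:05Z ip=203.0.113.7 user=erin result=FAIL
2019-02-01T10:00:06Z ip=203.0.113.7 user=frank result=FAIL
2019-02-01T10:02:00Z ip=198.51.100.10 user=alice result=FAIL
2019-02-01T10:02:10Z ip=198.51.100.10 user=alice result=OK
2019-02-01T10:30:00Z ip=203.0.113.9 user=bob result=OK
"""

# Constructed baseline: addresses each account has logged in from before.
KNOWN_SOURCES = {
    "alice": {"198.51.100.10"},
    "bob": {"198.51.100.31"},
    "carol": {"198.51.100.22"},
}


@dataclass(frozen=True)
class AuthEvent:
    ts: datetime
    ip: str
    user: str
    ok: bool


def parse_line(line: str) -> AuthEvent:
    """Parse one 'TS ip=... user=... result=OK|FAIL' line (assumed format)."""
    ts_text, *fields = line.split()
    kv = dict(f.split("=", 1) for f in fields)
    ts = datetime.strptime(ts_text, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    return AuthEvent(ts, kv["ip"], kv["user"], kv["result"] == "OK")


def parse_log(text: str) -> list[AuthEvent]:
    return [parse_line(line) for line in text.splitlines() if line.strip()]


def find_stuffing_sources(events, window_s=300, min_users=5, min_fail_ratio=0.8):
    """Return {ip: (distinct_users, fails, total)} for sources that, inside one
    fixed window, tried at least min_users distinct accounts with a failure
    ratio at or above min_fail_ratio. Many accounts plus mostly failures is the
    signature of a list being replayed; one user mistyping hits one account."""
    buckets: dict[tuple[str, int], list[AuthEvent]] = defaultdict(list)
    for e in events:
        buckets[(e.ip, int(e.ts.timestamp()) // window_s)].append(e)
    flagged = {}
    for (ip, _), evs in buckets.items():
        users = {e.user for e in evs}
        fails = sum(1 for e in evs if not e.ok)
        if len(users) >= min_users and fails / len(evs) >= min_fail_ratio:
            flagged[ip] = (len(users), fails, len(evs))
    return flagged


def find_suspicious_successes(events, flagged_ips, known_sources):
    """Successful logins worth a second look: from a stuffing source, or from an
    address this account has never used (known_sources = {user: {ip, ...}})."""
    hits = []
    for e in events:
        if not e.ok:
            continue
        if e.ip in flagged_ips:
            hits.append((e.user, e.ip, "success from credential-stuffing source"))
        elif e.ip not in known_sources.get(e.user, set()):
            hits.append((e.user, e.ip, "success from source never seen for this user"))
    return hits


def analyse(text, known_sources):
    """Run both checks over a log text; returns (flagged_sources, suspicious_successes)."""
    events = parse_log(text)
    flagged = find_stuffing_sources(events)
    return flagged, find_suspicious_successes(events, flagged, known_sources)


if __name__ == "__main__":
    flagged, hits = analyse(SAMPLE_LOG, KNOWN_SOURCES)
    for ip, (users, fails, total) in flagged.items():
        print(f"stuffing source {ip}: {users} accounts, {fails}/{total} failures")
    for user, ip, reason in hits:
        print(f"investigate {user} from {ip}: {reason}")
```

Note that alice's own mistyped password from her usual address is not flagged by either check, while bob's second login from a never-seen address is caught even though that address never tripped the burst threshold; the second check is what catches an attacker who validates credentials from one source and then uses them from another.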
SailPoint CMO Juliette Rizkallah
The latest mega breach of billions of records is a hard-learned lesson that good password hygiene is paramount, and more needs to be done to ensure proper password management.
80% of SailPoint Market Pulse Survey’s Australian respondents admitted to reusing passwords across accounts, both work and personal.
This is a needless risk as we continue to learn that the impact of old breaches lingers and newer threats like credential stuffing give hackers a new way to take advantage of users who don’t follow password best practices.
While people cannot protect data that has already been compromised, they can certainly take steps now to protect their sensitive information from being affected again.
Select longer and more complex passwords and add special and mixed case characters.
Be unique and never use the same password across different websites.
Finally, just watch the road. Always be aware of where you are on the Internet and take specific note of anything and anybody that asks you to ‘login’ or provide any ‘secrets’ or personal information.
Digital Guardian cybersecurity vice president Tim Bandos
In situations like this, the practice of good password hygiene becomes critical otherwise you’re putting sensitive accounts and credentials at risk.
We know that in addition to credit cards, email addresses and PII, password credentials are highly sought-after by cybercriminals – so use a different password for each of your online accounts.
Consider using a password manager.
There are a number of easy-to-use password apps out there, many of which are free.
Make sure your passwords are unique and complex to ensure that hackers cannot guess them. If you’re notified that your account has been compromised, change your password immediately.
Lastly, where possible, enable multi-factor authentication.
Popular websites like Facebook, Gmail and Skype all offer this service.
Rich Campagna, CMO, Bitglass
Acquiring credentials to access sensitive data is increasingly easy and incredibly lucrative for today's hackers, and allowing the exposure of 2.2 billion records to the public internet is a significant offense by the organisation.
Leaked credentials leave individuals vulnerable to account hijacking across all services where they recycle their usernames and passwords.
Unfortunately, this includes the corporate accounts they use for work purposes, meaning that their employers are also put at risk.
Enterprises must follow best practices in authenticating users, starting with a proactive approach to identifying suspicious logins.
Security technologies like data loss prevention (DLP), multi-factor authentication (MFA), and data encryption are much more effective than basic password protection.
OneSpan innovation centre chief security architect Steven Murdoch
This password leak shows that large quantities of stolen passwords are readily available to anyone, regardless of how low their budget is.
However, data from recent breaches will be considerably more expensive to obtain.
Companies should recognise the limitations of password authentication and are in the best position to mitigate the weaknesses. They should implement additional measures, such as the detection of suspicious behaviour.
Two-factor authentication, or even better, FIDO/U2F, should be offered to customers. Customers can also help by not re-using passwords across multiple sites and using a password manager if needed.
The website TwoFactorAuth.org gives instructions on how to enable two-factor authentication on many popular sites, as enabling 2FA, and preferably FIDO/U2F, will significantly help to improve their security.