MySpace, Tumblr, and LinkedIn are all currently grabbing headlines for data breaches that happened years ago and have only now come to light:
- 167 million LinkedIn IDs are only now being traded online, despite the breach occurring in 2012. LinkedIn reported the breach in 2012, but the current online trading of that information has revealed the extent of the breach. Many of the passwords were cracked within hours. LinkedIn responded by invalidating all at-risk passwords.
- On May 12, Tumblr revealed that a 2013 data breach affected a “set” of user email addresses and passwords. An independent analysis found that over 65 million users were affected, with the data set being sold online (and the passwords possibly stored with inadequate protection).
- A 2013 hack at MySpace breached over 360 million accounts, including email addresses and multiple passwords. The actual number of passwords breached is 427 million. Many passwords have already been cracked.
These three are not the only ones coming to light: another breach, from 2011 at Fling, affected 40 million records. Taken together, these breaches from several years ago have exposed more than half a billion passwords in a very short span of time, and they still have the potential to wreak havoc at both the individual and the corporate level.
— Absolute (@absolutecorp) June 15, 2016
Although passwords in many of these cases had some level of protection, it’s clear that the protection was inadequate. Passwords are being cracked quite easily, revealing a huge pool of very common passwords still being chosen (things like 12345 or p@ssword). From a corporate perspective, beyond reminding us of the importance of adequate data storage and protection and of sound password authentication methods, these breaches show the pervasiveness of the insider threat: employees’ password practices, inadvertently or without their knowledge, are putting corporate data at risk.
Let’s be clear: how many of you looked at these major data breaches and forced a password reset within your organization? Password reuse is far more prevalent and worrisome than you think, so when a password is compromised, it’s quite likely it can be used to “unlock” other accounts, whether additional websites or even your corporate network. Even a “strong” password becomes moot if it’s used across multiple sites and one of those sites is compromised. Forced resets on their own can lead to more password reuse (from fatigue), so perhaps consider this a good time to recommend a password manager to all employees (or better yet, supply one).
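The two previous paragraphs raise three practical points: passwords must be stored behind a salted, slow hash rather than a fast unsalted one; very common choices such as 12345 or p@ssword should be rejected at the point of entry; and when a third-party breach surfaces, accounts whose email addresses appear in it should be queued for a forced reset. The Python below is an added example written for this page, not code from Absolute or from any of the breached services. The block list, the directory of users and the breach sample are all constructed inline for illustration; a real deployment would load a large block list and the actual directory, and would tune the iteration count to its hardware.

```python
import hashlib
import hmac
import os
from typing import Dict, Iterable, List, Optional

# Constructed sample block list. The page cites 12345 and p@ssword as typical
# of what turns up in cracked dumps; production would load a list of millions.
COMMON_PASSWORDS = {"12345", "123456", "password", "p@ssword", "qwerty", "linkedin"}

# Work factor for PBKDF2-HMAC-SHA256 (assumed value; raise it as hardware allows).
ITERATIONS = 100_000


def is_blocklisted(password: str) -> bool:
    """True if the password is on the common-password block list (case-insensitive)."""
    return password.lower() in COMMON_PASSWORDS


def unsalted_sha1(password: str) -> str:
    """The weak scheme: one fast, unsalted hash per password.

    Every user who picked the same password gets the same digest, so a single
    dictionary hit reveals all of them at once.
    """
    return hashlib.sha1(password.encode("utf-8")).hexdigest()


def hash_password(password: str, salt: Optional[bytes] = None) -> str:
    """The adequate scheme: per-user random salt plus a deliberately slow KDF.

    Returns a self-describing string so the verifier can recover the parameters.
    """
    if salt is None:
        salt = os.urandom(16)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)
    return f"pbkdf2_sha256${ITERATIONS}${salt.hex()}${dk.hex()}"


def verify_password(password: str, stored: str) -> bool:
    """Recompute the KDF with the stored salt and compare in constant time."""
    _algo, iters, salt_hex, dk_hex = stored.split("$")
    dk = hashlib.pbkdf2_hmac(
        "sha256", password.encode("utf-8"), bytes.fromhex(salt_hex), int(iters)
    )
    return hmac.compare_digest(dk.hex(), dk_hex)


def accounts_to_reset(directory: Dict[str, str], breached_emails: Iterable[str]) -> List[str]:
    """Return the usernames whose email address appears in a published breach.

    directory maps username -> email. Matching is on the normalised address only;
    no password material from the breach is needed or used.
    """
    breached = {e.strip().lower() for e in breached_emails}
    return sorted(user for user, email in directory.items() if email.strip().lower() in breached)


if __name__ == "__main__":
    # Constructed corporate directory and a constructed excerpt of a breach dump.
    directory = {
        "alice": "alice@example.com",
        "bob": "bob@example.com",
        "carol": "carol@example.com",
    }
    breach_sample = ["BOB@example.com", "someone-else@example.net", " carol@example.com "]

    print("reset queue:", accounts_to_reset(directory, breach_sample))
    print("unsalted collide:", unsalted_sha1("p@ssword") == unsalted_sha1("p@ssword"))
    print("salted differ:", hash_password("p@ssword") != hash_password("p@ssword"))
    print("blocklisted:", is_blocklisted("P@ssword"))
```

The `accounts_to_reset` step is the one most organisations skip: matching a breach's email list against the directory needs nothing but addresses, and it turns "did this affect us?" into a concrete list of users to reset, which is also a good moment to roll out the password manager the paragraph recommends.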
The insider threat is frightening because an outsider using insider credentials has the potential to do significant damage to your business. The average cost of a data breach has been on the rise for many years, but now organizations are facing heavier compliance fines, years of oversight from regulatory bodies, class action lawsuits, and personal liability.
The insider threat comes in all shapes and sizes, which is why successful detection relies on your ability to identify the threat. Absolute Data & Device Security (DDS) helps you identify potential security threats and respond rapidly before they become damaging security incidents. Learn more at Absolute.com