No Password Equals No Protection

Cupid Media stored over 42 million user passwords in plaintext. The attackers who targeted their database must have been very happy to have found this trove.

The parent company of New York Sports Clubs made a similar security lapse. No password was set on their unprotected server, which meant that personal customer records and financial records were up for grabs for anyone smelling blood.

New York University left a backup drive unprotected that carried information on a confidential encryption-breaking program that had some military/intelligence backing.

Apparently, flawed security settings were put in place during the initial setup. Regardless of the reasons for this poor password management, it is shocking that an international organization of such magnitude did not have recourse to a password vault or two-factor authentication.

Weak Password Protection

A 2018 Verizon study established the correlation between weak, default or stolen passwords and data breaches: 81% of the breaches examined involved such passwords.

Australian government officials apparently neglected their duty to use strong credentials when accessing information assets in government agencies. They used generic logins (e.g., “abcd1234”) and passwords (like “password123”) instead.

According to a report published by the Seattle-based security specialist WatchGuard, half of all passwords associated with .GOV and .MIL email addresses were so weak – “123456,” “password,” “linkedin,” “sunshine,” and “12345678”, to mention a few – that they were cracked within two days.

In the Ashley Madison data breach, credentials of government and military employees were exposed again, but for entirely different reasons. Passwords and usernames of a total of 32 million users were compromised. Besides leaked credit card and payment details, the Ashley Madison case also exposed real names, real addresses and phone numbers. Read more about this interesting case in “Ashley Madison Revisited: Legal, Business and Security Repercussions.”

412.2 million accounts of members of the dating platform Adult Friend Finder were collected by attackers in October 2016. Because most of the stored passwords were guarded only by the weak SHA-1 hashing algorithm, they were likely cracked before the official news of the incident surfaced on front pages.

In Adobe’s 2013 incident, the security team made three serious mistakes concerning password management:

1) Using the same key to encrypt every password
2) Relying on a flawed encryption method known as ECB mode, which makes equal passwords look exactly the same
3) Not encrypting the password hints

117 million passwords were compromised in 2012 because LinkedIn did not salt its password hashes, i.e., it did not mix random data into each password before hashing, which would have made the hashes far more resilient to reversal.
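The Adobe, Adult Friend Finder and LinkedIn mistakes above share one property: equal passwords produce equal stored values, so an attacker who obtains the database can spot every user who shares a password without cracking anything. The following added example (not code from the article or any of the companies named) demonstrates that on constructed sample accounts with unsalted SHA-1, then shows the same accounts stored with a per-user random salt and an iterated PBKDF2 digest, where identical passwords no longer produce identical records.

```python
import hashlib
import hmac
import os

# Constructed sample accounts; alice and carol deliberately share a password.
USERS = {
    "alice": "password123",
    "bob": "hunter2",
    "carol": "password123",
    "dave": "Tr0ub4dor&3",
}

def sha1_unsalted(password):
    """Legacy storage: plain SHA-1 with no salt and no work factor."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest()

def pbkdf2_salted(password, salt=None, iterations=100_000):
    """Salted, iterated storage. A fresh 16-byte random salt is drawn per user
    (a fixed salt may be passed in for tests) and stored alongside the digest."""
    if salt is None:
        salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return "pbkdf2_sha256$%d$%s$%s" % (iterations, salt.hex(), digest.hex())

def verify_pbkdf2(password, stored):
    """Recompute the digest from the stored salt and iteration count and compare
    in constant time, so verification does not leak timing information."""
    _, iterations, salt_hex, digest_hex = stored.split("$")
    candidate = hashlib.pbkdf2_hmac(
        "sha256", password.encode("utf-8"), bytes.fromhex(salt_hex), int(iterations)
    )
    return hmac.compare_digest(candidate, bytes.fromhex(digest_hex))

def shared_value_groups(stored):
    """Group users whose stored values are byte-for-byte identical. With unsalted
    hashes (or ECB-encrypted passwords) each group reveals a shared password;
    with per-user salts no such groups exist."""
    by_value = {}
    for user, value in stored.items():
        by_value.setdefault(value, set()).add(user)
    return sorted((users for users in by_value.values() if len(users) > 1), key=sorted)

if __name__ == "__main__":
    print("unsalted SHA-1:", shared_value_groups({u: sha1_unsalted(p) for u, p in USERS.items()}))
    print("salted PBKDF2: ", shared_value_groups({u: pbkdf2_salted(p) for u, p in USERS.items()}))
```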

Password Reuse

According to Dodi Glenn, vice president of cyber security at the Iowa security software company PC Pitstop, the biggest problem when a credential leakage occurs is username and password reuse: “With username and password reuse, an individual may use the same e-mail address or username and password on site A that they would use on sites B and C. When site A gets compromised, the hacker uses an underground tool to check other various sites to see if this account login and password combination exists elsewhere.”

Celebgate is a case where some famous users fell prey because of weak passwords, some of which were reused across multiple accounts. Drake, Katy Perry and Lana Del Rey are other celebrities who had their Twitter accounts hacked because they were reusing passwords from other websites and services that had been exposed in the past, such as MySpace and LinkedIn. Although encryption mechanisms were in place, they were evidently not good enough to withstand what the attackers had to offer.

Dropbox admitted that it fell victim to a massive hack that had taken place in 2012 and resulted in the email addresses and hashed passwords of 68,680,741 accounts being stolen. The point of compromise was a Dropbox employee who reused a password that had been harvested in another data breach.

Almost half of U.S. workers use the same passwords for personal and work accounts, and almost 60% of respondents to one survey admitted to using the same password everywhere.

It was made known in May 2018 that a glitch in the Twitter system where all stored passwords resided made user passwords accessible on the internal network. While this is not tantamount to a breach or misuse of data, it can be seen as mismanagement of password information.

“A chain is only as strong as its weakest link” – you have heard that before, right? Unfortunately, even if security is a top priority for your company, the third parties you work with may not have the same attitude. Something along these lines happened in the 2013 Target data breach: a third-party vendor’s login credentials were sniffed out by a Trojan hiding in the vendor’s IT infrastructure. As a side note, Home Depot was compromised in an almost identical way.

That did not exonerate Target itself from responsibility: it should have “at least mandate[d] two-factor authentication to contractors who have internal access to sensitive information,” suggested Chris Poulin, a research strategist for IBM.

The Aadhaar number, a unique 12-digit ID that almost every Indian citizen has, is more or less the equivalent of the Social Security Number in the United States, as a lot of personal data – name, address and biometrics, for example – is stored in a government database. There is a portal on the Aadhaar website that lets anyone holding login credentials into the Aadhaar database. While the portal is intended for government officials for the purpose of correcting inaccurate information, rogue agents have been selling access to it to anyone willing to pay $5-10.

Key Takeaways

Do not expect cases of poor password management to vanish any time soon, because people generally give priority to convenience over security or are downright careless. Obviously, there are some lessons to be learned from each data breach mentioned here:

1) Never reuse a password
2) Change your password, especially if you suspect it may have been exposed
3) Enable two-factor authentication
4) Never completely trust service providers
5) Use proper encryption in the password management process

If companies are not willing to apply these measures in their business, they had better be ready to pay the price.
