If your mobile phone or wallet is stolen, you will probably realise straightaway. Then you’ll take immediate action to cancel credit cards and protect personal information from being compromised.
But the theft of logins and passwords from websites may go unnoticed for some time. And it may take longer still for all affected users to get new credentials, creating a golden opportunity for hackers to use the stolen data for cybercrime.
The Data Breach Investigations Report (DBIR), compiled by US telecommunications company Verizon, found in its 2019 edition that 29% of all breaches involved the use of stolen credentials and that 56% took months or longer to discover.
According to one researcher, an astonishing 2.2 billion usernames and associated passwords freely circulate on hacker forums or can be downloaded as data dumps from torrent sites.
The vast majority are of no apparent value because the breach was discovered, often years ago, and the affected users reset their passwords. So, the logins will no longer work to access the site from which they were originally stolen.
But hackers know that people take the easy route and will often use the same email address and password to access multiple sites. That is a significant problem if employees reuse their corporate network password elsewhere, and worse still if they use their business email address and that same password to sign up for popular consumer websites, which make tempting targets for data thieves.
The most notorious example was the 2016 breach of FriendFinder Networks, which includes Penthouse.com and other adult websites. Some 412m user accounts were reportedly exposed, including names, email addresses and passwords, amassed across FriendFinder's online properties over 20 years.
The same year, Dropbox had to prompt users who had not changed their passwords since 2012 to do so, after credentials for 68m users, stolen in a 2012 breach, surfaced online.
Why do hackers want stolen credentials?
Logging in with stolen credentials takes far less effort than breaking in the hard way, for example by finding and exploiting a vulnerability in the site, and it leaves fewer traces, because to the application it looks like an ordinary login. Using stolen credentials has therefore become the most common hacking technique, according to the DBIR.
If the credentials are for a corporate account, the hackers may be able to reach the corporate mail server and use it to mount phishing attacks. Perhaps surprisingly, the mail server is the asset hackers most often go after once they have a foothold inside a corporate network.
That’s because emails that have apparently been sent by a named user in a real organisation are much more likely to be opened, particularly if the recipients are coworkers, customers or suppliers.
Once they have compromised a corporate email account, the hackers have a window of opportunity to mount phishing campaigns for as long as the compromise goes undetected and the password unchanged. This could be several months.
If the hackers are lucky, the compromised business email account may belong to a corporate officer or someone with the clearance to authorise payments. That opens the door to endless possibilities to extract funds from the targeted business using a variety of scams.
Business Email Compromise (BEC) scams
The most brazen BEC scam is for the fraudster to pretend to be the CEO and direct an employee in the finance department to transfer funds to an external account.
A more subtle BEC variant is for the fraudster to use the compromised email account to identify legitimate suppliers to the company. They then send an invoice that appears to come from one of those suppliers, with the payment details altered so that the money goes to an account the fraudster controls.
BEC attacks stole around $300m a month from US businesses in 2018, according to the Financial Crimes Enforcement Network, a US government body.
These scams work so well because they rely on social engineering. The user receiving the email will usually know the person who is purportedly sending the request for payment, and is therefore much less likely to question the transaction.
Have I been hacked?
There are several websites, including Have I Been Pwned (haveibeenpwned.com) and the Hasso Plattner Institute's Identity Leak Checker, which can tell you whether your email address and/or password has appeared in a known data breach. Have I Been Pwned's password check (Pwned Passwords) is designed so that you never send it the password itself: the lookup uses only the first five characters of the password's SHA-1 hash, and the matching against the returned candidates is done on your side. But be prepared for the bad news!
Many popular web services including LinkedIn, Tumblr and ShareThis have suffered data breaches over the years. And if you have had your email address for a long time and are in the habit of using it to access different online services, the chances that it has been stolen multiply.
It’s not just email addresses that are compromised, as names and passwords could also have been exposed, which is more serious.
If your email address is flagged as having been compromised, don't panic. You do not need to change email address unless you suspect that the email account itself has been hacked. But you should change the password for the email account, turn on two-factor authentication for it, and change the password for every other account that uses this email address, making sure each one gets a unique password.
Reduce the risks of leaked credentials
There are a number of important steps an organisation should take to reduce the risk and impact of leaked credentials:
- Forced password changes: requiring users to change their passwords limits the period for which a leaked password remains useful. Note that current guidance from NIST (SP 800-63B) and the UK's NCSC advises against routine expiry on its own, because it pushes users towards predictable variations of the old password; the more effective form of this control is to screen new passwords against lists of known-breached passwords and to force a change as soon as a compromise is detected.
- Two-factor authentication: by requiring users to log in with a second factor, such as a biometric or a one-time password (OTP) generated by a hardware token or authenticator app, a password on its own becomes useless to an attacker. Where possible, prefer phishing-resistant methods such as hardware security keys over codes sent by SMS, which can be intercepted or obtained by SIM swapping.
- Implement the principle of least privilege: every employee should have access only to the applications and data they need for their specific role. Furthermore, no individual should hold too much responsibility, e.g. being able to raise, approve and pay a purchase request. Limiting user access and segregating duties greatly limits the damage hackers can do with a stolen credential, and makes the BEC invoice fraud described above harder to pull off because a single compromised account cannot complete a payment on its own.
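The one-time-password second factor mentioned in the list above is usually TOTP, the time-based code that authenticator apps and most hardware tokens produce. The following is an added example of how the code is generated and, more importantly, how a server should verify it; it is not code from the page or from any particular product. It implements HOTP (RFC 4226) and TOTP (RFC 6238) directly on top of the standard library and uses the RFC reference secret `12345678901234567890` so that the results can be checked against the published test vectors; the verification function's `window` and `last_used` parameters are this example's own design for tolerating clock drift and refusing replayed codes.

```python
import hashlib
import hmac
import struct
import time
from typing import Optional

# RFC 4226 / RFC 6238 reference secret (ASCII "12345678901234567890"). Real
# deployments use a random per-user secret shared once via the enrolment QR code.
RFC_TEST_SECRET = b"12345678901234567890"


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """HOTP (RFC 4226): HMAC-SHA1 over the 8-byte big-endian counter, dynamic
    truncation to a 31-bit integer, then reduce modulo 10^digits and zero-pad."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = (
        (mac[offset] & 0x7F) << 24
        | mac[offset + 1] << 16
        | mac[offset + 2] << 8
        | mac[offset + 3]
    ) % (10 ** digits)
    return str(code).zfill(digits)


def totp(secret: bytes, for_time: Optional[float] = None,
         step: int = 30, digits: int = 6) -> str:
    """TOTP (RFC 6238): HOTP with the counter derived from Unix time // step."""
    if for_time is None:
        for_time = time.time()
    return hotp(secret, int(for_time // step), digits)


def verify_totp(secret: bytes, submitted: str, for_time: Optional[float] = None,
                window: int = 1, step: int = 30, digits: int = 6,
                last_used: int = -1) -> Optional[int]:
    """Server-side check. Accepts a code for the current time step or up to
    `window` steps either side (clock drift), compares in constant time, and
    refuses any step at or before `last_used` so that a code intercepted by a
    phishing page cannot be replayed. Returns the accepted counter (persist it
    as the user's new last_used) or None on rejection."""
    if for_time is None:
        for_time = time.time()
    if len(submitted) != digits or not submitted.isdigit():
        return None
    current = int(for_time // step)
    for drift in range(-window, window + 1):
        counter = current + drift
        if counter <= last_used:
            continue
        if hmac.compare_digest(hotp(secret, counter, digits), submitted):
            return counter
    return None


if __name__ == "__main__":
    now = time.time()
    code = totp(RFC_TEST_SECRET, now)
    print("current code:", code, "-> accepted step:", verify_totp(RFC_TEST_SECRET, code, now))
    # Same code presented again after the step has been recorded as used.
    print("replayed code accepted step:",
          verify_totp(RFC_TEST_SECRET, code, now, last_used=int(now // 30)))
```

Two points matter for the threat described in this article. First, the secret, not the six-digit code, is the credential: a leaked code is worthless after the current 30-second step, which is exactly why a stolen password on its own no longer gets the attacker in. Second, the `last_used` check is what stops a real-time phishing proxy from reusing a code the victim has just typed; without it, a valid code is good for the whole acceptance window, however short.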