Story image

Experts comment on record 772mil-user data breach

21 Jan 2019

Cybersecurity expert and founder of website Have I Been Pwned Troy Hunt broke the news recently that the largest ever database of breached login details have been leaked on the dark web.

Dubbed “Collection #1”, the data set contains emails and passwords with over a billion unique combinations of email addresses and passwords.

In total, the unique email addresses compromised in the data breach came up to over 772 million.

Users can check Hunt’s website, Have I Been Pwned, to see if their email address and associated password have been compromised in the data dump.

The data breach appears to have been retrieved from a collection number of different sources.

McAfee Asia-Pacific chief technology officer Ian Yip says, “This incident is somewhat unsurprising, given the number of attacks we’ve seen hit Australian businesses, employees and everyday people over the last couple of weeks.

“Hundreds of millions of people are still at risk of a multitude of vulnerabilities, which can be exploited by sophisticated cybercriminals who are driven by monetary gain.

"It’s prudent for citizens to act fast and defend themselves. With such a high volume of personal data being discovered, nobody can assume they haven’t themselves fallen victim.

"As an immediate next step, passwords need to be changed. If you have the same password across any account, device or app you need to make every single one unique, strong and never re-use it again. A password manager is a great option if you want to do this quickly.

"Once your password is in the hands of a cybercriminal, they can gain access to personal and even financial information by painting a ‘picture’ of you. This is yet another alarming wake-up call for people who do not place importance on their online privacy, security and data protection. Cyber resilience must remain a high priority goal for organisations and citizens.”

OneSpan security solutions director and security evangelist Will LaSala says, “This is a colossal breach. Those impacted should act fast to change any reused passwords, as the exposed credentials can be used by criminals in credential stuffing attacks to cause maximum damage across multiple other accounts.

“And with criminals trading assets in underground forums, data from this breach could easily be cross-referenced with information lying elsewhere to bypass authentication. For the more high-risk accounts like banking accounts, this poses a very real fraud threat.

“If this doesn’t highlight the need for security reach beyond the password, then not much else will. We should know by now that using a combination of multiple, layered authentication technologies gives companies, and users, the best chance.

“Banks especially should be upgrading their authentication procedures to more intelligent methods to mitigate the fraud risk in the aftermath of attacks such as this. This technology should combine multiple authentication techniques, whether that’s fingerprints, behavioural biometrics or one-time passwords.

Callsign CMO and go-to-market strategy head Sarah Whipp says this case is just another example in a long list of hacks which prove that outdated password is no longer fit for purpose.

“The Collection #1 database is just another nail in the coffin for the traditional password. Not even a ‘strong’ password can keep your data safe if it’s freely available on the dark web.

“While we have come on leaps and bounds in terms of biometric authentication technology which has helped improve the protection of our identities online, the ability to collect sufficient biometric data tends to be quite difficult and consequently, it is also not 100% secure.

Veeam releases v3 of its MS Office backup solution
One of Veeam’s most popular solutions, Backup for Office 365, has been upgraded again with greater speed, security and analytics.
Too many 'critical' vulnerabilities to patch? Tenable opts for a different approach
Tenable is hedging all of its security bets on the power of predictive, as the company announced general available of its Predictive Prioritisation solution within Tenable.io.
Industrial control component vulnerabilities up 30%
Positive Technologies says exploitation of these vulnerabilities could disturb operations by disrupting command transfer between components.
McAfee announces Google Cloud Platform support
McAfee MVISION Cloud now integrates with GCP Cloud SCC to help security professionals gain visibility and control over their cloud resources.
Scammers targeting more countries in sextortion scam - ESET
The attacker in the email claims they have hacked the intended victim's device, and have recorded the person while watching pornographic content.
Cryptojacking and failure to patch still major threats - Ixia
Compromised enterprise networks from unpatched vulnerabilities and bad security hygiene continued to be fertile ground for hackers in 2018.
Princeton study wants to know if you have a smart home - or a spy home
The IoT research team at Princeton University wants to know how your IoT devices send and receive data not only to each other, but also to any other third parties that may be involved.
Organisations not testing incident response plans – IBM Security
Failure to test can leave organisations less prepared to effectively manage the complex processes and coordination that must take place in the wake of an attack.