2019 has been full of high-profile data breaches that have exposed credentials and personal data from millions of people and companies. And while many of these are ‘new releases’ that have stemmed from new cyberattacks, others are ‘compilations’ of records harvested over a far longer period and dumped onto the darknet for threat actors to purchase and exploit.
Breaches by the Billion
The first of these compilations was picked up in January by news media worldwide: the so-called Collection #1 leak, containing approximately 770 million credentials. In February, The Register reported on an equally enormous compendium being offered for sale for $20,000 in bitcoin. It comprised 16 different leaks totalling around 620 million compromised accounts, including Dubsmash, MyFitnessPal and MyHeritage.
A month later we witnessed the Verifications.io data breach, one of the biggest ever, involving around 760 million email addresses and other personal data. It was discovered by a whitehat researcher, though the data may already have been accessed by less scrupulous parties.
More than 2 billion accounts in the first three months of this year… and those are just the ones that made the news. Increase your visibility into the wider threat landscape with threat intelligence and the true scale of the problem becomes apparent.
The Economics of Credential Theft
Every breach of personal credentials has an impact, not just the ‘full credential’ leaks that pair an email address with its password. Full credentials are the more valuable to cybercriminals, particularly when the accounts they unlock have no second authentication factor in place.
However, an email address without a password still represents a considerable risk: it confirms that a real mailbox exists and is (in all probability) still in use by an employee of a given organization. That confirmation makes the individuals affected far more likely to face repeated attempts to steal their passwords or to infect their devices with malware delivered in malicious attachments.
Having ‘only’ email addresses exposed is no small matter for organizations. Each new leak compounds an organization’s risk because it offers attackers fresh opportunities to compromise its systems.
Blueliv gathers darknet-based intelligence, and one of the most striking patterns we see is the premium placed on the ‘freshest’ exposed credentials. Attackers place limited value on stolen credentials that are out of date, which is part of the reason the black-market price for access to the Collection #1 dump fell below $50. Conversely, the most recently compromised credentials are the least likely to have been detected and reset by the affected organization, so they command the highest prices.
Fresh Intelligence is Valuable Intelligence
Freshness counts for the mitigation of risk too. By fresh we mean as close to real time as possible, not weeks or months old. Threat intelligence is not worthy of the name if you cannot reliably act on it; you need the most up-to-date information to head off targeted attacks against your organization.
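Acting on exposed-credential intelligence means answering two questions quickly: which of our users appear in this dump, and how urgently does each one need a reset? The following is an added example, not Blueliv’s code or product, of that triage over a combo list. It normalizes the email:password lines, keeps only addresses under the organization’s own domains, records whether a password was exposed alongside the address (without storing the password itself), and ranks users so that fresh, full-credential exposures are handled first while email-only exposures are still surfaced. The domains, dump contents, dates and freshness window are all constructed for illustration.

```python
"""Triage a leaked credential dump for an organization's own domains.

Added example, not Blueliv's code or product: the check a security team runs
when a new dump surfaces. ORG_DOMAINS, FRESH_DAYS, the dump contents and the
dates below are all constructed for illustration.
"""
from __future__ import annotations

import re
from dataclasses import dataclass, field
from datetime import date

ORG_DOMAINS = {"example.com", "corp.example.com"}   # assumed in-scope domains
FRESH_DAYS = 30                                      # assumed freshness window

# Combo lists usually arrive as "email:password", "email;password" or a bare
# email address. Anything that does not look like that is skipped as noise.
LINE_RE = re.compile(r"^\s*([^\s:;]+@[^\s:;]+)\s*(?:[:;]\s*(.*?))?\s*$")


@dataclass
class Exposure:
    email: str
    hits: int = 0
    password_seen: bool = False      # keep only the fact, never the password itself
    latest: date | None = None
    sources: set[str] = field(default_factory=set)

    def priority(self, today: date) -> int:
        """1 = stale, email-only exposure; 5 = fresh full credentials."""
        score = 1                    # an exposed address alone still matters
        if self.password_seen:
            score += 2
        if self.latest is not None and (today - self.latest).days <= FRESH_DAYS:
            score += 2
        return score


def parse_line(line: str) -> tuple[str, str | None] | None:
    """Return (normalized email, password or None), or None for junk lines."""
    m = LINE_RE.match(line)
    if m is None:
        return None
    email, password = m.group(1).lower(), m.group(2)
    return email, (password or None)


def triage(dumps: dict[str, tuple[date, list[str]]],
           domains: set[str]) -> dict[str, Exposure]:
    """dumps maps a dump name to (date it surfaced, raw lines)."""
    found: dict[str, Exposure] = {}
    for name, (surfaced, lines) in dumps.items():
        for raw in lines:
            parsed = parse_line(raw)
            if parsed is None:
                continue
            email, password = parsed
            if email.rsplit("@", 1)[1] not in domains:
                continue             # somebody else's user; out of scope
            exp = found.setdefault(email, Exposure(email))
            exp.hits += 1
            exp.password_seen = exp.password_seen or password is not None
            exp.sources.add(name)
            if exp.latest is None or surfaced > exp.latest:
                exp.latest = surfaced
    return found


def rank(found: dict[str, Exposure], today: date) -> list[str]:
    """Emails ordered for response: highest priority first, then alphabetically."""
    return [e.email for e in sorted(found.values(),
                                    key=lambda e: (-e.priority(today), e.email))]


# Constructed sample: one old compilation and one recent dump.
SAMPLE_DUMPS = {
    "collection_1": (date(2019, 1, 17), [
        "alice@example.com:Winter2016!",
        "bob@gmail.com:hunter2",               # not our domain
        "Alice@Example.com:Winter2017!",       # same user, different casing
        "erin@example.com",                    # email only, stale
        "garbage line without an address",
    ]),
    "fresh_dump": (date(2019, 3, 28), [
        "carol@corp.example.com",              # email only, fresh
        "dave@corp.example.com;Spring19$",
        "alice@example.com",
    ]),
}
TODAY = date(2019, 4, 10)                        # constructed reference date

if __name__ == "__main__":
    exposures = triage(SAMPLE_DUMPS, ORG_DOMAINS)
    for email in rank(exposures, TODAY):
        e = exposures[email]
        print(f"p{e.priority(TODAY)} {email:26} hits={e.hits} "
              f"password={e.password_seen} latest={e.latest} sources={sorted(e.sources)}")
```

Two design choices reflect the points above: the exposed passwords are discarded as soon as a line is parsed, because a defender only needs to know that a reset is required, and the ranking deliberately never scores an email-only hit at zero, since a confirmed live address is itself a phishing target.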
The prices paid for exposed credentials on the darknet and elsewhere are a fraction of their financial impact on the individuals and organizations concerned. Once news of a company’s breach enters the public domain, user trust erodes, hitting revenues, deterring prospective customers and depressing the share price.
In fact, this year’s data breach-related costs to companies are estimated at $3 trillion, and could reach $5 trillion a year by 2024. Company devaluations are a large part of that total, as illustrated by Yahoo’s sale to Verizon Communications, which was discounted by $350m in 2017 in the wake of the massive breaches Yahoo had disclosed the previous year.
Public Entities Exposed
Outside the corporate world, official public entities have also continued to be targeted in 2019, with major breaches at the Bulgarian National Revenue Agency (NRA) and the Russian FSB (Russia’s federal security agency).
The NRA attack involved data on nearly every working adult in the country, including emails, passwords, electronic certificates, names, addresses and national identification numbers, all exposed online. While fairly low-level on the face of it (i.e. not bank account or card details), this information is more than enough as a starting point for impersonation, identity theft and many kinds of fraud against individuals or organizations.
Little is officially known about the FSB leak, other than that it is apparently the agency’s largest ever data breach, totalling 7.5TB of stolen information. The hack came via one of its contractors and exposed details of surveillance projects, including efforts to deanonymize Tor traffic and a scheme to isolate Russia’s internet from the outside world.
Both go to show that even large organizations dealing in very sensitive data are vulnerable to threats from all quarters.
Ownership and Responsibility
The conclusion from all of this is that a strong password, while important, is not enough: our privacy can be compromised by weak security or misconfigured applications and internal networks at the companies we entrust with our data. Users should be more aware of the data they share with companies, enable two-factor authentication wherever it is available, and use long, random passwords that are not reused across services, so that one leaked password cannot be replayed against another account. Organizations must likewise exercise more caution with the sensitive data they hold about their customers and their own staff.
It is every company’s duty to protect the data it handles by taking the necessary security measures, and to help its customers, users and employees protect themselves against potential threats.
At Blueliv we work to provide the freshest and most comprehensive threat intelligence, so that private data stays private and organizations can minimize the impact of any exposure by mounting a fast, decisive and targeted response.