As news of the DailyMotion breach arrived, IT professionals expressed concerns over password reuse attacks. Around 18 million hashed passwords were stolen along with 85 million user accounts in a breach on the popular video hosting service in late October.
The breach wasn't revealed until earlier this week, when LeakedSource.com, a breach notification site, published the details.
Those 18 million passwords were hashed with bcrypt, a notably strong measure that will make the thieves' attempts to crack those passwords both harder and slower. It will not, however, stop those passwords from being cracked.
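To show why a bcrypt-style work factor makes cracking "harder and slower" without making it impossible, here is an added example (not DailyMotion's or ESET's code). It uses PBKDF2-HMAC-SHA256 from the Python standard library as a stand-in for bcrypt, which has no stdlib implementation; the record format, the per-user salt, the cost parameter and the constant-time comparison are the same ideas bcrypt's `$2b$12$...` strings carry. The `cost`, `ALGORITHM` name and record layout are assumptions of this example.

```python
import base64
import hashlib
import hmac
import os
from typing import Optional

# Added example, not code from the page. PBKDF2-HMAC-SHA256 stands in for
# bcrypt: a per-user salt plus a tunable work factor multiplies the attacker's
# cost per guess, while the defender pays it only once per login attempt.
ALGORITHM = "pbkdf2-sha256"  # assumed label for the stored record


def iterations_for_cost(cost: int) -> int:
    """Map a bcrypt-style cost to an iteration count: each +1 doubles the work."""
    return 2 ** cost


def _b64(raw: bytes) -> str:
    return base64.b64encode(raw).decode("ascii")


def hash_password(password: str, cost: int = 14, salt: Optional[bytes] = None) -> str:
    """Return a self-describing record "algo$cost$salt$digest" (cf. bcrypt's "$2b$12$...")."""
    salt = os.urandom(16) if salt is None else salt
    digest = hashlib.pbkdf2_hmac(
        "sha256", password.encode("utf-8"), salt, iterations_for_cost(cost)
    )
    return "$".join([ALGORITHM, str(cost), _b64(salt), _b64(digest)])


def verify_password(password: str, stored: str) -> bool:
    """Recompute with the stored salt and cost; compare in constant time."""
    try:
        algorithm, cost, salt_b64, digest_b64 = stored.split("$")
    except ValueError:
        return False  # malformed record
    if algorithm != ALGORITHM:
        return False
    salt = base64.b64decode(salt_b64)
    expected = base64.b64decode(digest_b64)
    candidate = hashlib.pbkdf2_hmac(
        "sha256", password.encode("utf-8"), salt, iterations_for_cost(int(cost))
    )
    return hmac.compare_digest(candidate, expected)


def needs_rehash(stored: str, current_cost: int) -> bool:
    """True when a record was made with a lower cost than policy now requires.
    Check this after a successful login and re-hash with the new cost, so the
    work factor can be raised over time as hardware gets faster."""
    return int(stored.split("$")[1]) < current_cost


def attacker_work(cost: int, guesses: int) -> int:
    """Total iterations an offline attacker must compute to try `guesses`
    candidates against one record. The salt rules out precomputed tables, so
    every guess costs the full work factor; raising the cost by one doubles it."""
    return guesses * iterations_for_cost(cost)


if __name__ == "__main__":
    record = hash_password("correct horse battery staple", cost=12)
    print(record)
    print(verify_password("correct horse battery staple", record))  # True
    print(verify_password("password123", record))                    # False
    print(attacker_work(12, 10**6) // attacker_work(5, 10**6))       # 128
```

The point the article makes follows directly from `attacker_work`: the cost only scales the price of each guess, so a weak or reused password is still found quickly once the attacker has the hash; a unique password is what actually makes the work factor pay off.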
It appeared to remind IT security professionals of the fatal mistake made time and time again: password reuse.
Mark James, IT security specialist at ESET, offered some advice to SC: if you had the misfortune of owning one of those breached accounts, you should change your password immediately, and “if you have used that same password on any other site then change those immediately”.
James added: “Without further information about what was or was not stolen we won't know the extent of the damage, but needless to say more data being added to your already overflowing online profile floating around the web is not good for any of us.”
Whether it's executives using the same password for their email as for their Ashley Madison accounts or teenagers using the same login for YouTube and Last.fm, this all too common practice can make one isolated breach become several.
As with all human security weaknesses, there is no silver bullet for this problem. After all, there are no AV solutions for the human brain. So is there a proactive stance that enterprises can take to avoid this kind of human folly?
LeakedSource, for example, holds the breached data too. Breach notification sites could be a great resource in revealing employee mistakes. John Bambenek, threat intelligence manager at Fidelis Cybersecurity, told SC that enterprises should take full advantage, searching “these dumps for matches on their employees – and especially on corporate email addresses – and work with those employees to ensure their corporate account credentials are not identical to the ones used here.”
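The check Bambenek describes can be scripted. The following is an added example (not Fidelis' or LeakedSource's tooling): it scans a dump for accounts registered under the enterprise's own domains, normalises addresses so `Bob.Smith+video@Example.com` matches the directory entry `bob.smith@example.com`, and records only the hash scheme and cost of each leaked hash, not the hash itself, so the output is a contact list for the security team rather than a copy of the dump. The `email,password_hash` column layout, the domain list and the sample records are constructed assumptions.

```python
import csv
import io
import re
from typing import Dict, List, Optional, Set, Tuple

# Added example, not code from the page. Assumed: the enterprise's own domains.
CORPORATE_DOMAINS: Set[str] = {"example.com", "corp.example.com"}

# Constructed sample dump in "email,password_hash" form; made-up records,
# not real DailyMotion data.
SAMPLE_DUMP = """\
email,password_hash
alice@example.com,$2a$10$abcdefghijklmnopqrstuv
Bob.Smith+video@Example.com,$2y$12$wxyzabcdefghijklmnopqr
carol@gmail.com,$2a$10$stuvwxyzabcdefghijklmn
dave@corp.example.com,5f4dcc3b5aa765d61d8327deb882cf99
not-an-email,ignored
"""

EMAIL_RE = re.compile(r"^[^@\s]+@[^@\s]+\.[^@\s]+$")
BCRYPT_RE = re.compile(r"^\$2[abxy]\$(\d{2})\$")


def normalize_email(address: str) -> Optional[str]:
    """Lower-case, strip plus-addressing, reject anything that is not an address."""
    address = address.strip().lower()
    if not EMAIL_RE.match(address):
        return None
    local, domain = address.rsplit("@", 1)
    local = local.split("+", 1)[0]  # bob.smith+video -> bob.smith
    return f"{local}@{domain}"


def hash_scheme(stored_hash: str) -> Tuple[str, Optional[int]]:
    """Identify a bcrypt hash and its cost; anything else is reported as unknown.
    A bcrypt hash means the attacker's guesses are slow; an unsalted fast hash
    (32 hex chars here) means the password should be assumed recovered."""
    match = BCRYPT_RE.match(stored_hash)
    if match:
        return ("bcrypt", int(match.group(1)))
    return ("unknown", None)


def find_corporate_accounts(dump_text: str, domains: Set[str]) -> Dict[str, List[Tuple[str, Optional[int]]]]:
    """Map each corporate address found in the dump to the hash schemes seen for it."""
    matches: Dict[str, List[Tuple[str, Optional[int]]]] = {}
    for row in csv.DictReader(io.StringIO(dump_text)):
        email = normalize_email(row.get("email") or "")
        if email is None:
            continue  # junk line, skip rather than crash on a huge dump
        if email.rsplit("@", 1)[1] in domains:
            matches.setdefault(email, []).append(hash_scheme(row.get("password_hash") or ""))
    return matches


def triage(matches: Dict[str, List[Tuple[str, Optional[int]]]]) -> List[str]:
    """Order follow-ups: accounts whose hash was not a slow scheme come first,
    because their password is the most likely to be cracked and reused."""
    def priority(item: Tuple[str, List[Tuple[str, Optional[int]]]]) -> Tuple[int, str]:
        email, schemes = item
        fast = any(scheme != "bcrypt" for scheme, _ in schemes)
        return (0 if fast else 1, email)
    return [email for email, _ in sorted(matches.items(), key=priority)]


if __name__ == "__main__":
    found = find_corporate_accounts(SAMPLE_DUMP, CORPORATE_DOMAINS)
    for email in triage(found):
        print(email, found[email])
```

Matching is on the exact domain set, so a personal address such as `carol@gmail.com` is never reported even if the person is an employee; widening the search beyond corporate domains is the point where the privacy question raised below starts.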
There may be privacy concerns here. After all, if someone used a business email to sign up for the recently breached AdultFriendFinder.com, then that will be, at the very least, an uncomfortable conversation with the offending employee. Vince Warrington, cyber-security lead at the Financial Conduct Authority, told SC: “the email address belongs to the business, not the individual so I can't see there being any real privacy issues.”
“If businesses don't want employees to sign up to social media sites and the like using company credentials, I would suggest that they make everyone aware that they can monitor their email use, and that it's not a wise move.”
Education can suffer from the law of diminishing returns, added Warrington: “My feeling is that ‘password fatigue’ is quite real, and the more we tell people to change their passwords, the less likely they are to do so.”
“Perhaps the solution is not to correct human folly, but a fallible piece of technology. The real lesson for businesses in the spate of ‘credential re-use’ attacks is that the username/password combination is no longer a sufficient means of identification. I would suggest that using at least two-factor authentication is where businesses should be heading, as this will significantly reduce the risk of credentials stolen from, say, Dailymotion being used to gain access to corporate networks,” Warrington concluded.