August 9, 2016
Recently, the chief executives of Facebook, Google and Twitter all had their email accounts hacked. They regained control of their accounts within hours but many others — especially those who re-use passwords — haven’t been so lucky. Hackers can use software that gleans new passwords from old ones, and nearly two billion old passwords are for sale for as little as $2 on LeakedSource, a database operated anonymously. The pattern of re-using corporate passwords on LinkedIn and other sites is a growing concern.
The Wall Street Journal reports that “investigators estimate that maybe up to 8 percent of the LinkedIn usernames and passwords will work on other services.” LinkedIn, which is being acquired by Microsoft for $26.2 billion, fixed a security breach in 2012 and reset its users’ passwords.
Online backup service company Carbonite similarly reset the passwords for each of its 1.5 million customers. The company also “analyzed the hacked data and required customers whose credentials appeared in the database to confirm their identities in order to access their accounts.”
But resetting customers’ passwords can have blowback. “If they change passwords for their users, no matter how well they explain it, the perception may be completely off,” said Hold Security founder/chief information officer Alex Holden, whose company aids in identifying stolen credentials on hacking sites. “If even 0.1 percent of these users panic and they have to call customer service in one day, it creates a nightmare.”
Carbonite exec Norman Guadagno said the company was forced to act. “When you have a Carbonite account — or any backup service — and you have the username or password to that account, you have access to everything,” he said.
Other companies follow a different path. Twitter, Facebook, and Yahoo among others analyzed stolen credentials and “then urged or forced affected users to reset their passwords.” Last week, when Yahoo’s security unit learned of a report that 200 million of its user names/passwords were for sale in hacker forums, the company focused on determining the veracity of that report, first by examining the LinkedIn database, decoding names and passwords and looking for matches with Yahoo users. Eight days later, Yahoo emailed “an undisclosed number of affected users” to tell them to reset their passwords.
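The matching step the companies above describe, taking a leaked credential list, finding which of one's own users appear in it, and then forcing or merely urging a reset, can be implemented without ever storing the leaked passwords. The following is an added example, not code from the article or from LinkedIn, Yahoo, Carbonite or any other organization named in it. It assumes a local user store that keeps per-user salts and slow PBKDF2 hashes (a stated assumption, not something the article reports), and all account data and the "dump" it parses are constructed for illustration. It sorts users into three buckets: a leaked plaintext that verifies against the stored hash means a forced reset; a username that appears only beside an unverifiable unsalted hash gets a warning; a leaked plaintext that does not match needs no action.

```python
"""Triage a leaked credential dump against a local user store.

Added example (not code from the article or from any company it names).
All account data and the dump below are constructed for illustration.
"""
import hashlib
import hmac
import os
import re
from dataclasses import dataclass

PBKDF2_ITERATIONS = 100_000  # assumed local policy, not from the article
UNSALTED_SHA1_RE = re.compile(r"^[0-9a-f]{40}$", re.IGNORECASE)


@dataclass
class StoredCredential:
    """What a sane user store keeps: a per-user salt and a slow salted hash."""
    username: str
    salt: bytes
    digest: bytes


def hash_password(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ITERATIONS)


def make_account(username: str, password: str) -> StoredCredential:
    salt = os.urandom(16)
    return StoredCredential(username, salt, hash_password(password, salt))


def password_matches(cred: StoredCredential, candidate: str) -> bool:
    # The only way to test a leaked plaintext against a salted store is to
    # re-derive with that user's own salt; compare in constant time.
    return hmac.compare_digest(cred.digest, hash_password(candidate, cred.salt))


def parse_dump(text: str) -> dict:
    """Map username -> ('plaintext', pw) or ('hash_only', hexdigest).

    Dumps mix formats: some rows carry the cleartext, others only an
    unsalted SHA-1 (the 2012 LinkedIn dump was of that kind). The 40-hex
    test is a heuristic; a 40-character hex password would be misclassified.
    """
    entries = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or ":" not in line:
            continue
        user, value = line.split(":", 1)
        kind = "hash_only" if UNSALTED_SHA1_RE.match(value) else "plaintext"
        entries[user.lower()] = (kind, value)
    return entries


def triage_breach(accounts, dump_text: str) -> dict:
    """Sort our own users into reset buckets.

    force: leaked plaintext verifies against the stored hash -> reset now.
    urge : username is in the dump but the password cannot be verified
           (hash-only row) -> warn and recommend a change.
    clear: username in dump, leaked plaintext does NOT match -> no action.
    Users absent from the dump are not listed at all.
    """
    dump = parse_dump(dump_text)
    result = {"force": [], "urge": [], "clear": []}
    for cred in accounts:
        hit = dump.get(cred.username.lower())
        if hit is None:
            continue
        kind, value = hit
        if kind == "hash_only":
            result["urge"].append(cred.username)
        elif password_matches(cred, value):
            result["force"].append(cred.username)
        else:
            result["clear"].append(cred.username)
    for bucket in result.values():
        bucket.sort()
    return result


def build_sample_accounts():
    """Constructed local accounts; passwords are throwaway sample values."""
    return [
        make_account("alice@example.com", "correct horse battery"),
        make_account("bob@example.com", "Tr0ub4dor&3"),
        make_account("carol@example.com", "unique-and-long-passphrase"),
        make_account("dave@example.com", "hunter2"),
    ]


# Constructed dump: alice reused her password, bob used a different one,
# carol appears only beside a made-up unsalted hash, erin is not our user.
CONSTRUCTED_DUMP = """\
alice@example.com:correct horse battery
bob@example.com:some-other-password
carol@example.com:0123456789abcdef0123456789abcdef01234567
erin@example.com:letmein
"""

if __name__ == "__main__":
    for bucket, users in triage_breach(build_sample_accounts(), CONSTRUCTED_DUMP).items():
        print(f"{bucket:5s} {', '.join(users) or '-'}")
```

Run stand-alone, it prints one line per bucket; in the constructed data alice is forced to reset, carol is urged to, and bob is clear. The dump is only ever held in memory and compared against the existing salted hashes, so the process never writes the leaked passwords into the user store.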
Yahoo chief information officer Bob Lord said, “the abuse of the data seems to be on the rise.” Microsoft researcher Cormac Herley said the news is worrisome. “It could be that some third party has a breach and I’m essentially hostage to whether my employees reused passwords,” he said.