Last month, our January 2019 newsletter article opened with a statement on how we anticipate the news of data breaches to dominate the headlines in 2019. Just over 2 weeks into the year, we began posting about the availability of “Collection #1,” a trove of personal data that had been cobbled together from numerous other data breaches.
Was this collection really a ‘megabreach?’ And what lessons can be learned from this, to apply to your business?
This “collection” started with over 773 MILLION email addresses and passwords, but within weeks bloomed to over 2.2 BILLION records. A story in The Guardian dubbed the 87GB file “the largest collection ever of breached data found.” By the way, this collection could be purchased for the cheap price of $45!
However, was this “megabreach” a bit misreported? It’s since come out that this collection is not even close to the largest gathering of stolen data, and that the majority of the data is at least two to three years old. First revealed by the HaveIBeenPwned breach notification service, it seems the data cache was likely “made up of many different individual data breaches from literally thousands of different sources.” Also, the data is just a subset of a much larger tranche of passwords being peddled by a shadowy seller online.
The picture above shows a screenshot of the seller's offerings on the Dark Web as of late January; you can see that the 87GB "Collection #1" is just a small part of roughly 1TB of stolen data on offer. This particular database was simply a compilation of dumps and leaked databases, most of them from two to three years earlier. When we searched this database for specific records, much of the information we looked at came from the well-publicized LinkedIn and Dropbox breaches (2016 and 2012, respectively). However, there are still "somewhere in the order of 140 million email addresses in this breach that have never been seen before. Those email addresses could come from one large unreported data breach, many smaller ones, or a combination of both."
So, what does all this mean – specifically for a business owner or manager?
Although over 90% of the "Collection #1" data was old, it highlights a recurring problem: by the time you find out about a breach, the data has usually been circulating for a while, and any damage from it may already be done. Most of the Collection #1 data has been available for years. It is an unfortunate fact that far too many people have the nasty habits of choosing poor passwords, re-using the same password and email address across multiple sites, and not turning on multi-factor authentication when it is offered.
If this Collection #1 has you spooked, changing your password(s) certainly can't hurt, but it only helps if the new password is unique to each site. If you are in the habit of re-using passwords (which we strongly encourage you NOT to do), an attacker who finds one of your old passwords in a dump like this will simply try it everywhere else. As the Collection #1 price tag ($45 for roughly 2.2 billion records, about .000002 cents per password) shows, your password is worth far more to you than it is to the cybercriminals trading it.
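One practical check a business can build into a password-change or sign-up flow is to test a candidate password against a breach corpus like the one behind HaveIBeenPwned, without ever sending the password (or even its full hash) off the machine. The example below is added here and is not code from the original article or from HaveIBeenPwned; it models the "k-anonymity" range lookup that the Pwned Passwords service uses: the client hashes the password with SHA-1, sends only the first 5 hex characters of the hash, receives every known hash suffix in that range with its occurrence count, and does the final match locally. The breached-password list and counts are constructed sample data, and the simulated server (`range_lookup`) stands in for the real endpoint so the code runs offline; `hibp_range_lookup` shows how the same client would be pointed at the live service.

```python
import hashlib
import urllib.request

# Constructed sample corpus: passwords and how often they were seen in dumps.
# These counts are illustrative, not real Pwned Passwords figures.
CONSTRUCTED_BREACHED = {
    "password": 3_730_471,
    "123456": 23_597_311,
    "linkedin": 8_765,
    "dropbox2012": 42,
}

HEX = set("0123456789ABCDEF")


def sha1_upper(password: str) -> str:
    """Uppercase hex SHA-1 of the password (the format the range API uses)."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest().upper()


def build_range_index(breached: dict) -> dict:
    """Server side: bucket every breached hash by its 5-char prefix ("range")."""
    index = {}
    for pw, count in breached.items():
        h = sha1_upper(pw)
        index.setdefault(h[:5], []).append((h[5:], count))
    return index


RANGE_INDEX = build_range_index(CONSTRUCTED_BREACHED)


def range_lookup(prefix: str) -> str:
    """Simulated server for the constructed corpus. Accepts only a 5-char prefix
    and answers with 'SUFFIX:COUNT' lines, mirroring the real response format."""
    if len(prefix) != 5 or not set(prefix) <= HEX:
        raise ValueError("prefix must be exactly 5 uppercase hex characters")
    return "\r\n".join(
        f"{suffix}:{count}" for suffix, count in sorted(RANGE_INDEX.get(prefix, []))
    )


def hibp_range_lookup(prefix: str) -> str:
    """Live lookup against the real Pwned Passwords range endpoint (not called
    in this offline example). Add-Padding asks the service to mix in dummy
    suffixes with a count of 0 so response size does not leak range contents."""
    req = urllib.request.Request(
        f"https://api.pwnedpasswords.com/range/{prefix}",
        headers={"Add-Padding": "true", "User-Agent": "example-password-check"},
    )
    with urllib.request.urlopen(req, timeout=10) as resp:
        return resp.read().decode("utf-8")


def pwned_count(password: str, lookup=range_lookup) -> int:
    """Client side: hash locally, send only the prefix, match the suffix locally.
    Returns how many times the password appeared in the corpus (0 = not found)."""
    h = sha1_upper(password)
    prefix, suffix = h[:5], h[5:]
    for line in lookup(prefix).splitlines():
        candidate, _, count = line.strip().partition(":")
        # Padding entries (count 0) are never real matches; skip them.
        if candidate == suffix and count.isdigit() and int(count) > 0:
            return int(count)
    return 0


def queried_prefix(password: str) -> str:
    """What actually leaves the client for a given password: 5 hex chars."""
    return sha1_upper(password)[:5]


def acceptable_password(password: str, lookup=range_lookup) -> bool:
    """Policy hook for a sign-up or reset form: reject anything seen in a breach."""
    return pwned_count(password, lookup) == 0


if __name__ == "__main__":
    for pw in ("password", "dropbox2012", "correct horse battery staple"):
        print(f"{pw!r}: sends {queried_prefix(pw)}, seen {pwned_count(pw)} times, "
              f"{'accept' if acceptable_password(pw) else 'reject'}")
```

Because only 5 hex characters (one of 1,048,576 possible ranges) are sent, the server learns nothing usable about which password was checked; a real range typically contains several hundred suffixes, so the client always has to do the final comparison itself. Wiring `pwned_count(pw, lookup=hibp_range_lookup)` into a reset flow is how the same check runs against the live data set.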
For most of us, some of the most important passwords are those protecting our email inbox(es). That's because, in nearly all cases, whoever controls that email address can reset the password of any service or account tied to it, merely by requesting a password reset link via email. The above graphic gives some ideas of what is possible with a hacked email address. What other important passwords can you think of? QuickBooks, a medical EHR, company software, domain admin accounts, etc.?
More than half (54%) of companies plan to increase IT security spending in 2019, according to eSecurityPlanet.com. What are you doing to manage data security for your business? Not only is this getting harder and harder, but it is demanding attention in new areas.
Dark Web monitoring, anti-phishing services, security perimeter management, vulnerability and penetration testing – these are just a few of our services designed to combat this. Give us a call today to see where you can improve your company’s security!