It may be a good idea to change your password if you have an email account with one of the Big 3 email providers.
News broke last week of a massive data breach involving hundreds of millions of compromised email credentials. A whopping 272.3 million stolen user names and passwords have been released in the criminal underworld, the majority of which belong to Gmail, Hotmail and Yahoo email services, and also the popular Russian email provider Mail.ru, media reports from Thursday, May 5 stated.
If the figure is accurate, it would represent the biggest single data breach since the cyberattacks that hit large US banks and retailers – most notably, Target and Home Depot – in 2014.
The compromised data is still circulating around the criminal underworld, mainly in cybercrime marketplaces based in Eastern Europe, according to media reports. The data stolen from the email providers cannot be found on the open web, however. It’s located on forums found in the deep web, or ‘dark net’, where hackers and cybercriminals go to buy or sell stolen information.
Such a massive data breach could be the prelude to a large-scale phishing attack campaign, where phishing emails are sent to each of the compromised accounts. This means that the risk of financial theft or brand reputation damage could potentially skyrocket in the coming weeks and months.
Companies that do business online should be wary of phishing scammers imitating their brand, either over email or by the creation of a phony website seeking to trick their customers into handing over sensitive data like credit card numbers. Just a handful of people burned by the scam could be enough to do serious and lasting damage to a brand’s reputation.
Leverage the Tools Needed to Protect Your Brand
Some of most sophisticated phishing attacks target organizations and their customers via social media, rogue mobile apps, and fictitious domains. Phishing messages look more like you than ever before, and the more like you that they look, the higher the chance that your customers will fall victim to it and have their sensitive personal information compromised.
What is needed to fend against what will likely lead to a new wave of phishing from this latest data breach is a solution that constantly scans the internet for threats that can harm your organization’s good name, through the monitoring of social media feeds, mobile app stores and domain registrations.
The intelligence gathered by remaining vigilant in the face of cyber-threats will allow you to know when an attack is imminent and to stop it before it’s launched. Further, this intelligence – the result of scrupulous and constants monitoring – can be used to seek out and take down the source of phishing attacks and illegitimate websites masquerading as your business.
But the shockwaves felt from 2016’s largest breach so far could mean more than just a spike in phishing activity. They could have a knock-on effect to social media sites as well, one security analyst warned.
“This could potentially put at risk a lot of other big players like Facebook, Twitter, LinkedIn and Amazon,” said David Castañeda, VP of Research and Development for Easy Solutions.
“Think about how a lot of business streams rely on the fact that your personal email is not compromised – financial, health care, insurance, labor – any type of service where contracts are delivered or negotiated over email. All of these business practices are touched from such massive compromise,” he said.
Castañeda added that the breach was possibly the work of a type of attack known as credential stuffing.
Credential stuffing is a cyberattack involving the automated injection of random username-password combinations in order to fraudulently gain access to user accounts. Large numbers of compromised credentials are automatically entered into the login pages of various websites until they are matched to an existing account, which the attacker can then take control of.
Protecting End-Users From Themselves
Another risk to email security comes from the users – who hackers know frequently recycle their passwords, or who use the same password for different online accounts, and credentials that get stolen can be plugged into other common forums since so many users don't bother changing their passwords for different websites.
This is what makes security that employs two-factor authentication so relevant. If a cybercriminal attempts to access your email from a device that you have never used before, or from a location that you’ve never been, two-factor authentication throws up a barrier preventing them from entering the account, and, in the case online bank accounts, from stealing your money.
There is no doubt that large data breaches will continue, and this latest one shows that phishing is still a valuable commodity for hackers and online criminals. What companies need to do is put in place solutions that make stolen credentials much more difficult to monetize – as with two-factor authentication.
Unlike the first generation of tokens, new factors like Push, device ID, QR codes and biometric security make this kind of protection easier than ever for your customers to adopt.
The tools are there to make breaches a nuisance that can be mitigated, as opposed to a disaster that causes lasting damage. Don’t wait until it’s too late and you are left scrambling to contain the fallout. Do your customers a favor and protect them before the next big data breach.