I recently received an email that notified me of a forced password reset for one of my online accounts due to the AdultFriendFinder breach. I DON’T have an AdultFriendFinder account and have never used that site, but because of the reuse of passwords across multiple sites, a breach for one company creates a domino effect for other companies.
How many of your users are using insecure and compromised passwords? You may have a standard password strength meter on your site so you may think that your users have secure passwords. Think again. Password strength meters and password complexity requirements are simply not enough.
Billions of user credentials (usernames and passwords) have been exposed publicly over the last few years. The natural question that comes up is “what do cybercriminals do with these stolen credentials?” Well, apart from using them to attempt logins to the breached website itself, the second most common thing cybercriminals will do with stolen credentials is to use them in an attack called “credential stuffing.”
Back in August, a hacker named peace_of_mind claimed to be selling a database containing credentials for 200 million Yahoo accounts.
At the time Yahoo indicated they were investigating the matter, but could not confirm.
Today, Yahoo confirmed that 500 million accounts were compromised in what we believe is the largest known data breach in history.