Earlier today, news broke that unknown activists have posted nearly 25,000 credentials belonging to the National Institutes of Health, the World Health Organization, the Gates Foundation and other organizations engaged in the fight against the coronavirus pandemic. According to Souad Mekhennet and Craig Timberg at the Washington Post, “The lists, whose origins are unclear, appear to have first been posted to 4chan, a message board notorious for its hateful and extreme political commentary, and later to Pastebin, a text storage site, to Twitter and to far-right extremist channels on Telegram, a messaging app.”
This shows how quickly compromised credentials can be shared and utilized by various groups with malicious intent. Almost immediately following the release of the information, extremist groups began using them to attempt to hack and harass the NIH, WHO, CDC and other organizations.
There is some good news, however. We ran many of the dumped emails and passwords through our proprietary live database of exposed credentials, and it appears that they were all from prior breaches with the 2016 LinkedIn attack the primary source. While it’s encouraging to know that the affected organizations are not grappling with any new hack on top of the unprecedented circumstances afforded by COVID-19, this situation nevertheless underscores how critical it is that companies continually screen employee accounts and credentials.
As we’ve written about numerous times before, password reuse is an incredibly common and serious security problem. Researchers from Virginia Tech University found that over 70% of users employed a compromised password for other accounts up to a year after it was initially leaked, with 40% reusing passwords which were leaked over three years ago.
It’s too soon to say whether and how much this may factor into the challenges facing the organizations targeted in this latest credential dump. What is clear, however, is that data breaches are a reality of modern life and it’s highly likely that a credential that was once secure could become exposed down the road.
That’s why NIST recommends that organizations screen passwords not only at their creation, but on a daily basis. Through our continuously updated catalog containing multiple billions of unique exposed user-name and password combinations, Enzoic enables companies to efficiently ensure compliance with this recommendation and safeguard their accounts.
Today’s news is just the latest example that highlights how hackers, extremists and foreign interest groups are capitalizing on security vulnerabilities to advance their agendas and ideas. As the international community continues to combat the coronavirus pandemic and the 2020 presidential race heats up, expect to see more of these stories.
Screening all credentials daily against a live database can make the difference between a successful breach or a thwarted attack.