Over time passwords have become a ubiquitous part of our digital activities. They’re something we expect to create and manage for all of our accounts, and yet with all of our online accounts, having unique passwords can be difficult. Despite this, they remain the most common way of locking unauthorized persons out of our systems and away from our sensitive data. The data held in our digital accounts is of great value to threat actors everywhere. This is why attackers are perfecting their techniques and using sophisticated tactics to conduct account takeover attacks using compromised passwords.
Compromised passwords pose a significant threat to the security of organizations and individuals and as time ticks on, the list of exposed passwords continues to grow at an alarming rate. In fact, according to the Verizon Data Breach report, 81% of hacking-related breaches leveraged either stolen and/or weak passwords.
The Impact of Compromised Passwords
We’re currently experiencing a data breach epidemic. According to the 2019 MidYear QuickView Data Breach Report, 4.1 million records were compromised in the first six months of 2019. According to Help Net Security, in 2019, a total of 7,098 reported breaches exposed 15.1 billion records.
Compromised passwords are a crucial part of the data breach epidemic. One study found that 90% of respondents have experienced the effects of a data breach resulting from a compromised password. Compromised passwords impact both individuals and organizations, so in this section, we’ll be focusing on both to get a full picture of the true impact.
Reputation and Financial Loss
Threat Actors can potentially gain access to an organization’s IT systems and steal sensitive data by utilizing compromised passwords. Even if they don’t use a compromised password to gain access to the system, they can often come away with many thousands or millions of these passwords after a successful data breach. This can have a significant impact on a company’s reputation and result in major financial loss, both in terms of fixing the damage and in the loss of future revenue.
The financial impact of a data breach due to compromised passwords can devastate companies of all sizes but can be particularly severe for small and medium-sized businesses (SMEs). SMEs are often less likely to have robust cybersecurity policies that protect against the use of already compromised passwords, and they are also less likely to believe their company will be on the radar of Threat Actors. According to the IBM Cost of a Data Breach Report, the average total cost of a data breach globally is USD 3.92 million. However, the US is the most expensive country in which to suffer a data breach, where the average cost rises to USD 8.19 million.
Loss of Data
According to the same IBM report, 25,575 records on average are lost in a data breach. Once this data is out there it’s incredibly difficult (if not impossible) to regain control of it.
Recent Examples of Prominent Data Breaches Involving Exposed Passwords
- In February 2018 Under Armour’s popular fitness app MyFitnessPal was breached, resulting in 150 million usernames, email addresses, and passwords being exposed.
- In October 2016 the FriendFinder Network, a network dedicated to adult content and communication services, was targeted by Threat Actors. In the attack, more than 412.2 million accounts were exposed, and names, email addresses, and passwords were put in the hands of Threat Actors. The exposed passwords were protected using the notoriously weak SHA-1 hashing algorithm, which meant that the vast majority of passwords were cracked in very little time.
- In 2016, Uber was hit with a data breach that exposed over 57 million user and driver records. Threat Actors obtained these records by gaining access to Uber’s GitHub account, where they then found the username and password for Uber’s AWS account. So, in this case, according to CSO Online, a compromised password directly led to millions of user records being exposed.
The Growing Threat and Looking to The Future
While passwords remain a popular way of securing data, they are far from perfect.
“The password is by far the weakest link in cybersecurity today.” Michael Chertoff, former head of Homeland Security
This has led some security professionals to suggest other ways of securing our data, some of which are gaining traction. Fingerprint, iris, or other biometric readers are becoming more common, as are persona-based authentication methods (relying on your online behavior and geographical location) and authentication keys. However, none of these options has managed to replace the traditional password, and each comes with its own pros and cons.
Organizations cannot move away from the password anytime soon: for all the new authentication methods, the password is still the back-up factor, and there is not a ubiquitously trusted alternative yet. This means we’re forced to come up with new and creative ways to defend our data while still using passwords. Exposed password screening and compromised credential screening are starting to become more widely used because they can alert users when their password has been exposed and is therefore no longer safe to use.
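The screening described above is usually done at the moment a user sets or changes a password: the new password is checked against a corpus of passwords already exposed in public breaches, and rejected if it appears there. The following Python example is added here for illustration and is not code from the original article or from any screening vendor. It simulates the whole exchange locally with a small constructed corpus (the passwords and their occurrence counts are made up): the client hashes the candidate password, reveals only the first five hex characters of the digest, and matches the rest of the digest itself, so the screening service never sees the password or its full hash.

```python
import hashlib
from collections import defaultdict

# Constructed sample corpus: passwords that (hypothetically) appeared in
# public breach dumps, with made-up counts of how often each was seen.
# A real deployment would load hashes from a breach-corpus provider instead.
SAMPLE_BREACHED = {
    "password": 3_730_471,
    "123456": 23_597_311,
    "qwerty": 3_946_737,
    "letmein": 236_958,
    "Summer2019!": 1_203,
}

PREFIX_LEN = 5  # hex characters of the digest the client reveals to the service


def sha1_hex(password: str) -> str:
    """Uppercase hex SHA-1 of the UTF-8 password; used only as a lookup key,
    never as a storage hash for the password itself."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest().upper()


def build_index(corpus: dict) -> dict:
    """Bucket the corpus by digest prefix so a lookup needs only the prefix."""
    index = defaultdict(list)
    for pw, count in corpus.items():
        digest = sha1_hex(pw)
        index[digest[:PREFIX_LEN]].append((digest[PREFIX_LEN:], count))
    return dict(index)


CORPUS_INDEX = build_index(SAMPLE_BREACHED)


def range_query(prefix: str, index: dict = CORPUS_INDEX) -> list:
    """Service side of the exchange: given only a prefix, return every
    (suffix, count) pair that shares it. The service cannot tell which of the
    returned candidates the client is interested in."""
    if len(prefix) != PREFIX_LEN or any(c not in "0123456789ABCDEF" for c in prefix):
        raise ValueError("prefix must be %d uppercase hex characters" % PREFIX_LEN)
    return list(index.get(prefix, []))


def check_password(password: str, index: dict = CORPUS_INDEX) -> dict:
    """Client side: hash locally, send only the prefix, match the suffix at home."""
    digest = sha1_hex(password)
    prefix, suffix = digest[:PREFIX_LEN], digest[PREFIX_LEN:]
    matches = range_query(prefix, index)
    count = next((n for s, n in matches if s == suffix), 0)
    return {
        "compromised": count > 0,
        "seen_count": count,
        "prefix_sent": prefix,
        "candidates_returned": len(matches),
    }


def screen_new_password(password: str, min_length: int = 8,
                        index: dict = CORPUS_INDEX) -> tuple:
    """Policy check at password-set time: enforce a length floor, then reject
    any password found in the breach corpus no matter how complex it looks.
    Returns (accepted, reason)."""
    if len(password) < min_length:
        return False, "too short (%d < %d)" % (len(password), min_length)
    result = check_password(password, index)
    if result["compromised"]:
        return False, ("appears in breach corpus (%d occurrences); choose another"
                       % result["seen_count"])
    return True, "ok"


if __name__ == "__main__":
    for candidate in ["password", "Summer2019!", "correct-horse-battery-staple-2024"]:
        print(candidate, screen_new_password(candidate))
```

Two design points matter for a practitioner. First, "Summer2019!" satisfies every classic complexity rule and is still rejected, which is exactly the case that complexity policies alone miss. Second, SHA-1 is acceptable here only because the corpus consists of passwords that are already public and the digest is used as a lookup key; as the FriendFinder example above shows, it is not an acceptable way to store your own users' passwords, which should be protected with a slow, salted password hash.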