A few days ago another huge set of stolen user data was published on the Internet. It is reported to contain over 773 million e-mail addresses and over 21 million passwords in plain text, which opens the way to whatever those credentials protect.
And this happens more and more often: login data is stolen and then published or traded on the darknet, for private accounts as well as company accounts. Since companies cannot fully ensure that their employees choose secure and unique passwords, they should use technology that monitors credentials and detects misuse and the resulting risks in a timely manner. Users often notice far too late that their accounts have been hijacked and that sensitive data has become freely accessible as a result. We will tell you how you can protect your company.
The most recent incident: Collection #1
“Collection #1” is the name under which a data set was published online that reportedly aggregates huge numbers of e-mail addresses and passwords from many individual data thefts, about 87 gigabytes in total. The data shows from which sources it originated, but not easily when each theft took place or by whom.
To find out whether your user data is affected, you can check the website https://haveibeenpwned.com/ run by Troy Hunt, IT security expert and Microsoft Regional Director in Australia. If an address was also affected by an older data theft, that is reported as well.
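The site also offers a Pwned Passwords range API that lets you automate the check without ever sending the password itself. The following Python code is an added example (not code from the original post or from haveibeenpwned.com); it implements the API's k-anonymity lookup and parses a constructed sample response so the logic can be run offline. The User-Agent string and the sample counts are arbitrary choices for the example.

```python
"""Check whether a password appears in known breach data, using the Pwned
Passwords range API of haveibeenpwned.com and its k-anonymity model: only the
first five hex characters of the password's SHA-1 hash leave the machine, the
service answers with every hash suffix sharing that prefix plus a breach
count, and the comparison happens locally.
"""
import hashlib
import urllib.request
from typing import Tuple

RANGE_URL = "https://api.pwnedpasswords.com/range/"

# Constructed sample of what a range response looks like for prefix 5BAA6
# (the prefix of SHA-1("password")); the counts are made up for this example,
# and the 0-count line is the kind of padding entry the API can add.
SAMPLE_RANGE_5BAA6 = """\
0018A45C4D1DEF81644B54AB7F969B88D65:1
1E4C9B93F3F0682250B6CF8331B7EE68FD8:3730471
3D4ADB9E3C1FA9A16F0C4E4E3E9A6C4B5D5:0
"""


def sha1_prefix_suffix(password: str) -> Tuple[str, str]:
    """Split the upper-case hex SHA-1 of the password into the 5-character
    prefix that is sent to the service and the 35-character suffix kept local."""
    digest = hashlib.sha1(password.encode("utf-8")).hexdigest().upper()
    return digest[:5], digest[5:]


def count_in_range_response(body: str, suffix: str) -> int:
    """Parse a range response ('SUFFIX:COUNT' per line) and return the breach
    count for the given suffix, 0 if it is absent or listed with count 0."""
    wanted = suffix.upper()
    for line in body.splitlines():
        line = line.strip()
        if not line or ":" not in line:
            continue
        candidate, _, count = line.partition(":")
        if candidate.upper() == wanted:
            try:
                return int(count)
            except ValueError:
                return 0
    return 0


def check_password_offline(password: str, body: str) -> int:
    """Breach count for the password given an already fetched range body."""
    _, suffix = sha1_prefix_suffix(password)
    return count_in_range_response(body, suffix)


def check_password_online(password: str, timeout: float = 10.0) -> int:
    """Fetch the range for the password's prefix and return its breach count.
    Requires network access; the User-Agent value is an arbitrary choice."""
    prefix, suffix = sha1_prefix_suffix(password)
    request = urllib.request.Request(
        RANGE_URL + prefix,
        headers={"User-Agent": "pwned-range-check-example",
                 "Add-Padding": "true"},  # ask the service for padded responses
    )
    with urllib.request.urlopen(request, timeout=timeout) as response:
        body = response.read().decode("utf-8")
    return count_in_range_response(body, suffix)


if __name__ == "__main__":
    print("offline sample:", check_password_offline("password", SAMPLE_RANGE_5BAA6))
```

A non-zero count means the password has already been seen in breach data and should not be used anywhere, regardless of how strong it looks. Because only a hash prefix is transmitted, the service learns neither the password nor, with padding enabled, which suffix you were interested in.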
Affected users should reset their password without delay and choose a new, secure one. Otherwise others may gain access to the affected accounts, misuse the sensitive data and lock the real user out.
Choosing passwords: balancing convenience and security
When it comes to passwords, users face a dilemma. On the one hand, passwords should be secure: they are the key to sensitive data, so they should meet high security requirements and ideally differ for every portal; otherwise compromised credentials open the way not just to one account but to several. On the other hand, users must be able to remember their passwords, or they lose track of the many portals and platforms for which they hold access data.
The following criteria should be considered when choosing passwords:
- At least eight characters (longer is better)
- A mix of lower-case and upper-case letters, numbers and special characters
- A unique password for each portal
- Regular password changes, and in any case an immediate change whenever a compromise is known or suspected
This seems practically impossible: who can really remember that many complex passwords? But there are several approaches that help users:
- A password scheme can help in remembering many different passwords: users pick a base password and supplement it with a component derived from the respective portal. Bear in mind that if one such password leaks in plain text, the scheme is easy to infer from it, so the other passwords built on the same base are weakened too.
- Multi-factor authentication significantly increases account security by requiring a password plus another factor for access: for example, a code sent by SMS or a biometric feature. A stolen password alone is then not enough to log in. An authenticator app or hardware token is more robust than SMS, which can be intercepted or redirected by SIM swapping.
- Alternatively, users can rely on a reputable password manager such as 1Password or KeePass, which stores all passwords and can also generate secure, complex ones. The user then only has to remember a single password, the master password for the password manager. That one, however, must be very strong, since it protects every other password.
What can companies do to protect their employees’ accounts and sensitive data?
Companies should use solutions that monitor their employees' login data and immediately secure the affected accounts if that data is stolen or disclosed. The SpyCloud solution makes this possible.
SpyCloud compares employee user data with credentials circulating and traded on the web and the darknet. It draws on known public reports as well as private and covert sources, automated scanners and human intelligence.
As soon as SpyCloud detects a match between an employee's login data and stolen data, a password reset is forced on the affected account, as well as on all accounts that use the same credentials. The user and the IT department are informed of the incident immediately, and the user is asked to set a new, secure password. At that point the new password is checked against the password history, so that a previously used password cannot be reused in the same or a similar form. In this way sensitive company data and users are protected, and potentially high financial and reputational damage is averted.
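To make the mechanics concrete, here is an added Python example of the company-side workflow just described: matching a leaked combo list against an employee directory, forcing a reset on every hit (including password reuse under a different e-mail address), and rejecting a replacement password that repeats or trivially varies a previous one. This is illustrative code written for this article, not SpyCloud's own implementation; the combo list, the employee accounts and the PBKDF2 parameters are constructed for the example, and the "normalized form" history check is one reasonable design, not necessarily the one the product uses.

```python
"""Company-side credential-exposure check: match a leaked credential dump
against an employee directory, lock hit accounts for a reset, and reject a
replacement password that repeats or trivially varies a previous one.
Passwords are never stored in plain text; leaked plaintexts are hashed with
each account's salt and compared against the stored verifier.
"""
import hashlib
import hmac
import os
import re
from typing import Dict, List, Tuple

# PBKDF2 rounds kept low so the example runs fast; use far more (or Argon2id)
# in production.
KDF_ROUNDS = 20_000

# Constructed sample combo list, not real leaked data.
SAMPLE_DUMP = [
    "alice@example.com:Winter2019!",
    "bob@example.com:correct horse battery staple",
    "unrelated@example.org:hunter2",
    "this line is not a credential",
]


def kdf(secret: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", secret.encode("utf-8"), salt, KDF_ROUNDS)


def normalize(password: str) -> str:
    """Collapse trivial variants so 'Winter2019!' and 'winter2020' compare
    equal: drop trailing digits/symbols, lower-case the rest."""
    base = re.sub(r"[^A-Za-z]+$", "", password)
    return (base or password).lower()


class Account:
    def __init__(self, email: str, password: str) -> None:
        self.email = email.lower()
        self.locked = False
        # Retired verifiers as (salt, hash, hash of normalized form).
        self.history: List[Tuple[bytes, bytes, bytes]] = []
        self.salt, self.hash, self.base_hash = self._verifiers(password)

    @staticmethod
    def _verifiers(password: str) -> Tuple[bytes, bytes, bytes]:
        salt = os.urandom(16)
        # The normalized-form hash lets a later change be tested for "same
        # password with a bumped digit" without keeping any plaintext.
        return salt, kdf(password, salt), kdf(normalize(password), salt)

    def matches(self, candidate: str) -> bool:
        return hmac.compare_digest(kdf(candidate, self.salt), self.hash)

    def all_verifiers(self) -> List[Tuple[bytes, bytes, bytes]]:
        return self.history + [(self.salt, self.hash, self.base_hash)]


def parse_dump(lines: List[str]) -> List[Tuple[str, str]]:
    """Parse 'email:password' combo-list lines, skipping malformed ones."""
    creds = []
    for line in lines:
        email, sep, password = line.strip().partition(":")
        if sep and "@" in email and password:
            creds.append((email.lower(), password))
    return creds


def find_exposed(directory: Dict[str, Account], dump: List[str]) -> Dict[str, str]:
    """Map each hit account to a reason: 'password' when the leaked secret
    verifies against the stored hash (also under another e-mail, i.e. reuse),
    'email' when only the address appears in the dump."""
    findings: Dict[str, str] = {}
    for leaked_email, leaked_pw in parse_dump(dump):
        for acct in directory.values():
            if acct.matches(leaked_pw):
                findings[acct.email] = "password"
            elif acct.email == leaked_email:
                findings.setdefault(acct.email, "email")
    return findings


def force_reset(acct: Account) -> None:
    """Lock the account until the user sets a fresh password."""
    acct.locked = True


def set_new_password(acct: Account, new_pw: str) -> Tuple[bool, str]:
    """Accept the new password only if it neither equals nor trivially varies
    any current or previous password; unlock the account on success."""
    if len(new_pw) < 8:
        return False, "too short"
    for salt, h, base_h in acct.all_verifiers():
        if hmac.compare_digest(kdf(new_pw, salt), h):
            return False, "reuses a previous password"
        if hmac.compare_digest(kdf(normalize(new_pw), salt), base_h):
            return False, "trivial variation of a previous password"
    acct.history.append((acct.salt, acct.hash, acct.base_hash))
    acct.salt, acct.hash, acct.base_hash = Account._verifiers(new_pw)
    acct.locked = False
    return True, "ok"


def build_directory() -> Dict[str, Account]:
    """Constructed employee directory; carol reuses bob's leaked password."""
    accounts = [
        Account("alice@example.com", "Winter2019!"),
        Account("bob@example.com", "Tr0ub4dor&3"),
        Account("carol@example.com", "correct horse battery staple"),
    ]
    return {a.email: a for a in accounts}


if __name__ == "__main__":
    directory = build_directory()
    for email, reason in find_exposed(directory, SAMPLE_DUMP).items():
        print(f"{email}: exposed ({reason}), forcing reset")
        force_reset(directory[email])
```

Two points a practitioner should note. First, an e-mail-only hit (bob above) still deserves attention: the leaked password did not match, but the address is now on attacker lists and the account should at least be watched for credential-stuffing attempts. Second, storing a hash of the normalized form slightly lowers the work needed to crack the base word, so it only makes sense behind a strong, slow KDF; a history check that compares exact hashes alone would accept "Winter2020!" after "Winter2019!", which is exactly the reuse pattern attackers try first.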