While a total of 974 publicly disclosed data breaches may make 2016 sound like a hallmark year for data breaches, it gets worse when you realize how many organizations may not even know they were hacked. Reporting is in some ways a lagging indicator. For example, it took Yahoo! until December 2016 to report that 1.5 billion user accounts had been hacked, and that breach occurred all the way back in 2013.

The biggest mistake most companies make? Storing passwords without hashing and salting them. By not taking care of this very simple security precaution, companies leave themselves, and their users, vulnerable to attack.

- Friend Finder Network: 412 million accounts (2016)
- Heartland Payment Systems: 130 million accounts (2008)
- Sony Online Entertainment: 102 million accounts (2011)

What's most concerning is that the trend does not appear to be abating or slowing over time. On the contrary, it appears that breaches are growing worse over time as user data is consolidated in increasingly large web repositories, attackers become more sophisticated, and large corporations remain slow to implement better security.

Storing passwords in a form other than plain-text adds an extra level of security to user data. Hashing is necessary, but for lost data to be rendered useless, passwords also need to be salted. Adding a salt string to passwords ensures a unique hash is stored. This added security is incredibly straightforward to implement, but it's alarming to think that more companies aren't using it.

For Rambler, the so-called Yahoo! of Russia, user passwords weren't even hashed; they were stored in plain-text. This major cyber security faux pas left them susceptible to attacks. The fallout was even bigger than originally thought, because millions of users used the same password on multiple sites, making it easy for hackers to breach those as well.

To its credit, the Friend Finder Network employed SHA1 hashing to protect user passwords. But it fell short of adequate protection by failing to salt the passwords. This oversight made it ridiculously easy for hackers to reverse engineer passwords to gain access.

Just how prevalent is this kind of mishandling of user data? Of the 165 million passwords stolen from LinkedIn in 2012, 71% of them were hashed but not salted. Any motivated hacker looking to turn a quick profit simply had to load the hashed passwords into an app to reverse them and sell them.

In the case of Yahoo!, after their first hack in 2013, they began hashing and salting their passwords using the bcrypt method. However, not all stolen passwords were protected in the 2014 hack. It is possible that their failure to disclose the first hack meant users didn't change their passwords to take advantage of the additional security measures. Therefore, those passwords weren't covered by the new encryption.

Since 2013, over 5 trillion user records have been stolen. With the number of breaches growing, the reality is that they are inevitable.
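The following is an added example, not code from the original post or from any of the companies it names. It illustrates two points made above: why an unsalted hash such as the SHA1 scheme attributed to Friend Finder and LinkedIn leaks more than a salted one (every user who chose the same password ends up with the same stored value, so reversing one entry reverses all of them), and why a migration like the one described for Yahoo! leaves accounts behind (a record is only re-hashed when its owner logs in). The article names bcrypt; this example uses PBKDF2-HMAC-SHA256 from Python's standard library instead, an assumed substitute chosen so the code runs without a third-party package, and the user table is a constructed toy dataset.

```python
import hashlib
import hmac
import os
from collections import Counter
from typing import Dict, Optional

# Constructed toy user table (not real data). alice and bob chose the same password.
SAMPLE_USERS = {
    "alice": "Summer2016!",
    "bob": "Summer2016!",
    "carol": "correct horse battery staple",
}


def legacy_sha1_record(password: str) -> str:
    """The weak scheme the article attributes to Friend Finder and LinkedIn:
    one SHA-1 over the password alone, with no salt and no work factor."""
    return "sha1$" + hashlib.sha1(password.encode("utf-8")).hexdigest()


# Slow, salted hashing. The article names bcrypt; this example uses the standard
# library's PBKDF2-HMAC-SHA256 instead (assumption: no third-party bcrypt package
# is available). It shows the same two properties: a random per-user salt, and a
# work factor that makes every guess expensive.
PBKDF2_ITERATIONS = 200_000


def hash_password(password: str, salt: Optional[bytes] = None,
                  iterations: int = PBKDF2_ITERATIONS) -> str:
    """Return 'pbkdf2_sha256$<iterations>$<salt hex>$<hash hex>'. The salt is stored
    next to the hash in the clear; it is not a secret, its job is uniqueness."""
    if salt is None:
        salt = os.urandom(16)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return f"pbkdf2_sha256${iterations}${salt.hex()}${dk.hex()}"


def verify_password(password: str, record: str) -> bool:
    """Check a candidate password against either record format, using a
    constant-time comparison so the check itself does not leak timing."""
    parts = record.split("$")
    if parts[0] == "sha1" and len(parts) == 2:
        candidate = hashlib.sha1(password.encode("utf-8")).hexdigest()
        return hmac.compare_digest(candidate, parts[1])
    if parts[0] == "pbkdf2_sha256" and len(parts) == 4:
        _, iterations, salt_hex, hash_hex = parts
        dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                                 bytes.fromhex(salt_hex), int(iterations))
        return hmac.compare_digest(dk.hex(), hash_hex)
    return False  # unknown or malformed record: never accept


def duplicate_hash_count(records) -> int:
    """How many distinct stored values are shared by more than one user. With
    unsalted hashing, everyone who picked the same password shares one hash, so
    one reversal unlocks all of them; with per-user salts the count is zero."""
    return sum(1 for n in Counter(records).values() if n > 1)


def compare_schemes(users: Dict[str, str] = SAMPLE_USERS) -> Dict[str, int]:
    """Hash the same toy table both ways and count shared stored values."""
    weak = [legacy_sha1_record(p) for p in users.values()]
    strong = [hash_password(p) for p in users.values()]
    return {"unsalted_duplicates": duplicate_hash_count(weak),
            "salted_duplicates": duplicate_hash_count(strong)}


def login_and_upgrade(table: Dict[str, str], username: str, password: str) -> bool:
    """Verify a login and, if the stored record is still in the legacy sha1 format,
    rewrite it in the salted format. This is the rollout pattern the article
    describes for Yahoo!: a record is only upgraded when its owner logs in, so
    accounts that never log in (for example because users were never told to
    change passwords) stay in the weak format until the operator forces a reset."""
    record = table.get(username)
    if record is None or not verify_password(password, record):
        return False
    if record.startswith("sha1$"):
        table[username] = hash_password(password)
    return True


def remaining_legacy(table: Dict[str, str]) -> int:
    """Count records still in the legacy format; a metric worth tracking during
    a migration, since it shows how many accounts the upgrade has not reached."""
    return sum(1 for r in table.values() if r.startswith("sha1$"))
```

Running `compare_schemes()` on the toy table reports one shared value under the unsalted scheme (alice and bob) and none under the salted one. The `remaining_legacy` count is the number a defender should watch after a migration like Yahoo!'s: every record it counts is still exposed exactly as it was before the new scheme was introduced, and only a forced reset, not time, brings it to zero.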