The password attacks of 2023: Lessons learned and next steps – Source: www.bleepingcomputer.com

It should take more than eight characters to bring a business to a halt. However, the relentless onslaught of password-based cyber attacks underscores the alarming ease with which cybercriminals can exploit vulnerable credentials to inflict damage.

Password attacks take many forms: from phishing schemes that dupe employees into handing over their login information, to underground markets where bad actors can sell or purchase stolen credentials.

Either way, having a valid password allows bad actors to do everything from stealing data to taking over critical business systems.

In fact, nearly half (49%) of incidents cited in Verizon’s 2023 Data Breach Investigations Report involved compromised passwords.

Recent examples of password-related cyberattacks

The password attacks of 2023 involved the following high-profile brands:

23andMe

Best known for its genetic testing and ancestry services, 23andMe disclosed that a hacker was offering to sell names, location, and other data that could cover half of its 14 million users.

This incident was attributed to credential stuffing, where guessing login credentials or using credentials stolen from other sources are used to gain unauthorized access.

Norton

It may be known as a provider of antivirus protection, but the vendor found its own security compromised following the discovery of a credential stuffing attack. The incident involved the company’s own Norton Lifelock Password Manager. Norton said the incident involved close to a million customers, of whom 6,500 had data compromised.

Freecycle

In late August, the online charity that helps divert reusable goods from landfills sent out an urgent request asking members to change their passwords.

In an online form, a hacker claimed the breach included up to seven million accounts, with details such as user IDs, e-mails and hashed passwords.

The organization said the attack may have begun years ago when a server was exposed, adding that changing credentials was particularly important if members are using the same ones for other services.

How to recover when password security gets compromised

While the exact steps of a security incident response will vary somewhat depending on the extent of a breach, some of the best practices to minimize the damage include:

1. Issuing a ‘Reset All Passwords’ directive

Blocking access to cybercriminals will prevent further repercussions from the initial breach. This means sending clear communication to all employees and customers to immediately change their passwords. Businesses can simplify this process for their employees through a self-service password reset tool to minimize calls to the helpdesk.

2. Having an incident response team

If you haven’t already walked through the steps to handling a cybersecurity incident, you’ll need to bring the appropriate stakeholders together to develop an action plan. This usually includes the IT department, legal counsel, and even marketing communications teams who’ll inform affected parties. You may also need to bring on third-party help to conduct digital forensics to understand the full scope of the attack’s impact.

3. Notifying those whose personal information has been compromised

Effective data breach disclosure needs to be comprehensive and clear, with next-best steps included. Make sure you’ve compiled answers to the most anticipated questions and provide simple mechanisms where people can contact you for more details. Advise on any recommendations to safeguard information, such as the password reset directive described above.

Password best practices in 2024

Defending your business against password attacks isn’t a matter of reinventing the wheel. Many businesses simply need to apply some of the standard protective measures.

This starts with education. Employees should be regularly trained in password security and informed about the dangers of using the same passwords across multiple services.

Given that cybercriminals may be buying or selling lists of previously compromised credentials, businesses should also build routine monitoring to ensure they’re not at risk.

Tools like Specops Password Policy, which continuously scans your Active Directory for compromised passwords, allows businesses to move from reactive to proactive password security.

Passwords provide a key to some of the most valuable information and systems in the world. With the right technologies and procedures, businesses can improve their ability to ensure those keys don’t fall into the wrong hands.

Sponsored and written by Specops Software.