The Concerning Case of the Underestimated MegaBreaches
A concerning pattern has developed over the past few months involving a slow drip of large breaches, mostly involving stolen customer credentials. What makes these breaches concerning? The breaches didn’t happen last week, or last month, they mostly occurred more than four years ago—all the way back in 2012.
The late disclosures started in May 2016, with an announcement that a staggering 117 million LinkedIn email addresses and passwords were put up for sale on the dark web. Even Mark Zuckerberg got caught up in the blowback when it was discovered his LinkedIn credentials were included in the breach, and used to hack his Twitter and Pinterest accounts.
The interesting part is that LinkedIn announced this breach in 2012, but at the time, they believed the breach was much smaller and reset the passwords of only 6.5 million users. It wasn’t until much later that LinkedIn discovered many more accounts were affected. We now know the breach was colossal—18 times bigger than originally suspected.
The story doesn’t end with LinkedIn.
Dropbox seems to have undergone a similar experience. In 2012, they announced that “Usernames and passwords that had been stolen from other websites” were used to sign into a small number of Dropbox accounts.” Emphasis on the “small.”
A few weeks ago, it was made public that the Dropbox breach was much larger than originally thought. The credentials of more than 68 million users were leaked raising concern that the firm’s initial belief that the passwords were stolen from other websites maybe have been off the mark.
A TechRepublic article on the breach notes “Dropbox acknowledged the breach at the time it occurred, but it didn’t disclose the full extent of the hack. The language used by then-VP of engineering, Aditya Agarwal, also seemed to point to the idea that Dropbox believed only emails were stolen in the attack.”
More recently, Rambler.ru, a search engine giant in Russia experienced a breach that resulted in the release of 98 million user accounts, including, “…stored passwords in unencrypted plaintext.” And the kicker? You guessed it; the hack took place in 2012.
- Music streaming service last.fm asked users back in 2012 to reset their passwords, though again the full extent of the breach was not published. And now we’ve learned again the breach was larger than originally disclosed, and that 43 million last.fm user records were stolen.
- In a similar fashion, a breach of QIP.ru that appears to have taken place in 2011 was disclosed last week that included the details of 33.4 million accounts, in which all passwords were stored in plaintext. Softpedia notes, “[The] hacker is the same source of the recent Last.fm and Rambler.ru breaches.”
It’s clear that companies who disclosed breaches a few years back weren’t always aware of the full extent of the damage at the time.
The scary part is that these incidents are likely just the tip of the iceberg. Other high-profile reported hacks in 2012 include Yahoo, Nationwide Insurance, Zappos and the South Carolina Department of Revenue.
How many other breaches were underestimated or underreported? We may never know. But what is certain is that there are credentials of hundreds of millions of users out there whose usernames and passwords have been compromised. What’s more, with peoples’ preference for reusing passwords, sometimes their organization credentials at that, breaches represent a real and immediate risk for large organizations around the globe.
Every CISO and CIO should take note. The fact that we haven’t seen many mega breaches as of late doesn’t mean companies aren’t getting hacked. Some may attribute the decline in this year’s mega-breaches to a decrease in hacking itself. Though it’s more likely that hackers are simply getting better in covering their tracks. As we can see with the breaches mentioned above, its likely we will only become aware of the full extent of such breaches over the next few years.
Remember Cisco CEO John Chambers’ famous quote, “There are two types of companies, those that have been hacked, and those who don’t know they’ve been hacked.”
Whether you’ve already been hacked, or just aren’t aware of it yet, you need to be proactive in protecting your customers and your organization, which means protecting your data and applications. Don’t let yourself end up like LinkedIn or Dropbox by focusing on damage control and reactive measures. The time has come to be proactive.