
Over 20 million passwords stolen – companies need to take action
A few days ago another huge set of stolen user data was published on the Internet. Over 773 million e-mail addresses and over 21 million passwords are said to have been published in plain text, opening the way to the sensitive data behind those accounts.
And incidents like this happen more and more often: login data is stolen and then published or traded on the Darknet, for private accounts as well as company accounts. Since companies cannot fully ensure that their employees choose secure and unique passwords, they should use technologies that monitor credentials and detect abuse and the resulting risks in a timely manner. Users often notice far too late that their accounts have been hacked and that sensitive data has become freely accessible as a result. We’ll tell you how you can protect your company.
The most recent incident: Collection #1
To find out whether your user data is affected, you can visit https://haveibeenpwned.com/, run by Troy Hunt, IT security expert and Microsoft Regional Director in Australia. If an address was already affected by an earlier data theft, that is reported as well.
Affected users should definitely reset their password and choose a new, secure one. Otherwise, outsiders may gain access to the affected accounts, misuse the sensitive data they contain and lock the legitimate user out.
Password assignment: Balancing comfort and safety
The usual recommendations for passwords are:
- At least eight characters
- A combination of lower-case and upper-case letters, numbers and special characters
- Individual passwords for each portal
- Regular password updates
Taken together, this seems practically impossible: who can really remember that many complex passwords? But there are several approaches that help users:
- A password scheme can help to remember many different passwords: users pick a base password and supplement it with a component that relates to the respective portal.
- Multifactor authentication significantly increases account security by requiring a password and another factor for access: for example, a code sent by SMS or a biometric feature.
- Alternatively, users can use a reputable password manager such as 1Password or KeePass, which stores all passwords and can even generate secure, complex ones. The user then only has to remember a single password: the master password for the password manager. That one, however, should be very, very strong!
What can companies do to protect their employees’ accounts and sensitive data?
SpyCloud compares employee credentials with user data circulated and traded on the Web and the Darknet. It draws on known public reports as well as private and covert sources, automated scanners and human intelligence.
As soon as SpyCloud detects a match between login data and stolen data, a password reset is performed on the affected account, and on every other account that uses the same credentials. The user and IT are informed of the incident immediately, and the user is asked to set a new, secure password. The new password is compared with the password history so that previously used credentials cannot be reused, not even in a slightly varied form. This way, sensitive company data and users are reliably protected, and potentially severe financial and reputational damage is averted.
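The matching and reset workflow described above, as an added example that is not SpyCloud's or EBF's code: leaked records are matched against employee accounts by password hash, every account reusing the same credentials is flagged for reset, and the replacement password is checked against the leak (using the prefix-only lookup the haveibeenpwned range API is built on) and against the password history so that a merely varied old password is rejected. The sample leak and accounts are constructed; the SHA-1 keying, the similarity threshold and all function names are assumptions.

```python
import difflib
import hashlib

def sha1_hex(password):
    # SHA-1 only as a lookup key (how the Pwned Passwords set is keyed); not for storing passwords
    return hashlib.sha1(password.encode("utf-8")).hexdigest().upper()

def build_range_index(leaked_passwords):
    """Key leaked hashes by their first five hex characters, as the haveibeenpwned
    range API does (k-anonymity): the client sends only the prefix, never the full hash."""
    index = {}
    for pw in leaked_passwords:
        digest = sha1_hex(pw)
        index.setdefault(digest[:5], set()).add(digest[5:])
    return index

def is_leaked(password, index):
    digest = sha1_hex(password)
    return digest[5:] in index.get(digest[:5], set())

def accounts_to_reset(accounts, leaked_records):
    """accounts: {account_id: (email, sha1_hex of password)};
    leaked_records: (email, plaintext) pairs from a dump. Flags the matching
    account and every other account reusing the same email/hash pair."""
    leaked_pairs = {(email.lower(), sha1_hex(pw)) for email, pw in leaked_records}
    return sorted(acc for acc, (email, h) in accounts.items()
                  if (email.lower(), h) in leaked_pairs)

def too_similar(new_password, history, threshold=0.8):
    """Reject a password that only varies an old one (e.g. a bumped year).
    Works only on passwords available in clear at reset time, such as the
    current one the user types in; stored hashes cannot be compared this way."""
    return any(difflib.SequenceMatcher(None, old.lower(), new_password.lower())
               .ratio() >= threshold for old in history)

def validate_new_password(new_password, history, index):
    """Return the reason the new password is rejected, or None if accepted."""
    if is_leaked(new_password, index):
        return "appears in leaked data"
    if too_similar(new_password, history):
        return "too similar to a previous password"
    return None

LEAK = [("alice@example.com", "Summer2019!"), ("bob@example.com", "qwerty")]  # constructed, not a real dump
ACCOUNTS = {
    "vpn/alice": ("alice@example.com", sha1_hex("Summer2019!")),
    "mail/alice": ("Alice@Example.com", sha1_hex("Summer2019!")),  # same credentials reused
    "vpn/carol": ("carol@example.com", sha1_hex("correct horse battery")),
}
LEAK_INDEX = build_range_index(pw for _, pw in LEAK)
```

Both of alice's accounts are flagged because they share the leaked email/hash pair, and "Summer2020!" is rejected as a variation of the old password even though it is not itself in the leak.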
Free webinar from TechData and EBF
Want to learn more about SpyCloud? In our free webinar, you will learn how to effectively protect your credentials and those of your employees.