IT Security Alert: Drop Everything and Take Action Now
Last week, several news sites that focus on IT Security reported that data dumps have been found on the Dark Net with over 3 billion user account credentials. Some are calling it “COMB” which stands for Compilation of Many Breaches. It is believed that this large number of breached account credentials was not the result of any single breach, but is the result of many breaches which were likely carried out in coordination.
What is a Dark Net Data Dump?
But first, what is a “data dump” and what is a “dark net”? The Dark Net is an encrypted network that was designed to provide the highest levels of security and anonymity. Obviously, an entire Internet where one’s actions cannot be easily traced is going to attract criminal activity. While there is a lot of criminal activity, it is important to point out that “Dark Net” does not equal “Criminal Activity”, as there are valid uses for that network aside from crimes.
That said, if one is curious and can connect to and find things on the Dark Net, one will find everything from illegal firearms, drugs, human trafficking, and even murderers for hire. A big part of the black markets that exist on the Dark Net is to deal in stolen payment cards, gift cards, etc. and to sell breached user accounts.
So 3 Billion User Account Credentials Were Sold to Criminals?
That is exactly what I am writing about here. There is about a 50% chance that your credentials are among these 3 billion breached accounts that were sold on the Dark Net beginning around Feb 2, 2021.
What that means to you, is that there is a very good chance that your Google, Apple, etc. credentials are among the 3 billion sold, and if that is the case then you will wake up one day and find your entire identity has been stolen, your bank accounts emptied, and even a second mortgage has been taken out on your home — of course you don’t get the cash, because that went to the criminals. Or, you could find that your 2020 tax return you are expecting is deposited into someone else’s account.
I Really Don’t Know How I can Make It Any Clearer
Bad things will happen if your account credentials are among those sold. I can confirm that Google accounts are among those breached and sold. If you use a mobile device, your Google or Apple account is one that needs to be heavily protected. The reason is, you trust your mobile device to log into your online banking, etc. If they can breach your account, they can breach your device. Also, if you use services like Google drive, gmail, Google Pay, etc. then your Google account is one you should protect as if your life depends on it.
Because. It. Does.
What Can I Do?
The good news is, there is a window of time between when an account breach happens, the accounts are sold, and between when the individuals get hit with the impact. If you secure your critical accounts now, that will prevent the very likely later outcome when you are hit.
Secure your Google, Apple, and Primary Email Account First
For reasons already mentioned, you should make it a priority to secure your Google/Apple accounts with a new strong password. In addition, you need to urgently secure the email account(s) which you used as the “password recovery email”. The reason is, if the criminals get into that email account then they can do the “Forgot Password” button on all the sites and get into everything. Of course, they would make it a priority to secure that account for them, by choosing a password that you don’t know.
Once that happens, you would have missed the window of opportunity to prevent impact. Once you get to this juncture, where you are locked out of your primary email account, in order to get back into that email account you will have to go through a process of proving your identity to the email service. This is not going to be quick, painless, and as the clock continues to tick you will continue to be breached in all your other accounts and there is nothing you can do to stop it.
Next, secure your Online Banking account followed by any and all accounts which have saved payment card and/or are linked to your bank account (like PayPal)
Obviously, the next step is to secure accounts where you have payment cards saved or you have given your bank account number. Yes, this is goin to take most people a lot of time, but is necessary.
You might feel that your bank has your back and you won’t be responsible for unauthorized payment card charges. While this is true, as it is an actual federally regulated thing, again it isn’t going to be quick or painless.
By the way, don’t let your bank fool you into thinking their high security is done for your benefit. It is done for theirs.
Don’t Forget About Social Media Sites
Even though Facebook doesn’t likely have your payment card stored, you still don’t want that account breached because it will cause your friends to be targeted by scammers and generally make you look bad. It damages your reputation and credibility.
Obviously, LinkedIn shouldn’t be overlooked sine that will damage your professional image.
That really is the bottom line — make sure you secure accounts everywhere that can cause you financial damage or personal/professional damage.
Please: Use Strong Passwords and a Unique Password For Each Site
If you embark upon this exercise and simply change your password all over the place to be a new SAME password across all of those sites, you would be setting yourself up for severe risk and impact if ever again any of your accounts are breached.
The only way to mitigate the risk is to actually use unique passwords at each site. Now you are going to say “but how can I possibly remember all those passwords”?
Which leads to the next point…..
In 2021 You really Need To Be Using a Password Manager
If you are not using a password manager, then you are breaking one or more of the generally accepted best practices for personal IT security:
- Don’t use the same password across many sites
- Don’t choose a password that is easy to remember
- Choose password that is at least X characters long, and I think these days X is up to 10? But the longer the better
You can’t possibly do that without a password manager, and it is absolutely OK to use a password manager like Google Password, Firefox, LastPass, etc.
That said, your password manager also becomes something you guard as if your life depends on it. Because if someone can break into your password manager, they then can break into all those accounts — despite that they ALL had proper, unique, long, complex passwords. If your password manager is breached, you are breached.
Ideally, your password manager should not save your passwords to their cloud. But that means you can’t use your password manager across multiple devices, etc. In reality, that would mean it is not feasible for most people because of the inconvenience.
Security is always balancing the competing demands of security and convenience. If the inconvenience of not having passwords synced across devices is not unacceptable to you, then you can enjoy a higher security posture.
In 2021 You Should Be Using Multifactor Authentication (2FA)
As you embark upon this exercise to secure yourself, you should also investigate if each site/service offers two factor authentication (2FA). I would bet the majority of the sites, and the ones that can do you most harm if breached, offer two-factor authentication.
What is 2FA? A set of credentials which comprise of a username and password are just a piece of information that one must have in order to log in. Obviously, that information can be breached and then people you don’t want authorizing your accounts can do so. That is single factor atthentication.
2FA adds another factor, or layer, to login security. The second factor is “something you have” along with “something you know”. So there are two factors in the authentication scheme. The good old login and password, plus something physical, like a secureId Fob.
Remember RSA Fobs?
You may recall, and may have even used, RSA ID fobs. They are rarely used today because the RSA algorithm got solved and rendered them ineffective to a certain degree. It would make sense to just make new hardware with newer, stronger encryption. But the reality is, given enough time, that will also get solved.
So these days, the authentication key is in software, and lives on your mobile device. This is where “Authenticator” apps like Google Authenticator come into play.
Effectively, you have to have your phone on you to log in…. but who doesn’t?
Security and Convenience Are Always Competing
Well, again we have to talk about security vs convenience. Having to use two factors of authentication EVERY time you login to a site is cumbersome. Thus, most sites have a “authorize this device” option. That reduces the effective security, so if you can tolerate the inconvenience then just don’t enable that and continue with a higher security option.
But, if you take the convenient route (I do too) you just have to realize that when you click that box you are “trusting” that device. In doing so, you should make sure that device is under only your control — not a public library or Internet cafe PC. Because if that device is not under your sole control, and someone can breach that device, then they breach your account through that device.
What about Email/Text 2FA?
Yes, some sites do not use an authenticator app and instead use your email or phone number to send a text with a code that you need to login. This is more convenient than using an authenticator app, and if you’ve read this far you already realize that improved convenience means less secure.
But Authenticator Apps Can Be Hacked, Right?
Yes. It is technically possible to hack someone’s 2FA app, but doing so is not easy and requires either that the device be breached in some way. Mobile devices can be breached through bluetooth, or wifi, or by installing malware apps. Which leads to a point that really needs to be included:
Malicious Apps Do End Up in Gogle/Apple/Amazon Stores
These vendors take great measures to detect apps that are malicious, but it can never be 100% fool proof. So one really must:
- Only install apps that are truly needed
- From actual stores like Google/Apple/Amazon/Microsoft
- Published by developers with a very positive reputation
I can’t say what the next set of winning lottery numbers will be, but I can say with reasonable certainty that if you install an app that has to be “side loaded” in order to open something someone sent you in a text message, when you weren’t expecting a text message from that person and have no personal and business dealings going on with that person….. yeah, that is probably something you want to definately not do.
So, 3 Billion People?
Yeah, putting it into perspective, there are about 4 billion people in the world with Internet, so that is about 75% of the population. Given that, if anyone feels that I am being an “alarmist” here and wasting time, please…
But I Have Outstanding Security Practices So I Don’t Have To Worry!
Yes, you do. If you already do all the things this blog is talking about, then that means you greatly minimize the chance that you will be breached because of you.
But you have absolutley no control over whether sites/services that you use get breached.
In other words, you can do everything right but still have your account(s) appear on the Dark Net for sale because some site(s) were breached on their end.
And that is exactly what this breach in Feb 2021 is — a breach across many service providers to scrape account credentials of users that have done nothing on their end to bring about their own account being breached.
I’ve Said Many times: There is Trust and Risk Involved For Every Service You Use
When you decide to carry out your personal or professional business on a service, you are extending trust in that service that it will be secured. You are trusting they have appropriate security in place, that they have security monitoring, intrusion detections, that their site/app is designed for modern security, etc.
You are trusting that they will screen and monitor the behaviors of their employees and contractors. You trust they won’t inadvertently employ a hacker or a spy of a foreign state.
What About Supply Chain Hacks? SolarWinds?
If you pay attention to security news, breaches, and whatnot, you heard about the SolarWinds breach a few months back which happened starting in the summer. This was a big deal because a huge IT vendor (SolarWinds) who sells infrastructure tools to enterprise clients like Google, Microsoft, Oracle, etc. and hackers were able to modify the source code to that product and embed malicious code.
That code then got propagated to 18,000 businesses that are clients of that product, and that code then went out and further embedded itself into these highly secured internal networks.
February Data Breach… a Product of the SolarWinds Breach?
It is my personal opinion that the true origin of this Feb 2021 “COMB” breach is rooted in the SolarWinds hack…. and that is how my own Google account ended up in that list of 3 billion breached accounts sold on the Dark Net for $2.
I can’t say because I am not a security researcher who gets paid to work with the government and big tech and is in the loop on day zero attacks, etc. But my gut is telling me that my Google account was among this breach because Google is a SolarWinds customer and that is how their very secure network got breached.
The Mind Blowing Scale and Scope of the SolarWinds Hack
To put the scale and scope of the SolarWinds breach into perspective, security experts have ascertained that over 1,000 developers were involved in coding the malicious code that got embedded into that product.
That is more developers than even Google employs. Well, perhaps not, but it is close — and Google does not have 1,000 developers working on just one thing.
This is why the security threat scape is very bleak and only getting bleaker. Because there is nothing that can’t be achieved when you have 1,000 developers on it.
What Does All of This Mean to the Small Business Owner?
And I would be remis if I didn’t mention that small businesses are targeted more than big corporations are because small businesses are easier targets.
Small businesses must manage the risk inherent in the technologies they use, fend off attacks from cyber criminals, and also the risks inherent in the third party services and tolls they use, as well as their entire supply chain.
Author: Thomas Carlisle
Published: February 18, 2012
Thomas is owner, proprietor, and chief consultant of Carlisle Technology Solutions. Thomas has over 35 years of experience in professional Information Technology solutions, possesses a strong entrepreneurial spirit, and has a skillset that spans all of IT.
Thomas has worked for, or consulted to, hundreds of Fortune 500 customers across financial services, pharmaceuticals, media, manufacturing, retail, automotive, defense, legal, accounting, and medical. Thomas has launched Carlisle Technology Solutions to bring enterprise-grade, cutting edge technology solutions to the small business owner.
Thomas lives in the United States with his wife and two children.
