Top 10 Password Data Breaches Evoke Urgency For Stronger Credentials
12:00 PM EST Mon. Jul. 08, 2013
Just last week, videogame maker Ubisoft reset millions of account holders' passwords after attackers gained access to its online network. An unpredictable fluke? Not really. The 2013 Verizon Data Breach Investigations Report found one glaring commonality among the hundreds of data breaches it examined: financially motivated cybercriminals, hacktivists and state-sponsored attackers out to steal corporate data all sought, and used, stolen account credentials to reach the systems holding sensitive information. In most of those cases there was no need to exploit a software vulnerability or mount a multi-stage, sophisticated attack. The attackers simply logged in with stolen credentials, posing as valid users so that the security controls in place were never triggered. The following massive password breaches highlight the need for stronger passwords, password management tools and two-factor authentication.
The PlayStation Network outage impacted 77 million account holders. The network was taken offline for more than three weeks while investigators attempted to contain a serious data security breach. Account holders on the PlayStation Network and Qriocity services had their usernames, passwords, and home and email addresses compromised. The Sony breach also impacted 12.3 million credit card holders. Credit card data was encrypted, but Sony said passwords were hashed rather than encrypted. Hashing is the correct way to store passwords, but how much protection it gives depends entirely on the algorithm: a fast, general-purpose hash applied without a per-user salt lets automated password crackers test billions of guesses per second against the stolen hashes offline, and a single precomputed table recovers every account whose owner chose a common password. The attack is believed to have been carried out by attackers claiming to be members of the hacktivist group Anonymous.
An attacker made off with nearly 6.5 million LinkedIn password hashes in a breach that was announced last year. The stolen hashes, unsalted SHA-1 values, were posted to a Russian hacking forum where the attackers sought help in cracking them. Within days, more than half had been cracked. Because victims often reuse the same password across accounts, the breach impacted other online services including Facebook, eHarmony and the radio streaming site Last.fm, some of which were forced to reset the affected victims' accounts. The cybercriminals reportedly used a SQL injection attack to gain access to the LinkedIn back-end servers containing the password data.
E-commerce startup LivingSocial was forced to reset the passwords of all 50 million of its users following a massive data security breach announced in April. The cybercriminals also accessed the names, email addresses and dates of birth of its users. The exposed passwords were hashed and salted at the time of the breach, the company said. Salting stops an attacker from reusing one precomputed table across every account, but it does not make each individual guess any slower; with a fast hash algorithm, modern GPU-based cracking tools still recover weak and common passwords quickly, as security experts pointed out at the time.
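Three of the breaches above turn on the same question, how the stored password material was protected: Sony's hashed-but-not-encrypted passwords, LinkedIn's unsalted hashes cracked within days, and LivingSocial's salted hashes that experts still considered crackable. The Python below is an added example, not code from this article or from any of the companies named. It uses constructed sample accounts and a constructed ten-entry wordlist (real crackers use tens of millions of entries plus mangling rules) to show why an unsalted fast hash falls to a single precomputed table, why a per-user salt forces per-account work but does not by itself slow the attacker down, and what a deliberately slow password hash (PBKDF2, from the standard library) changes.

```python
"""Why 'hashed' is not the same as 'safe': unsalted fast hash vs salted
fast hash vs a slow, salted password hash (PBKDF2).
Added example; every account and wordlist entry below is constructed."""
import hashlib
import os
import time

# Constructed sample accounts. Two users share a password on purpose.
USERS = {
    "alice": "password1",
    "bob": "linkedin2012",
    "carol": "qwerty123",
    "dave": "correct horse battery staple",  # not in any small wordlist
    "erin": "password1",
}

# Constructed mini wordlist; the mechanics are the same at any size.
WORDLIST = ["123456", "password", "password1", "qwerty123", "letmein",
            "linkedin", "linkedin2012", "iloveyou", "sunshine", "monkey"]

PBKDF2_ITERATIONS = 20_000  # kept low so the demo finishes in about a second


def sha1_unsalted(password):
    # Fast hash, no salt: identical passwords give identical hashes.
    return hashlib.sha1(password.encode()).hexdigest()


def sha1_salted(password, salt):
    # Per-user random salt: defeats precomputed tables, but each guess is
    # still one cheap SHA-1 computation.
    return hashlib.sha1(salt + password.encode()).hexdigest()


def pbkdf2(password, salt):
    # Purpose-built password hash: salted and deliberately slow.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt,
                               PBKDF2_ITERATIONS).hex()


def make_salted_db(hash_fn):
    # Simulates a stolen table of (salt, hash) pairs, one fresh salt per user.
    db = {}
    for user, password in USERS.items():
        salt = os.urandom(16)
        db[user] = (salt, hash_fn(password, salt))
    return db


# The three "stolen databases" an attacker might walk away with.
UNSALTED_DB = {u: sha1_unsalted(p) for u, p in USERS.items()}
SALTED_DB = make_salted_db(sha1_salted)
PBKDF2_DB = make_salted_db(pbkdf2)


def duplicate_passwords(unsalted_db):
    """Without salts the attacker learns who shares a password before
    cracking a single hash."""
    seen = {}
    for user, h in unsalted_db.items():
        seen.setdefault(h, []).append(user)
    return [sorted(users) for users in seen.values() if len(users) > 1]


def crack_unsalted(stolen, wordlist):
    """Hash the wordlist once, then look every stolen hash up in the table.
    Cost is proportional to the wordlist, not to the number of users."""
    table = {sha1_unsalted(w): w for w in wordlist}
    return {user: table[h] for user, h in stolen.items() if h in table}


def crack_salted(stolen, wordlist, hash_fn):
    """With salts every guess must be re-hashed per user, so cost is
    users x wordlist x (cost of one hash). That last factor is the only
    one the defender controls."""
    cracked = {}
    for user, (salt, h) in stolen.items():
        for w in wordlist:
            if hash_fn(w, salt) == h:
                cracked[user] = w
                break
    return cracked


def slowdown_factor():
    """How much longer the same dictionary attack takes against PBKDF2
    than against salted SHA-1 on this machine."""
    t0 = time.perf_counter()
    crack_salted(SALTED_DB, WORDLIST, sha1_salted)
    t_sha1 = time.perf_counter() - t0
    t0 = time.perf_counter()
    crack_salted(PBKDF2_DB, WORDLIST, pbkdf2)
    t_pbkdf2 = time.perf_counter() - t0
    return t_pbkdf2 / max(t_sha1, 1e-9)


if __name__ == "__main__":
    print("duplicates visible without cracking:", duplicate_passwords(UNSALTED_DB))
    print("unsalted SHA-1 cracked:", crack_unsalted(UNSALTED_DB, WORDLIST))
    print("salted SHA-1 cracked:  ", crack_salted(SALTED_DB, WORDLIST, sha1_salted))
    print("PBKDF2 cracked:        ", crack_salted(PBKDF2_DB, WORDLIST, pbkdf2))
    print(f"PBKDF2 slowed the same attack by roughly {slowdown_factor():,.0f}x")
```

All three databases give up the same four weak passwords, which is the point: salting and slow hashing do not rescue "password1". What they change is the attacker's bill. The unsalted table is cracked with ten hash computations total and leaks which users share a password before any cracking starts; the salted SHA-1 table costs one cheap hash per guess per user; PBKDF2 multiplies that per-guess cost by the iteration count (20,000 here, and production deployments use far more, or bcrypt/scrypt/Argon2). Only the long passphrase survives every variant, which is why the article's prescription of stronger passwords and password managers stands regardless of what the server does.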
Redwood City, Calif.-based cloud storage service Evernote urged its 50 million users to reset their passwords following a data security breach it announced in March. Evernote called its password encryption implementation "robust." The company pushed out a software update to users, automatically prompting them to change their account password.
Care2, a social network that promotes a variety of public causes, reset the accounts of millions of users following a massive data security breach of its systems announced in late 2011. The passwords were stored unencrypted, so whoever took the database could read them directly. The IP address used in the attack was located in Russia, according to the company. Care2 said it immediately closed the hole the hackers had found and temporarily blocked access to account logins.
Popular online shoe retailer Zappos announced a data security breach last year that impacted more than 24 million users. In addition to hashed passwords, the breach exposed billing information, email addresses, phone numbers and the last four digits of account holders' credit card numbers, the company said. The attacker gained access to the Zappos internal network and computer systems through a server in Kentucky, Zappos said.
Online job hunting website Monster.com suffered separate data security breaches in 2007 and 2009 that impacted millions of users. At least one of the two Monster breaches included exposed account credentials. Both breaches involved leaked resume information and sensitive account data, including names, phone numbers and email addresses. The breach also impacted one of Monster.com's partners, the government employment website USAJobs.com.
Online publisher Gawker Media, which runs Gawker, Gizmodo and a number of other popular websites, suffered a data security breach in 2010 that exposed the account credentials of 1.3 million users of its commenting system. The company described the passwords as encrypted as well as hashed and salted; in practice they had been processed with the legacy DES-based crypt() scheme, which truncates passwords to eight characters, and large numbers of them were cracked within days of the dump being published. The company said the attack also exposed the source code of its blogging platform and IM chat logs between employees. The attack was believed to be carried out by Gnosis, a hacktivist group loosely tied to Anonymous.
Formspring, which specializes in providing a platform to answer user-submitted questions, had to answer questions of its own about how hundreds of thousands of its password hashes ended up on a hacker forum. The company reset the passwords of all 28 million of its users following the exposure and admitted that the attackers had gained access to some user accounts. The attackers broke into one of the company's development servers and used that foothold to pull the data from a production database, the company said.
South Korean software maker ESTsoft announced a data security breach in 2011 that exposed the account credentials of millions of users. Hackers reportedly planted malware on one of its update servers, exposing the personal information of 35 million users. The breach impacted every site that used the firm's Web applications. The data included names, birth dates, user IDs and hashed passwords. The company develops a wide range of applications, including antivirus software.