By Robert McMillan
In the past few months, hackers have taken over the social-media
accounts of Facebook Inc. Chief Executive Mark Zuckerberg, Google
CEO Sundar Pichai and Twitter Inc.'s CEO, Jack Dorsey.
Behind the scenes, security teams at every major technology
company -- and many smaller firms, too -- are scrambling to protect
others from the same fate.
Some of the executives apparently reused passwords that had been
stolen in earlier hacks of LinkedIn, Myspace and other sites; others
may have been caught by software that takes a person's old, leaked
password and tries predictable variations of it to guess the new one.
Nearly two billion old passwords can be viewed for as little as
$2 at a database called LeakedSource, run by anonymous operators.
Investigators estimate that up to 8% of the leaked LinkedIn
usernames and passwords will also work on other services, giving
hackers a way to take over accounts elsewhere. LinkedIn, meanwhile, reset
its own users' passwords and fixed a security hole that had allowed
data to be stolen in 2012. The company is in the process of being
acquired by Microsoft Corp., a $26.2 billion deal that is expected
to close by year's end.
Hacking creates a dilemma for operators of other popular
consumer web services. They can require all users to change their
passwords, and risk losing some users. If they don't force password
changes, users' accounts could be hacked.
"If they change passwords for their users, no matter how well
they explain it, the perception may be completely off," said Alex
Holden, the founder and chief information security officer of Hold
Security LLC, which helps companies spot stolen credentials on
hacking sites. "If even 0.1% of these users panic and they have to
call customer service in one day, it creates a nightmare."
Carbonite Inc., which offers online backup services, chose to
reset passwords for each of its 1.5 million users. The company also
analyzed the hacked data and required customers whose credentials
appeared in the database to confirm their identities in order to
access their accounts.
Carbonite moved decisively because of the serious consequences
of a compromise, said Norman Guadagno, Carbonite's senior vice
president of marketing. "When you have a Carbonite account -- or
any backup service -- and you have the username or password to that
account, you have access to everything," he said.
Twitter, Facebook, Yahoo Inc. and others chose a different
course. Instead of resetting all passwords, they analyzed the
stolen credentials and then urged or forced affected users to reset
their passwords.
Over the past few years, companies such as Yahoo have put in place
data-analysis and customer-warning systems that let them
methodically process these huge volumes of leaked credentials and
protect customers who reuse their passwords against this kind of
disclosure. Last week, Yahoo's security team responded to a report
that 200 million of the company's user names and passwords were up
for sale in hacker forums. A Yahoo spokesman said the company was
aware of the claim and "working to determine the facts."
The identity intelligence company InfoArmor Inc. examined the
database in question last week and believes that it isn't a
brand-new database of Yahoo passwords. "It's just a mix of
third-party data dumps," said Andrew Komarov, InfoArmor's chief
intelligence officer.
Combing through the data is time-consuming. Yahoo has one
billion users. Its security team began examining the LinkedIn
database on May 18. Some of the passwords in the dump were present
only as hashes, not as plaintext. Yahoo staffers had to crack those
hashes to recover the passwords and then check each one against
Yahoo's own user records to find matches. Eight days later, on May 26,
Yahoo emailed notes out to an undisclosed number of affected users,
telling them to reset their passwords.
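The cross-referencing work described above, together with the password-variation guessing mentioned earlier in the article, as an added example that is not Yahoo's, LinkedIn's or any other company's code. It assumes a leaked dump of unsalted SHA-1 hashes (the format of the 2012 LinkedIn data), a small wordlist, and a service that stores its own passwords as salted PBKDF2-HMAC-SHA256 hashes; every account, password and hash in it is constructed for the example.

```python
import hashlib
import hmac
import os
import re

# Constructed third-party dump: (email, unsalted SHA-1 hex), the format of
# the 2012 LinkedIn data. The plaintexts are invented for this example.
def sha1_hex(text):
    return hashlib.sha1(text.encode()).hexdigest()

LEAKED_DUMP = [
    ("alice@example.com", sha1_hex("Sunshine2012")),
    ("bob@example.com", sha1_hex("correct horse")),
    ("carol@example.com", sha1_hex("zx9!Qw_not_in_wordlist")),
]

# A tiny constructed wordlist; real cracking runs use billions of candidates.
WORDLIST = ["password", "letmein", "sunshine2012", "Sunshine2012", "correct horse"]


def crack_unsalted_sha1(dump, wordlist):
    """Return {email: plaintext} for every leaked hash the wordlist recovers.

    Unsalted hashes fall to one lookup table built for the whole dump, which
    is why they are cheap to crack and why this matching step is feasible.
    """
    table = {sha1_hex(word): word for word in wordlist}
    return {email: table[h] for email, h in dump if h in table}


# --- The service's own password store (assumed: salted PBKDF2-HMAC-SHA256).
ITERATIONS = 50_000  # kept low so the example runs quickly; use more in production


def pbkdf2(password, salt):
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)


def make_user(email, password):
    salt = os.urandom(16)
    return {"email": email, "salt": salt, "hash": pbkdf2(password, salt)}


OUR_USERS = {
    u["email"]: u
    for u in [
        make_user("alice@example.com", "Sunshine2012"),     # exact reuse
        make_user("bob@example.com", "correct horse1"),     # reuse with a suffix
        make_user("carol@example.com", "entirelyDifferent!"),
        make_user("dave@example.com", "not-in-the-dump"),
    ]
}


def variants(password):
    """Cheap mangling rules of the kind credential-stuffing tools apply to an
    old password to guess the 'new' one. Yielded in order, exact match first."""
    yield password
    yield password.lower()
    yield password.capitalize()
    yield password.upper()
    for suffix in ("1", "!", "123", "2016"):
        yield password + suffix
    m = re.match(r"^(.*?)(\d+)$", password)
    if m:  # increment a trailing number, e.g. Sunshine2012 -> Sunshine2013
        yield m.group(1) + str(int(m.group(2)) + 1)
    yield password.replace("a", "@").replace("o", "0").replace("e", "3")


def verify(user, candidate):
    """Constant-time comparison against the stored salted hash."""
    return hmac.compare_digest(user["hash"], pbkdf2(candidate, user["salt"]))


def find_affected(our_users, cracked):
    """For each cracked leaked credential, test the plaintext and its common
    variants against our own store. Returns {email: 'exact' | 'variant'} for
    accounts that should be force-reset; no plaintext is written anywhere."""
    affected = {}
    for email, leaked_pw in cracked.items():
        user = our_users.get(email)
        if user is None:
            continue  # leaked account is not one of ours
        for candidate in dict.fromkeys(variants(leaked_pw)):  # dedupe, keep order
            if verify(user, candidate):
                affected[email] = "exact" if candidate == leaked_pw else "variant"
                break
    return affected


if __name__ == "__main__":
    cracked = crack_unsalted_sha1(LEAKED_DUMP, WORDLIST)
    for email, status in find_affected(OUR_USERS, cracked).items():
        print(f"force reset {email}: leaked password reused ({status})")
```

The leaked hashes have to be cracked first because the service's own store uses per-user salts and a different algorithm, so the two hash sets cannot be compared directly; only the recovered plaintext (and its cheap variants) can be run through the service's own verifier. Accounts that match are the ones to force-reset, and, as Carbonite did, to gate behind an identity check before restoring access.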
"There is a huge amount of frantic activity happening in
consumer businesses to keep our users safe," Alex Stamos,
Facebook's chief security officer, told a White House cybersecurity
commission at a hearing in Berkeley, Calif., in June.
One pitfall of this approach: Users may ignore messages to reset
their passwords. Amazon.com Inc. Chief Technology Officer Werner
Vogels lost control of his Bitly Inc. link-shortening account after
ignoring a password-reset message, he confirmed in a Twitter
message.
The Twitter account of Brendan Iribe, chief executive of
Facebook's Oculus virtual-reality unit, was ripe for the taking
because he had reused an old Myspace password, said "Lid," the
hacker who claimed to have taken over Mr. Iribe's account for a few
hours last month. Lid sent out several unauthorized Twitter
messages, including one proclaiming himself the new Oculus CEO. Lid
declined to provide his real name.
Large databases of usernames and passwords periodically become
available on black-market websites. In the past few months,
however, "the abuse of the data seems to be on the rise," said Bob
Lord, Yahoo's chief information security officer, in a June
interview.
The high-profile Twitter users typically regained control of
their accounts within hours, causing them little damage beyond
embarrassment. But security professionals say reusing passwords can
expose corporate networks or the growing number of corporate online
services.
Companies tell workers not to reuse their corporate passwords on
services such as LinkedIn or Myspace, but they have no way to check
whether this is happening: they never see the passwords employees
choose on other sites. That is worrisome, said Cormac
Herley, a researcher with Microsoft. "It could be that some third
party has a breach and I'm essentially hostage to whether my
employees reused passwords," he said.
Write to Robert McMillan at Robert.Mcmillan@wsj.com
(END) Dow Jones Newswires
August 08, 2016 02:48 ET (06:48 GMT)
Copyright (c) 2016 Dow Jones & Company, Inc.