Record Number Of Account Leaks In 2020
Due to the global pandemic, most of our lives and livelihoods have shifted online. While convenient, this increase in remote work has had unintended consequences: it has triggered an exponential rise in the number of data breaches. In the first quarter of 2020, data breaches in 230 companies were reported. By the end of the year, this figure grew to 1,114. During the first six months of 2020, various Fortune 500 companies became the targets of breaches on a massive scale. According to different security firms, 80% of the data breaches were due to stolen credentials or brute force attacks. As the year progressed, this startling number only continued to rise.
In 2020 alone, over 20 billion records have been exposed—a 66% rise from 2019’s recorded 12 billion. It’s a staggering 24x increase from the 2017 numbers.
Data breaches have caused severe damage to organizations. One of the leading reasons behind data breaches lies in the passwords used by employees—be it poor password hygiene, reused passwords, compromised passwords, or weak passwords.
The average internet user has over 200 digital accounts that require passwords, a figure projected to double to 400 in the next five years.
Just because more of our lives are now online doesn’t mean the digital world has become safer—everyone needs to remember proper password hygiene and implement cybersecurity-related best practices.
Adversaries are always looking for security holes in organizations’ IT infrastructure, including web applications, systems, networks, third-party applications, email servers, Active Directory, etc. Many organizations lack visibility into the applications and services used on their endpoints, whether these are hosted locally or purchased on subscription from a cloud service provider. Typically, users are more comfortable using the same password for a plethora of different websites: it is easier for them to remember a single password, even though they know that reusing it across multiple platforms is not a good practice.
Worst Passwords 2020
According to an analysis conducted by the National Cyber Security Centre (NCSC), millions of people still use easy-to-guess passwords on sensitive accounts. Upon examining breached accounts, it was found that ‘123456’ is the most commonly used password, simply because it is easy to remember. As per hacking statistics, the most common way to hack accounts is password spraying: the attacker tries a few simple passwords against a whole list of usernames until one combination grants access to an account.
NordPass recently released the top 200 worst passwords for the year 2020. As per Forbes senior contributor Davey Winder, 275,699,516 breached passwords were analyzed; more than half of them were not unique. For each password, the list gives its position, the number of users who chose it, the time required to crack it, and the number of times that particular password was exposed. According to the list, the password ‘123456’ has been used by 2,543,285 users and exposed 23,597,311 times. The average time to crack these passwords was less than one second.
Types of Password Attacks
Before we discuss more insights regarding compromises and breaches, let’s discuss a few types of password-related attack methods.
| Password Attack Type | Process of Attack |
|---|---|
| Brute Force | The adversary attempts to log into a user’s account with all possible combinations of the password until the login is successful. Effective against simple passwords with a small password space. |
| Dictionary Attack | The adversary uses a list of stored passwords or relevant phrases, cycling through the list until the login is successful. The list may contain commonly used passwords or words discovered to be relevant to the account holder via OSINT methods. |
| Rainbow Table Attack | A list of pre-computed password hashes is compared with captured password hashes to recover the original password in clear-text form. |
| Credential Stuffing | The adversary uses a list of stolen (breached) usernames and passwords on a large number of different services (typically SaaS web apps) to discover and take over accounts where passwords have been reused. |
| Password Spraying | The adversary tries a few simple passwords against many accounts of the same organization in parallel, keeping the number of failures per account below the lockout threshold so that the user lockout policy never triggers. |
| Password Guessing | Adversaries build candidate passwords from information obtained from public sources, including social media and other OSINT sources. |
Using the tactics listed above, adversaries gain access to various accounts or databases. The compromised accounts are then used to steal data and elevate privileges, or are ultimately sold on the dark web.
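The table shows why password spraying slips past a per-account lockout policy: each username sees only one or two failures, while one source touches many usernames. The following detection logic, added here as an example and not part of the original article or of any vendor product, runs a classic per-account lockout rule and a per-source spraying rule side by side over a constructed authentication log (the log format, IP addresses and usernames are all made up for the example).

```python
from collections import Counter, defaultdict, deque
from datetime import datetime, timedelta
# Constructed sample authentication log (not from any real system).
# Each line: <ISO timestamp> <RESULT> <username> <source IP>
SAMPLE_LOG = """\
2020-11-03T09:00:01Z FAIL alice 203.0.113.7
2020-11-03T09:00:03Z FAIL bob 203.0.113.7
2020-11-03T09:00:05Z FAIL carol 203.0.113.7
2020-11-03T09:00:07Z FAIL dave 203.0.113.7
2020-11-03T09:00:09Z FAIL erin 203.0.113.7
2020-11-03T09:01:00Z FAIL grace 198.51.100.9
2020-11-03T09:01:02Z FAIL grace 198.51.100.9
2020-11-03T09:01:04Z FAIL grace 198.51.100.9
2020-11-03T09:01:06Z FAIL grace 198.51.100.9
2020-11-03T09:01:08Z FAIL grace 198.51.100.9
"""

def parse(log):
    """Parse log lines into (timestamp, result, user, ip) tuples, oldest first."""
    events = []
    for line in log.splitlines():
        ts, result, user, ip = line.split()
        events.append((datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), result, user, ip))
    return sorted(events)

def lockout_hits(events, threshold=5):
    """Classic per-account lockout rule: N failures against the same username."""
    fails = defaultdict(int)
    for _, result, user, _ in events:
        if result == "FAIL":
            fails[user] += 1
    return {u for u, n in fails.items() if n >= threshold}

def spray_sources(events, window=timedelta(minutes=10), min_users=5, max_per_user=2):
    """Flag a source IP that fails against many distinct usernames within one
    window while staying at or below max_per_user failures per username."""
    flagged = set()
    recent = defaultdict(deque)  # ip -> failures (ts, user) inside the window
    for ts, result, user, ip in events:
        if result != "FAIL":
            continue
        q = recent[ip]
        q.append((ts, user))
        while ts - q[0][0] > window:  # drop failures older than the window
            q.popleft()
        per_user = Counter(u for _, u in q)
        if len(per_user) >= min_users and max(per_user.values()) <= max_per_user:
            flagged.add(ip)
    return flagged
```

On the sample, the lockout rule catches only the brute-force attempt against `grace`, while the spraying rule flags `203.0.113.7`, which never exceeded one failure per account. The thresholds are starting points and should be tuned to the organization's own lockout policy and login volume.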
Challenges in Securing Passwords
According to various studies and analyses, there are approximately 300 billion passwords in use today, making an average of 38.4 passwords per individual. A password is the front door to all of your confidential data, user accounts, or personally-identifiable information. Passwords and usernames are the most common way to authenticate a user.
The greatest challenge lies in convincing users to keep healthy, unique passwords for each account or service. Due to the massive number of accounts each person accesses daily, many people tend to use passwords that are easy to remember, and even reuse the same passwords across multiple platforms such as corporate email and cloud applications. Another challenge for an organization in password adherence is shadow IT, where users begin utilizing third-party applications to ease their day-to-day tasks without notifying the IT department. As a result, users unknowingly open doors for hackers to compromise their accounts, leading to a security breach that may cause companies to bear millions in losses.
Keeping a password is just like using a key to your door; while the door is undoubtedly locked, a thief can still get in by picking the lock. When organizations enforce very frequent password resets, users become frustrated and tend to write their passwords down in an unsafe, unsecured location. Hackers have enhanced their abilities over time and are continually searching for the weakest link—i.e., humans.
Password hygiene is one of the most critical problems that organizations and individuals face today. Organizations need to begin creating awareness among their employees, as credential-related threats are the leading root cause of successful breaches. With the continued advance of cloud adoption, it is undeniable that the number of such incidents will keep rising in the future. Organizations should also start using tools that can automatically discover weak passwords, password reuse, shared accounts and similar issues, thus proactively tackling these growing concerns.
Scirge provides a unique approach to unveil and gain control over unmanaged third-party web accounts. Scirge tracks the websites employees use corporate email addresses to register on and log in to. Having a central dashboard of discovered accounts helps to reduce the risk of credential-related threats such as password reuse or account takeover (ATO). Scirge gives a level of control over SaaS usage to overcome Shadow IT. It also helps to ensure that your company complies with GDPR, CCPA, and other audit requirements.