Are we at a tipping point?
Russian hackers have gained access to 1.2 billion user names and passwords from 420,000 sites, according to Hold Security and a New York Times report.
The breaches range from small business sites to large everyday names. Many of these sites are still vulnerable as well. This may well prove to be the largest identity credential breach in history.
Login credentials are popular targets for hackers. Earlier this year the Verizon Database Breach Investigation Report stated that the number one way hackers are gaining access to information on computer networks continues to be the misuse of usernames and passwords. Two out of three breaches exploit weak or stolen passwords, making a case for strong two-factor authentication, says Jay Jacobs, co-author of the report and a principal at Verizon Business.
So, while this may be the largest breach on record, it’s anything but new. The coming days will once again bring renewed calls for strong, multi-factor authentication that will make these breaches more difficult.
But will it really happen? I don’t mean to be cynical, but what really happens with the data stolen in these breaches? The prevailing theory is that consumers reuse usernames and passwords on multiple sites. So if the hacker has a credential from Gawker, it might also be good for access to a Bank of America financial account.
Has this happened, though? With all the username and password breaches of the last few years, I have not read the stories about Joe Smith’s LinkedIn login info being used to drain his bank account.
And if this is such a big problem, why haven’t we seen sites take measures to fix it? Are businesses not feeling any pain from these breaches? Target expects to pay $138 million related to the credit card breach, but what’s the cost – other than reputational – with an identity credential breach?
Even if this breach impacts Facebook, Amazon, Bank of America, Chase or Google, consumers will not stop using these sites. Target, while still reeling, will certainly bounce back.
Look at Heartland Payment Systems, which had the largest payment card breach in history in 2008. The company’s stock price was devastated following the breach but has since rebounded to new highs. To its credit, today the company is considered a leader in advancing transaction security. Target is attempting to position itself the same way, as a leader for the coming of EMV in the U.S.
There will be the typical weeping and gnashing of teeth but in the end people will come back even if everything remains the same. I want identities to become more secure online but are we at the tipping point? What else needs to happen?