Skip to main content

The danger of an exposed account username

In each of the recent attacks on Evernote, Facebook, Twitter and others, the companies involved were quick to point out that passwords remained secure. But user information has a life of its own, and the effects of an attack on an individual can be felt long after the attack is over.

Typically what you hear when a major company has been compromised is something along the lines of how payment information is still secure, passwords were encrypted, but other information was accessible. Usually, this includes usernames and emails.

To most of us, that might not seem dangerous. After all, we give out our own emails all the time – we even post them online. But there are risks for users who've had even this small amount of information exposed.

Derek Halliday, senior product manager at Lookout mobile security, explained how these bits of information can make users targets: "Account information can be used to potentially enable spearphishing because it provides some unique contextual information about people – a way to contact them. And the fact that they have at one point in time signed up for a particular service."

This is why legitimate alert emails frequently remind users who may have had their information exposed that no one will ever ask for their password. If a hacker knows you use Evernote (for example), it's short work to create a message that appears to be from Evernote and send it to the email address you use to manage your account. Perhaps it will prompt you to provide your password, or payment information, or maybe trick you into clicking a malicious link.

"We've seen cyber criminals who are willing to engage in the 'long con,'" said Mark Risher, the co-founder and CEO of Impermium. "A multi-step attack that goes beyond the direct pilfering of sensitive data."

"When criminals break into a social network account, they can often find personal details that add legitimacy to a spearphishing," continued Risher, who cited an alumni association as one such personal detail. He explained that this could be used to unlock the "secret question" feature – which sometimes asks what your school mascot was, or the name of your first pet – on another website.

The worst case scenario

Chester Wisniewski, senior security advisor at Sophos, said that even though Evernote and other recently compromised websites secured their passwords with cryptographic hashes and random "salt" data, not all users might be protected. He explained that if a user has chosen a weak or common password, "then the criminals probably have it."

With the limited information available, the easier passwords might still be retrieved. "Criminals are going to hash the really easy ones, and may not bother with the rest," said Wisniewski.

For some of the bad guys, simply gaining access to social media accounts like Facebook or Twitter is enough. Some utilise this as an opportunity to make money, by attempting to spread malware infections. More enterprising attackers may try to use the pilfered password to unlock a webmail account.

"They often look for mail from the user's bank; often there's an 'I forgot my password' feature at that bank which relies solely on having access to the email account," said Risher.

Developing the worst case scenario further, the attackers might not be done once they've gained access to online banking information. "A lot of these guys aren't going to directly engage in the identity theft, they'll sell it off," said Wisniewski.

He went on to explain that in the case of banking trojans, attackers will use the top 10 per cent of the accounts – that is, the ones with the most available funds – and sell the other 90 per cent of the information. This means that user information, once compromised, can continue to be used and reused until the owner finally regains control.

Keep yourself safe

"The good news in all of the recent [attacks] is that nothing personally identifiable was taken," said Wisniewski, who stressed several times that the affected companies at least appeared to have taken solid steps to secure user information.

But as we've seen, that's not always enough. Users need to heed warnings to change passwords when prompted by hacked services. They should also strive to select strong and unique passwords for every online service, perhaps utilising a password manager to make the task easier.

What's important to understand is that user information is valuable, and can still be useful to attackers long after you've secured one affected account. The Internet provides numerous ways to have fun and work, but it also provides just as many avenues for attack.