News broke today that web-hosting service Weebly was hacked in February of this year, resulting in the theft of 43 million user credentials including encrypted passwords and IP addresses.
Various industry professionals have responded to the news with their reactions and analysis.
Paul McEvatt, Senior Cyber Threat Intelligence Manager in UK & Ireland at Fujitsu:
“The hack on Weebly once again brings to the surface the shocking realisation facing many organisations today – everyone will be attacked in one way or another. While the fact that 43.4 million accounts are thought to have been stolen is worrying, Weebly is the latest victim, and they will not be the last.
“Attackers value data as it can be re-used in identity theft but also look to re-use passwords on other online platforms including mail accounts and social media sites such as Twitter and Facebook. Fortunately, Weebly stored passwords hashed with Bcrypt making it harder for those passwords to be cracked easily.
“Attackers will always take the easiest route possible to breach a network, so it is vital that organisations across all sectors are proactive before attackers can act, such as applying the basics and enabling real-time threat reporting and fast response solutions before a threat becomes a compromise. This should sit alongside a clear and well-rehearsed incident management plan, addressing internal and external communication in addition to containment and recovery activities. It is no longer just about working to prevent attacks, but having a robust strategy in place for when one does happen to address the flaw immediately.”
Simon Moffatt, Senior Product Manager at ForgeRock:
“Unfortunately, consumers are still largely unaware just how easy it is for fraudsters to get hold of the pieces of data they need to build a fake identity. There is also a growing familiarity and trust in online business, with consumers almost blindly expecting websites to keep their details safe.
“Basic good housekeeping with respect to passwords should always leverage secure storage, meaning that the database owner should use salted hashing techniques as opposed to encryption or clear text. It should also involve making sure that users comply with complex password policies. Whilst the latter does reduce user convenience, password managers can help.
“Alongside limited government involvement, industry standards, or incentives to educate consumers about identity protection, it is not surprising that alongside the number of data breaches, there has been a spike in identity fraud cases in recent times. Although the issue of identity fraud does not yet seem to be a mainstream concern, if the number of such cases continues to rise, it likely will be, sooner rather than later.”
Wieland Alge, VP & GM EMEA at Barracuda Networks:
“This latest database breach has leaked enough information to leave users open to phishing attacks. The danger with a data breach that runs into the tens of millions is that even in the best-case scenario, at least some users will believe that the phishing emails are genuine, thereby opening the door to their attackers.
“It’s easy to discuss the threat of such breaches and believe that people are clever enough to not open attachments or fall for phishing scams, both at home and at work. However, experience tells us that when faced with a potential security incident, companies and IT security teams must over-communicate the threat, advise staff accordingly and review their security posture to prevent and contain any damage.”
James Romer, EMEA Chief Security Architect, SecureAuth:
“We all know that using the same password/username credentials across multiple sites is a bad idea, yet it still happens far too often. Hackers are now taking advantage by stealing precious data containing usernames, passwords, email addresses and IP addresses. Cybercriminals are aware that credential combinations are being used by users for a number of accounts. Obtaining this information is the equivalent of obtaining the skeleton key to a hotel filled with valuables.
“Organisations cannot rely on consumers to remember numerous passwords in their active online lifestyles, instead they need to be encouraged away from the current reliance on a single point of authentication to continuous authentication, which developments in behavioural biometrics support.
“Not only does this render stolen credentials completely worthless across the breached site, it also means they cannot be used to compromise users more broadly.”
Image Credit: Balefire / Shutterstock