We trust internet giants with some of our more sensitive information: personal and business communications, documents, financial transactions, dating profiles, etc. And in many cases, the only thing standing between malevolent hackers and our data is a string of alphanumeric characters.
Yes, in 2020, many services still rely on conventional passwords to protect user accounts against unauthorised access. And as numerous hacks have shown, passwords are a recipe for disaster.
In most cases, security experts advise users to choose passwords that are long and complex to avoid brute-force attacks and credential stuffing hacks. However, even a strong password is of no use when the company charged with protecting your account gets hacked, spilling your passwords into the dark web.
Smaller companies get hacked more often than their larger counterparts, but this doesn’t mean that tech giants are invulnerable. Moreso, password data breaches at large tech firms are much more destructive. They not only result in widespread loss of data, but damage brand trust and reputation. Sometimes, the extent of the damage is so vast that the victims can’t recover from it.
With that in mind, here are a few examples of how bad security practices led to some of the biggest recent exposures of user credentials.
Large companies are run by humans—and humans make errors
In 2018, malicious hackers found a security hole in Facebook’s “View As” feature that enabled them to gain access to the authentication tokens of any user. The flaw remained hidden for months. Facebook engineers only discovered it when they noticed an unusual volume of use on their application programming interfaces (API) to access the feature. By that time, the hackers had exploited the flaw to gain access to more than 30 million user accounts.
The episode resulted in a major public relations fiasco for Facebook, and the social media giant found itself in hot water (for the nth time), facing several class-action lawsuits from outraged users.
Even Apple, which is often touted as the manufacturer of some of the most secure devices and applications, can make these kinds of mistakes. In 2017, a security flaw in the iOS mobile operating system enabled hackers to gain access to steal passwords and other sensitive data from user iCloud accounts. The episode reminded us that even end-to-end encrypted passwords can get hacked.
When big companies get hacked, it’s really big
In December, Microsoft published a notice that 44 million Microsoft Azure AD and Microsoft Services accounts were vulnerable to account hijacking due to use of compromised passwords. The company did not reveal if there were any recent breaches and explained that its threat research team had made the discovery after consolidating and analysing data from various breaches. The company forced a password reset for affected users.
Only months earlier, the company had reported that a Microsoft Outlook.com support agent’s credentials were compromised, giving hackers access to some customer accounts. While Microsoft was quick to say no user accounts were stolen, it did admit that the hackers had gained access to email addresses, folder names, and subject lines of emails. Those are the kind of information that can prove to be devastatingly important in phishing attacks.
In late December, a data leak exposing the login details of more than 3,500 Ring user accounts. The compromised credentials enabled attackers to gain access to home addresses, payment information, as well as live camera feeds and video histories from the smart-home security company owned by Amazon. While Amazon claimed that it hadn’t been directly breached, it was obvious that it hadn’t put safeguards in place to prevent password hacks.
Microsoft and Amazon are not the first tech giants to come to grips with password breaches. Search giant Yahoo suffered a 3-billion-password hack in the 2013-2016 period, which dealt a hefty blow to the company’s reputation, especially as it was in the process of negotiating an M&A deal with telecom giant Verizon. The disaster knocked $350 million off Yahoo’s valuation, a heavy price for a company that was already struggling financially.
Tech companies are bad at storing passwords
Just this January, an Amazon Web Services (AWS) engineer accidentally stored a cache of passwords, AWS keypairs and private keys in a public GitHub repository. The 954MB blunder, discovered by UpGuard, contained the sensitive account information of thousands of AWS customers. While this was probably an accident, there have been cases of AWS workers intentionally stealing customer data for malicious purposes.
Last year, Google fell short of its self-imposed standards in a security lapse which involved the storage of unhashed G Suite passwords. The company made the announcement in a blog post published in May. While the company took quick measures to solve the issue, it also admitted that the error had persisted since 2005. “This practice did not live up to our standards,” stated Suzanne Frey, VP of Engineering at Cloud Trust.
Turning back to Facebook, security researcher Brian Krebs reported in March that the account passwords of hundreds of millions of the social media platform’s users had been stored in plain text and were searchable by thousands of the company’s employees. In some cases, the passwords had been in this state since 2012. How did it happen? The company’s engineers had built internal tools in which they logged unencrypted passwords. In this manner, between 200 million and 600 million user passwords were reportedly exposed.
Companies are realising the dangers of passwords
With the financial, reputational, and technical costs of password hacks rising, tech companies have joined the race to find a fundamental solution that will protect their business against these devastating security incidents while also providing a convenient experience for their users.
Ultimately, the most secure password policy is one that ditches passwords altogether. With passwords eliminated from the authentication process, the threat of credential theft on-device, in transition, and in persistence, becomes a thing of the past. While large tech companies get the most attention and scrutiny when it comes to security incidents, transitioning to passwordless should be a priority for every organisation.
Fortunately, there have been very fruitful efforts in passwordless authentication in recent years. Some of them have been led by individual companies, such as Microsoft Hello and the Google Prompt on Android. Others have been industry-wide, such as the FIDO (Fast IDentity Online) Alliance’s authentication standards: FIDO, FIDO2 and WebAuthn.
These initiatives have made it easier for all organisations to get on board the passwordless movement. Now, it’s just a matter of adopting them.
Shimrit Tzur-David, CTO & Co-Founder, Secret Double Octopus