News of data breaches is becoming more and more commonplace, and the most recently publicized breach is one of the largest yet. During the week of Jan. 13, 2019, a dataset named “Collection #1” was discovered. Upon investigation, “Collection #1” was found to be a massive listing of email addresses and passwords that were obtained primarily through thousands of individual data breaches that have occurred over the past three years. Throughout this time period, over 2.6 billion records were aggregated into this collection, including nearly 773 million unique email addresses and over 21 million unique passwords. As the name of the breach implies, there are more Collections out there (#2-5); they supposedly contain more recent account information, and some even have more records than “Collection #1”.
While public awareness of this particular breach is recent, “Collection #1” has actually been circulating for many months on hacking forums and, for a period of time, was freely available through a cloud-based file sharing service, “MEGA”. As a result, “Collection #1” has been spread far and wide online, and it is disconcerting to consider that your information may be part of it.
What do people do with all of this account information?
Typically, sizable collections like “Collection #1” are used for credential-stuffing attacks. In a credential-stuffing attack, attackers rapidly test compromised email and password combinations against many websites or services in order to gain access to individuals’ accounts. These attacks are typically automated and target people who reuse passwords across multiple websites and services. Additionally, if access is obtained to an email account, malicious individuals can leverage websites’ password-reset tools to potentially obtain access to other accounts you may have, such as bank accounts, credit card accounts, etc.
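Because credential stuffing tries each stolen email/password pair only once or twice against many different accounts, it looks different in authentication logs from a classic brute-force attack against a single account. The following is an added example (not part of the original NEOMED article) showing how a defender can spot that pattern: a single source address producing many failed logins across many distinct usernames in a short window, followed by the occasional success, which is the account that actually needs attention. The log format, function names and sample lines are constructed for illustration.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample authentication log (not real traffic). One attacker source
# (203.0.113.5) tries a different stolen credential pair against each account;
# a legitimate user (198.51.100.7) mistypes their own password twice.
SAMPLE_LOG = """\
2019-01-20T10:00:01Z LOGIN_FAIL user=alice@example.edu src=203.0.113.5
2019-01-20T10:00:02Z LOGIN_FAIL user=bob@example.edu src=203.0.113.5
2019-01-20T10:00:02Z LOGIN_FAIL user=carol@example.edu src=203.0.113.5
2019-01-20T10:00:03Z LOGIN_FAIL user=dave@example.edu src=203.0.113.5
2019-01-20T10:00:03Z LOGIN_OK   user=erin@example.edu src=203.0.113.5
2019-01-20T10:00:04Z LOGIN_FAIL user=frank@example.edu src=203.0.113.5
2019-01-20T10:00:10Z LOGIN_FAIL user=alice@example.edu src=198.51.100.7
2019-01-20T10:00:15Z LOGIN_FAIL user=alice@example.edu src=198.51.100.7
2019-01-20T10:00:20Z LOGIN_OK   user=alice@example.edu src=198.51.100.7
2019-01-20T10:05:00Z LOGIN_FAIL user=gina@example.edu src=192.0.2.9
"""

# Hypothetical log line layout: "<ISO timestamp> <EVENT> user=<name> src=<ip>"
LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<event>LOGIN_FAIL|LOGIN_OK)\s+user=(?P<user>\S+) src=(?P<src>\S+)$"
)


def parse_log(text):
    """Turn raw log text into (timestamp, event, user, src) tuples, skipping junk lines."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ")
        events.append((ts, m["event"], m["user"], m["src"]))
    return events


def detect_credential_stuffing(events, window_seconds=60, min_failures=5, min_distinct_users=4):
    """Return {src: set(users tried)} for every source whose failed logins, within
    any sliding window of `window_seconds`, reach both the failure-count and the
    distinct-user thresholds. The distinct-user threshold is what separates
    credential stuffing (many accounts, few tries each) from a user who simply
    forgot their own password (one account, several tries)."""
    fails_by_src = defaultdict(list)
    for ts, event, user, src in events:
        if event == "LOGIN_FAIL":
            fails_by_src[src].append((ts, user))

    flagged = {}
    window = timedelta(seconds=window_seconds)
    for src, fails in fails_by_src.items():
        fails.sort()
        start = 0
        for end in range(len(fails)):
            # Slide the window start forward until it spans at most window_seconds.
            while fails[end][0] - fails[start][0] > window:
                start += 1
            in_window = fails[start:end + 1]
            users_in_window = {u for _, u in in_window}
            if len(in_window) >= min_failures and len(users_in_window) >= min_distinct_users:
                flagged[src] = {u for _, u in fails}  # every account this source touched
                break
    return flagged


def suspicious_successes(events, flagged):
    """Successful logins originating from a flagged source: the accounts whose
    reused password was in the stolen collection and should be reset first."""
    return [(user, src) for _, event, user, src in events
            if event == "LOGIN_OK" and src in flagged]


if __name__ == "__main__":
    evs = parse_log(SAMPLE_LOG)
    flagged = detect_credential_stuffing(evs)
    for src, users in flagged.items():
        print(f"credential stuffing from {src}: {len(users)} accounts tried")
    for user, src in suspicious_successes(evs, flagged):
        print(f"ALERT: {user} logged in from flagged source {src}; force password reset")
```

On the constructed sample, the attacker source is flagged after five failures across five accounts in three seconds, the legitimate user's two failures on a single account are not, and erin's successful login from the flagged source is surfaced as the account to reset. In a real deployment the thresholds would be tuned to the service's normal failure rate, and the source key would usually combine IP address with other signals, since stuffing tools often rotate through proxies.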
How does a breach like this occur?
The answer varies from breach to breach. Some breaches result from insecure authentication forms or brute-force attempts against repositories of account data; others come down to human error, where someone knowingly or unknowingly divulges account information to a person who then uses it to compromise further accounts.
So, what can I do about all of this?
One reality we all have to face is that there are individuals who have already accessed personal data that we may believe should be secret, but which nevertheless is not. This data may include our credit card information, Social Security number, mother’s maiden name, and date of birth. With the spread of information from data breaches like this, information security has become an even more critical component of data privacy, and an increased awareness of information security best practices can help make accounts more difficult to compromise.
Regarding University data, information security is something NEOMED takes seriously. Multi-factor authentication is a strong deterrent to unauthorized access to online accounts, and as a result, NEOMED has implemented Duo Security, a multi-factor authentication solution, to safeguard against unauthorized access to its student, faculty, and staff accounts, namely email. Additionally, the Information Technology and Compliance and Risk Management offices are working on broadening information security awareness and strengthening their information security policies and procedures.
For your personal information, there are a number of steps you can take to safeguard and manage your own personal accounts and information:
Create unique passwords.
By creating a unique password for each website or service, you ensure that if one of your accounts is compromised, the same set of credentials will not grant access to the other websites or service accounts you may hold.
Enable and use multi-factor authentication, wherever possible.
Depending on the website or service, you may have the ability to enable and use multi-factor authentication for your account. Google accounts are one example where you have the ability to set up and enable multi-factor authentication within your account settings for all of their services, like Gmail.
Monitor your credit report/score.
The Fair Credit Reporting Act entitles you to request one (1) free copy of your credit report every 12 months (see the Federal Trade Commission website, https://www.ftc.gov/faq/consumer-protection/get-my-free-credit-report). Some credit card companies also offer free FICO score information to their account holders. Monitoring these scores can provide insight into your credit, and if you find it has been negatively affected, that can serve as an indicator and prompt you to inquire further.
Review if your account was compromised in a breach.
Haveibeenpwned.com is a free, online, third-party resource that allows you to assess if you may have been put at risk due to a data breach, including those like “Collection #1”.
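Checking whether a password appears in a breach corpus raises an obvious question: how do you ask without handing your password to yet another website? The Pwned Passwords service that is part of Have I Been Pwned answers this with a k-anonymity range query: the client hashes the password locally with SHA-1 and sends only the first five hex characters of the hash; the server returns every hash suffix in that bucket with a breach count, and the client does the matching itself. The code below is an added example, not from the original article or from Have I Been Pwned; it simulates both sides with a small constructed password list standing in for the breach corpus, so it runs offline. The real service's endpoint is https://api.pwnedpasswords.com/range/{prefix}; the `fetch_range` callback here is a stand-in for that HTTP call.

```python
import hashlib
from collections import defaultdict

# Constructed stand-in for a breached-password corpus (a handful of common
# passwords, "123456" listed twice to show the breach count); not real breach data.
BREACHED_PASSWORDS = ["password", "123456", "123456", "qwerty", "letmein"]


def sha1_hex(password):
    """Uppercase hex SHA-1 of the password, the form the range API uses."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest().upper()


def build_range_index(corpus):
    """Server side: bucket hash suffixes by their 5-character prefix, with counts."""
    index = defaultdict(dict)
    for pw in corpus:
        h = sha1_hex(pw)
        prefix, suffix = h[:5], h[5:]
        index[prefix][suffix] = index[prefix].get(suffix, 0) + 1
    return index


def range_response(index, prefix):
    """Server side: the text body returned for one prefix, one 'SUFFIX:COUNT' per line.
    Every password whose hash starts with this prefix is returned, which is why
    the server learns nothing about which one the client actually holds."""
    bucket = index.get(prefix.upper(), {})
    return "\n".join(f"{suffix}:{count}" for suffix, count in sorted(bucket.items()))


def check_password(password, fetch_range):
    """Client side: returns how many times the password appears in the corpus
    (0 if not seen). Only the 5-character prefix is passed to fetch_range."""
    h = sha1_hex(password)
    prefix, suffix = h[:5], h[5:]
    body = fetch_range(prefix)
    for line in body.splitlines():
        seen_suffix, _, count = line.partition(":")
        if seen_suffix == suffix:
            return int(count)
    return 0


# Wire the simulated server to the client; a real client would do an HTTPS GET
# against the range endpoint instead of calling range_response directly.
_INDEX = build_range_index(BREACHED_PASSWORDS)


def fake_fetch_range(prefix):
    return range_response(_INDEX, prefix)


if __name__ == "__main__":
    for candidate in ["password", "123456", "Tr0ub4dor&3-constructed-example"]:
        n = check_password(candidate, fake_fetch_range)
        verdict = f"seen {n} time(s) in breaches, do not use" if n else "not in corpus"
        print(f"{candidate!r}: {verdict}")
```

The privacy property is in `check_password`: the full hash never leaves the client, and because the server answers with the whole bucket, it cannot tell which of the hundreds of real suffixes in that range the client was interested in. Note that a "not in corpus" result only means the password has not been seen in the breaches the corpus covers; it says nothing about the password's strength.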
These are just some of the best practices you can utilize to help protect yourself from account compromises. Stay tuned for more details regarding NEOMED's information security efforts in the near future. If you ever have information security questions or concerns, or if you suspect that your University account has been compromised, contact Information Technology or Compliance & Risk Management using the information below:
Compliance & Risk Management
-Submitted by Jonathan Wagner