In addition to the above examples, there were two other large scale and highly scandalous invasions in July and August of last year. The victims were users of the popular file-sharing service Dropbox and Blizzard’s gaming service Battle.net.
Dropbox acknowledged the leak of personal data in late July, though they were quick to assure that the addresses and passwords had been stolen from “third party sites,” ultimately, because users had used very weak passwords.
Alas, it was not all that simple. As it turned out, it was one of Dropbox’s employees who suffered from the attack, and it seemed, that he or she also neglected the basics of network security and used the same password for different resources. All in all, the attackers accessed his or her file storage and found an unencrypted document with a list of users’ email addresses.
Another problem was that Dropbox had already experienced attempted attacks by hackers, with one of them managing to get a few combinations of usernames and passwords. Of those combinations, one belonged to the Dropbox employee.
After that, a great deal of spam poured into Dropbox users’ mailboxes, including phishing messages and other malware. Following the incident, Dropbox introduced a two-factor authorization, although for users this option was to be activated separately.
Blizzard had already implemented two-factor protection (with the use of mobile devices) for a long time. It basically forbade stealing people’s game accounts. However, there was an intrusion into the internal infrastructure of the company. The attackers managed to get ahold of a number of email addresses of Battle.net users around the world. In addition, hackers accessed the answers to security questions, authorization via mobile devices, and hashed passwords. Blizzard’s statement, however, said that the attackers would have a difficult time trying to decode the passwords, because of Secure Remote Password (SRP) protocol being used.
The users were advised to change their passwords anyway.
Twitter (February 2013)
In February 2013 attackers invaded the Twitter base and stole logins and email addresses together with hashed and salted passwords for 250,000 users.
According to the Twitter administration, the user database was cracked by professionals. Moreover, Twitter’s head of safety and security, Bob Lord, quite eloquently alluded that the attack was performed by the same professionals who had previously hacked The New York Times and The Wall Street Journal (was it Winnti?).
Lord also mysteriously mentioned the recommendations by the U.S. Department of Homeland Security to disable Java in the browsers because of a well-known vulnerability CVE-2013-0422, for which a zero-day exploit was discovered. Lord did not elaborate much on its connection with the Twitter attack.
Evernote (March 2013)
In March, the popular service Evernote urged all of its 50 million users to change passwords. The necessity arose after an unauthorized entry into the internal infrastructure of the company occured. The attackers managed to gain access to logins, relevant mail addresses and hashed passwords that Evernote fortunately stored in a salted form. The criminals did not make it to the users’ content. However, Evernote was criticized for the lack of two-factor authentication. There were also many harsh words said about the Evernote invasion as a bad attempt for publicity of cloud services in general, for the situation itself favored SaaS opponents.
We’ve brought you through several examples of big data leaks. What do they have in common? Almost everything and yet nothing at the same time. By “almost everything” we mean they all saw an unauthorized invasion of the servers of a large public service provider and respectable amounts of data being stolen. By “almost nothing” we mean that in each case a different way of penetration was used, a different kind of vulnerability was found, and the affected companies each published different accounts of the incidents. In most cases, it was stated that the stolen data was of almost no practical use since the passwords were encrypted. Still, in every case users were encouraged or forced to change their passwords as a precaution.
The problem is, firstly, users often use the same passwords for different resources. Secondly, they set weak passwords that are easily cracked by brute force, particularly if the hash values are not salted.
The leak of any data for businesses operating with users’ information will put them into a state of emergency in terms of potential financial and reputational losses. Therefor, security measures should include protection against all possible options, i.e. solid encryption of transmitted and stored data (besides hashing, salting is also required); thorough auditing of third-party software, if there is any; the use of automatic protection, such as exploit blocking, against zero-day vulnerabilities. And the most important measure is, of course, training staff and users on the basics of network security: no short and easily cracked passwords, no reusing of passwords in various instances. From users it requires minimal efforts, but sticking to these rules can keep trouble away.