At a glance.
- This just in: there are more than 24 billion usernames.
- US healthcare data breach round-up.
Turns out “Password” is still not a good password.
The researchers at threat intelligence and risk protection company Digital Shadows have released a new report on global password compromise revealing that 24 billion usernames and password combinations are currently in circulation in cybercriminal marketplaces. This amounts to an average of nearly four for every person in the world, and represents an increase of 65% over their 2020 report. ZDNet notes that 6.7 billion of the login credentials were unique, meaning that many usernames and passwords are likely being accessed and stolen multiple times without the user’s knowledge.
The report also shows that the top fifty most popular passwords are far too easy to guess, often using a variation of the word 'password' or an easily remembered string of numbers, like 123456 (which accounts for nearly one out of every two hundred passwords). Predictable combos like 'qwerty' or '1q2w3e' are also overused, and “default” and “password” remain go-to choices for the feeble-minded. PRNewswire adds that the report determined forty-nine of the top fifty combos can be cracked in less than one second using simple tools readily available on criminal forums for minimal cost. Recommendations for avoiding the temptation to set a password to “11111” include using a password manager, implementing multifactor authentication, and using an authenticator app.
Kim DeCarlis, CMO at web application solutions security provider PerimeterX, commented on what the available credentials suggest about criminal practice:
“The cyberthreat landscape has changed. Web attacks that were once separate and distinct have come together in a continuous and integrated cycle of cybercrime. One kind of attack fuels another, propagating and prolonging an attack lifecycle that hits consumers everywhere along their digital journey — and web apps are a prime target.
"The front door to a web app is a valid user name and password and it is eye-opening to learn the number of credential pairs available on the dark web. Stopping the theft, validation and fraudulent use of account and identity information should be a prime focus for all online businesses. In this case, since the theft of credentials has already happened, digital businesses should look for a way to stop the next step: credential stuffing attacks in which cybercriminals try to validate the username and password. It would be smart for online businesses to look for solutions that flag when a known compromised credential is being used and force an action such as a simple password reset.
"Once a valid username and password pair is found, cybercriminals can use the credentials to log into — and take over — legitimate accounts, typically on a number of sites since password reuse is common. Because the credentials are accurate, there’s a good chance the criminal will get into the account without any problems. Since most websites don’t have security checks post-login, they are free to navigate through and abuse the account, no questions asked. This abuse could include transferring money, cashing out credits or buying products that are easy to resell.
"Validating that a user had the right credentials was previously enough to keep accounts safe. But given this scenario, businesses need to think about continuous post-login validation. It's time to look beyond login to make sure the user is in fact who they say they are and is doing what they should be doing in the account. This kind of comprehensive account protection approach will pay dividends in the form of reducing chargebacks, lowering calls to customer service, reducing strain on IT resources, protecting brand reputation and revenue.”
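One way to implement the "flag a known compromised credential and force a reset" step the comment above describes, as an added example that is not part of the original article or of any vendor's product: a k-anonymity prefix lookup (only the first five hex characters of the SHA-1 digest leave the client) combined with a denylist of the weak passwords the report coverage names. The corpus contents and hit counts are constructed for the example; the function names are assumptions.

```python
import hashlib
from typing import Dict, Tuple

# Constructed denylist: the weak passwords named in the report coverage above.
TOP_PASSWORDS = {"password", "123456", "qwerty", "1q2w3e", "default", "11111"}

def sha1_upper(password: str) -> str:
    """SHA-1 hex digest, upper-case, the form breach-corpus range APIs use."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest().upper()

def k_anon_split(password: str) -> Tuple[str, str]:
    """Split the digest into the 5-char prefix that is sent to the corpus
    service and the 35-char suffix that never leaves the client."""
    digest = sha1_upper(password)
    return digest[:5], digest[5:]

def build_constructed_corpus() -> Dict[str, Dict[str, int]]:
    """Stand-in for a breach corpus keyed by hash prefix. The counts are
    invented for this example; a real service returns its own observed counts."""
    corpus: Dict[str, Dict[str, int]] = {}
    for pw, count in (("password", 3_000_000), ("123456", 20_000_000), ("qwerty", 4_000_000)):
        prefix, suffix = k_anon_split(pw)
        corpus.setdefault(prefix, {})[suffix] = count
    return corpus

def lookup_range(corpus: Dict[str, Dict[str, int]], prefix: str) -> Dict[str, int]:
    """Simulate the range query: every suffix the corpus holds under the prefix.
    A live implementation would make an HTTPS request carrying the prefix only."""
    return dict(corpus.get(prefix, {}))

def evaluate_login(password: str, corpus: Dict[str, Dict[str, int]]) -> dict:
    """After the credential pair has matched, decide whether the session may
    proceed or the user must be forced through a password reset, and say why."""
    reasons = []
    if password.lower() in TOP_PASSWORDS:
        reasons.append("top-50 denylist")
    prefix, suffix = k_anon_split(password)
    hits = lookup_range(corpus, prefix)
    if suffix in hits:
        reasons.append(f"seen {hits[suffix]} times in breach corpus")
    action = "force_reset" if reasons else "allow"
    return {"action": action, "reasons": reasons, "prefix_sent": prefix}

if __name__ == "__main__":
    corpus = build_constructed_corpus()
    for pw in ("123456", "1q2w3e", "correct horse battery staple"):
        print(pw, evaluate_login(pw, corpus))
```

The denylist catches passwords the corpus does not hold (here '1q2w3e'), while the corpus check catches reuse of leaked values that no static list anticipates.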
We point out that there are only 8 billion people on this planet, which should remind us all that we each have multiple username and password combinations.
US healthcare data breach round-up.
Choice Health Insurance, based in the US state of South Carolina, discovered last month that customer data stolen from their systems was posted for sale on a popular hacker marketplace. Subsequent investigation determined that “due to a technical security configuration issue caused by a third-party service provider, a single Choice Health database was accessible through the Internet.” JDSupra reports that the compromised data include full names, Social Security numbers, Medicare information and health insurance information.
JDSupra also reports that Goodman Campbell Brain and Spine, a healthcare provider that operates nine locations across the US state of Indiana, experienced a data breach after an intruder gained access to sensitive patient and employee data in May. Goodman Campbell is currently investigating the scope of the breach, including exactly what data were compromised and how many individuals were impacted.
Non-profit health organization CHI Health has disclosed it was impacted in a third-party breach that may have exposed some patients' names, Social Security numbers, medical codes, addresses, phone numbers, email addresses, dates of birth, and gender. JDSupra reports that CHI vendor MCG Health LLC, a Washington-state tech company that provides patient care guidelines, discovered in March that an unauthorized party had previously obtained patient data from their systems. The Columbus Telegram explains that CHI was notified in April that their data might have been involved, and confirmed in May that there was a “likelihood that the protected health information of some of our patients may have been compromised." On June 10, MCG Health sent out data breach letters to all impacted individuals.
Two US eye-care clinics have also disclosed they were impacted in the data breach of electronic medical records platform “myCare Integrity,” provided by practice performance company Eye Care Leader. Harkins Eye Clinic, located in the state of Nebraska, disclosed that the incident may have resulted in the compromise of sensitive patient data, and national eye clinic chain Precision Eye Care released a similar notification. They are just two of the numerous clinics affected nationwide.