On Dec 8, 2017, 4iQ reported the discovery of a database on the dark web containing 1.4 billion credentials—in clear text.1 The fine writers of the aforementioned article note that they’ve “tested a subset of these passwords and most of them have been verified to be true.”
A standard calculator (like the one on your smartphone) cannot display 1,400,000,000 without using scientific notation. I tried; my poor iPhone can only manage to display 140 million. There aren’t enough digits on a standard calculator to deal with numbers of this magnitude. Our brains, it turns out, are similarly limited. The numbers associated with breaches of late is so large that scientists tell us we can’t really comprehend it.2 That’s usually why we talk in terms of percentages and round up to numbers easier to swallow, because we are much better at grasping those implications.
This innate inability is problematic, because as researchers note, “the larger a number grows, the harder it becomes to deal with. But sometimes, extremely large numbers lurking in the levels of billions and trillions and more, actually are relevant to the lives of everyday people. Take the national debt and government deficit for example. In order to understand such numbers, it's important to have an understanding of the context that number falls into.”
So, let’s put them into context.
As of June 2017, there were approximately 3.8 billion Internet users across the globe,3 and 1.4 billion is just over one-third (37%) of all Internet users. That means if just three of us get together, the credentials from one of us was likely in that database.
If you’re uncomfortable with this revelation, let me make you even more uncomfortable: that’s just the tip of the proverbial iceberg.
F5 Labs gathered and analyzed data related to a decade of data breaches and discovered that 1.4 billion is a mere pittance when viewed against the almost 12 billion records (of all kinds) compromised over the past ten years.
“In 338 cases, almost twelve billion records (11,768,384,080) were compromised. That’s an average of 34,817,704 records per breach! To put that figure into perspective, the current world population is 7.5 billion, and the population of people online as of June 30, 2017 was 3.8 billion. That’s roughly 1.6 records breached per person in the world (just because you’re not online doesn’t mean your data isn’t), or 3 records per person online that have been breached.”
This research does not include the recent find by 4iQ. If we include that, the number of records breached rises to 13 billion, or an average of 3.5 records per person online.
The point is not to scare you into a fetal position under your desk. It is to ignite awareness that we are experiencing a very real and troubling credential crisis that cannot be managed simply by changing passwords anymore. Moore’s law and cloud computing are completely indifferent as to their application. They work just as well for the defenders as they do the attackers.
Source: Lessons Learned from a Decade of Data Breaches, F5 Labs, Nov 2017
With literally billions of credentials stashed on the “dark web” and accessible to anyone with the means to pay for them, we must consider that we might be feeding the trolls by changing passwords without simultaneously re-examining our app protection and access strategies.
Because 3.4 million secret question and answer records were also among the records breached. Changing passwords won’t stop someone from resetting a password by correctly answering the canned questions presented by most organizations.
What will help is a strategy that includes protection from compromised credentials being used from attacker machines, and protecting applications from being exploited in the first place:
- Multi-factor authentication (MFA) to prevent stolen credentials being used from unknown (attacker) systems
- A hyperactive approach to patching vulnerabilities in platforms and applications
- Use of both reactive and proactive security technologies to protect and defend apps against exploitation
- Vigilant monitoring of applications, databases, endpoints, and network activity, including decrypted traffic
Stay safe out there.