Although the passwords were one-way encrypted, the media outlet recommended users change their passwords. To prove that it carried out the attack and breached the database, the SEA defaced three online articles.
It seems that attackers and cybercriminals are increasingly targeting users login credentials which will provide them access to various systems. Only two weeks ago we learned that Yahoos email system was breached using credentials stolen from a third party. In a recent blog we explained how third party database breaches can lead hackers to your data.
With login credentials to the users account, it is possible to access information stored within the users account. It is unknown what type of information Forbes.com stored about its users. The concern would be exposure of personal and financial data.
Credentials to contributors accounts may actually provide access to systems used by the media outlet to publish news, allowing attackers to post fake news alerts. Last year, the Syrian Electronic Army took credit for hacking the Twitter account of the Associated Press (AP) and posting a fake news alert about an attack on the White House and President Obama. The news alert was quickly denied, but not before the Dow Jones stock exchange fell by one per cent and $200bn was wiped off the entire market (stocks bounced back later in the day).
An additional concern is that many users tend to re-use their passwords across multiple systems. After all, it’s hard to remember so many passwords. If the passwords extracted from the Forbes.com database enable access to the email accounts they are paired with, then attackers can access these users email accounts. Searching through emails in a users account can expose a wealth of personal data. A breached user account can be used for developing spear-phishing messages and drive-by download attacks. The fact that the email comes from a trusted source, someone the user regularly exchanges emails with, increases the chances that phishing email recipients will fall for the scam.
If users are re-using their credentials, the exposed information may also provide access to other websites and web services, including corporate systems. While access to online consumer applications and services enables fraudulent transactions, access to corporate systems can enable an enterprise breach. There is no doubt that users who used their Forbes.com email address and password combination to log into various other websites are at risk.
Users should change the login passwords and avoid reusing password across multiple websites and applications.
Organisations should educate employees about the risk in re-using passwords for logging into multiple applications, but education on its own is not enough. There are simple controls that can be implemented, like Trusteer Apex, to prevent employees from reusing their corporate credentials across multiple accounts, especially using the same credentials for work related accounts and personal accounts.
Dana Tamir is director of enterprise security at Trusteer.