Although the stored passwords were hashed (one-way encrypted, so they cannot be read directly, though weak ones can still be cracked offline), the media outlet recommended that users change their passwords. To prove that it carried out the attack and had breached the database, the SEA defaced three online articles.
It seems that attackers and cybercriminals are increasingly targeting users' login credentials, which give them access to various systems. Only two weeks ago we learned that Yahoo's email system was breached using credentials stolen from a third party. In a recent blog we explained how third-party database breaches can lead hackers to your data.

With the login credentials for a user's account, it is possible to access the information stored within that account. It is unknown what type of information Forbes.com stored about its users; the concern would be exposure of personal and financial data. Credentials for contributors' accounts may also provide access to the systems the media outlet uses to publish news, allowing attackers to post fake news alerts. Last year, the Syrian Electronic Army took credit for hacking the Twitter account of the Associated Press (AP) and posting a fake news alert about an attack on the White House and President Obama. The alert was quickly denied, but not before the Dow Jones index fell by one per cent and $200bn was wiped off the entire market (stocks bounced back later in the day).

An additional concern is that many users re-use their passwords across multiple systems. After all, it is hard to remember so many passwords. If the passwords recovered from the Forbes.com database hashes also work for the email accounts they are paired with, then attackers can access those users' email accounts. Searching through a user's email can expose a wealth of personal data, and a compromised account can be used to craft spear-phishing messages and deliver drive-by download attacks. Because the email comes from a trusted source, someone the recipient regularly exchanges emails with, the chances that recipients fall for the scam increase. If users are re-using their credentials, the exposed information may also provide access to other websites and web services, including corporate systems.
While access to online consumer applications and services enables fraudulent transactions, access to corporate systems can enable an enterprise breach. There is no doubt that users who used their Forbes.com email address and password combination to log into various other websites are at risk.
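The analysis above rests on one step the article leaves implicit: a hashed password database still yields working passwords to anyone who can guess them from a wordlist. The following Python is an added example, not code from the original post or from Trusteer; the leaked records, users and wordlist are constructed for illustration, and the page does not state which hash function Forbes.com actually used. It contrasts an unsalted fast hash, where one table of candidate hashes cracks every user at once, with a salted, iterated hash (PBKDF2-HMAC-SHA256), where each candidate must be re-derived per user at a cost of many thousands of hash invocations. In both cases the two weak passwords are recovered and only the strong one survives, which is why "change your password" remains the right advice even when the breached site hashed properly.

```python
import hashlib
import hmac
import os

# Constructed illustrative data only: the page does not say which hash
# function the real Forbes.com database used, so this example compares a
# fast unsalted hash (MD5) with a salted, iterated one (PBKDF2-HMAC-SHA256).
WORDLIST = ["123456", "password", "letmein", "forbes2014", "qwerty", "iloveyou", "monkey"]

# Constructed users; carol's password is deliberately absent from the wordlist.
USERS = {
    "alice@example.com": "letmein",
    "bob@example.com": "forbes2014",
    "carol@example.com": "Tr0ub4dor&3",
}

ITERATIONS = 50_000  # cost factor per PBKDF2 derivation (assumed value)


def md5_hex(password: str) -> str:
    return hashlib.md5(password.encode()).hexdigest()


def pbkdf2(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)


# What an attacker would pull from each kind of database.
LEAK_UNSALTED = {user: md5_hex(pw) for user, pw in USERS.items()}
LEAK_SALTED = {}
for _user, _pw in USERS.items():
    _salt = os.urandom(16)
    LEAK_SALTED[_user] = (_salt, pbkdf2(_pw, _salt))


def crack_unsalted(leak: dict, wordlist: list) -> tuple:
    """Hash every candidate once, then look every user up in that table.
    Returns (recovered passwords by user, number of hash computations)."""
    table = {md5_hex(w): w for w in wordlist}
    recovered = {user: table[h] for user, h in leak.items() if h in table}
    return recovered, len(wordlist)


def crack_salted(leak: dict, wordlist: list) -> tuple:
    """Per-user salts defeat the shared table: every candidate must be
    re-derived for each user, and each derivation costs ITERATIONS hashes.
    Returns (recovered passwords by user, number of PBKDF2 derivations)."""
    recovered = {}
    derivations = 0
    for user, (salt, digest) in leak.items():
        for candidate in wordlist:
            derivations += 1
            if hmac.compare_digest(pbkdf2(candidate, salt), digest):
                recovered[user] = candidate
                break  # a real attacker stops at the first hit
    return recovered, derivations


if __name__ == "__main__":
    got, work = crack_unsalted(LEAK_UNSALTED, WORDLIST)
    print(f"unsalted: recovered {got} with {work} hash computations")
    got, work = crack_salted(LEAK_SALTED, WORDLIST)
    print(f"salted:   recovered {got} with {work} derivations "
          f"(~{work * ITERATIONS:,} underlying hash invocations)")
```

Salting and iteration multiply the attacker's cost (here 14 derivations of 50,000 hashes each instead of 7 single hashes), but they do not change the outcome for passwords that sit in a wordlist. The only accounts that stay safe in both runs are those whose password was never guessable in the first place.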
Recommendations:
Users should change their login passwords and avoid reusing a password across multiple websites and applications. Organisations should educate employees about the risk of re-using passwords to log into multiple applications, but education on its own is not enough. There are simple controls that can be implemented, like Trusteer Apex, to prevent employees from reusing their corporate credentials on other accounts, especially using the same credentials for work-related and personal accounts.

Dana Tamir is director of enterprise security at Trusteer.
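To make the recommendation above concrete, here is an added sketch in Python of the kind of endpoint control that blocks corporate-credential reuse. It is not Trusteer Apex's implementation nor code from the original post: the host names, the password and the submitted URLs are constructed for the example. The control keeps only a salted PBKDF2 verifier of the corporate password (never the password itself), is invoked at form-submission time, and flags any submission of that password to a host outside the corporate allowlist.

```python
import hashlib
import hmac
import os
from urllib.parse import urlsplit

ITERATIONS = 100_000  # assumed cost factor for the verifier
# Hypothetical corporate sign-on hosts; anything else is treated as external.
CORPORATE_HOSTS = {"sso.example-corp.com", "mail.example-corp.com"}


def derive(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)


class ReuseMonitor:
    """Holds a salted verifier of the corporate password and flags any
    submission of that password to a non-corporate origin."""

    def __init__(self) -> None:
        self._salt = None
        self._verifier = None
        self.events = []  # audit trail of detected reuse

    def enrol(self, corporate_password: str) -> None:
        """Called once at corporate login; the plaintext is not retained."""
        self._salt = os.urandom(16)
        self._verifier = derive(corporate_password, self._salt)

    def _is_corporate_password(self, candidate: str) -> bool:
        if self._verifier is None:
            return False
        # Constant-time comparison so the check itself leaks nothing.
        return hmac.compare_digest(derive(candidate, self._salt), self._verifier)

    def on_submit(self, url: str, password: str) -> str:
        """Hook for the browser's form-submission path, before the request
        leaves the machine.  Returns 'allow' or 'block'."""
        host = urlsplit(url).hostname or ""
        if host in CORPORATE_HOSTS:
            return "allow"
        if self._is_corporate_password(password):
            self.events.append(f"corporate password reused at {host}")
            return "block"
        return "allow"


def demo() -> tuple:
    """Enrol a constructed corporate password, then replay three submissions."""
    monitor = ReuseMonitor()
    monitor.enrol("C0rp-Secret!2014")  # constructed example password
    results = [
        monitor.on_submit("https://sso.example-corp.com/login", "C0rp-Secret!2014"),
        monitor.on_submit("https://news.example.org/account/login", "C0rp-Secret!2014"),
        monitor.on_submit("https://news.example.org/account/login", "totally-different-pw"),
    ]
    return results, monitor.events


if __name__ == "__main__":
    print(demo())  # (['allow', 'block', 'allow'], ['corporate password reused at news.example.org'])
```

Two caveats a practitioner would weigh before deploying something like this: the check is exact-match only, so a trivially varied password (the corporate one with a digit appended) passes through unless a separate similarity check is added, and the host allowlist must be maintained or legitimate corporate logins on a new domain will be blocked.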