The 2018 Credential Spill report
Shape Security’s latest Credential Spill report was released last week and I was honored and privileged to be a part of it. It’s substantially longer than 2017’s - we’ve had so many new industries having come under the Shape umbrella over the course of the last 12 months and, with that, we witnessed a host of new types of attacks and exploitation for the different verticals.
The report is long but it’s an easy read — there are many graphs and charts and it’s written in a way that doesn’t expect you to have deep knowledge of esoteric security concepts. I highly recommend taking a look but, if you can’t possibly find the time, there is one part that is required reading for anyone who works with websites or, really, anyone who has a login to any website anywhere — The Life Cycle of Spilled Credentials.
The chapter that describes the life cycle of spilled credentials is a critical part of anyone’s responsible participation in the web because it begins to scratch the surface on why all the data breaches we keep seeing are so dangerous and will haunt us for years and decades to come. This chapter goes over what happens to the data, who uses it, how they use it, and how it propagates outward to spread damage over time. If you thought that the aftermath of a breach was little more than a large fine to the breached company and maybe a few changed passwords here and there you are very much mistaken. It affects you, your loved ones, and your colleagues and there’s no way to bottle it up once the data is out there.
Dealing with the repercussions of a data breach is the new normal for everyone — this is a collective problem for every person on the internet. The damage that occurs at a victim company is the least important aspect of a data breach.
The credential spill report has a few real-world stories of the types of fraud that occurs after a credential spill. I won’t ruin them by abbreviating the descriptions here but they help in understanding the downstream effect. Once you start to see how criminals take advantage of that data, the glass is broken and you can’t unsee how all the bits of data you’re asked for can be used against you in the future.
If you check it out the report please let me know what you think via email or twitter (@jsoverson). Thanks!