Password Pwned

Hue Watson
GT Usable Privacy and Security Course
3 min read · Jan 18, 2019

Description: I recently read an article on Gizmodo with the headline “Mother of All Breaches Exposes 773 Million Emails, 21 Million Passwords” (article can be found here: https://gizmodo.com/mother-of-all-breaches-exposes-773-million-emails-21-m-1831833456). As the title suggests, about 773 million email addresses and 21 million passwords were exposed as part of something called the “Collection #1” data breach. Details can be found in the article, but the main point is that this is an issue for anyone who uses the same password for multiple accounts, because it makes them vulnerable to a type of attack called “credential stuffing”. My understanding of what this means is that the same email/password combos leaked from one site can be tried against the user’s other accounts, and any account that reuses the same combo is then opened.

Before reading this article, a member of the Georgia Tech SPUD Lab Slack group posted the following website: https://haveibeenpwned.com. (Note: it’s helpful to read the FAQs - https://haveibeenpwned.com/FAQs#DataSource.) These two things are connected because the “Collection #1” data breach was discovered by Troy Hunt. According to the article he is a security researcher who manages the above site (HIBP). Long story short, there were 140 million emails and 10 million passwords found in “Collection #1” that were new to the HIBP database; in other words, these newly found accounts had not appeared in any previously known breach.

Being curious about this, I — like the author of the article — checked to see if any of my email/password combos had been compromised… and no surprise here, a couple of my accounts had been. Lesson learned. Perhaps I shouldn’t use the same email/password combos for multiple accounts, maybe I do need to start using a password manager like the article suggests, maybe I should just update my passwords more frequently, or perhaps I should add 2FA to everything.
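As an added example (not from the post), this is how a password can be checked against HIBP’s Pwned Passwords corpus without sending the password itself: hash it with SHA-1, send only the first five hex characters of the digest to the range endpoint, and compare the returned suffixes locally. The endpoint URL is the real HIBP Pwned Passwords API, which the post does not describe; the range response used in the demo is constructed so the code runs offline.

```python
import hashlib
import urllib.request

RANGE_URL = "https://api.pwnedpasswords.com/range/"  # real HIBP endpoint

def sha1_prefix_suffix(password):
    """Return the 5-char prefix sent to HIBP and the 35-char suffix kept local."""
    digest = hashlib.sha1(password.encode("utf-8")).hexdigest().upper()
    return digest[:5], digest[5:]

def parse_range(body):
    """Parse 'SUFFIX:COUNT' lines from a range response into {suffix: count}."""
    counts = {}
    for line in body.splitlines():
        suffix, sep, count = line.strip().partition(":")
        if sep:
            counts[suffix.upper()] = int(count)
    return counts

def fetch_range_online(prefix):
    """Fetch one range from HIBP (needs network; the demo below avoids it)."""
    req = urllib.request.Request(RANGE_URL + prefix,
                                 headers={"User-Agent": "pwned-check-example"})
    with urllib.request.urlopen(req, timeout=10) as resp:
        return resp.read().decode("utf-8")

def pwned_count(password, fetch_range=fetch_range_online):
    """How many times the password appears in the corpus (0 = not found).
    Only the prefix leaves the machine; the suffix match happens locally."""
    prefix, suffix = sha1_prefix_suffix(password)
    return parse_range(fetch_range(prefix)).get(suffix, 0)

# Constructed sample response for prefix 5BAA6 (SHA-1 of "password").
# Counts here are made up; the live service returns hundreds of suffixes.
SAMPLE_RANGE_5BAA6 = (
    "1E4C9B93F3F0682250B6CF8331B7EE68FD8:3861493\r\n"
    "0123456789ABCDEF0123456789ABCDEF012:2\r\n"
)

def demo_fetch(prefix):
    """Offline stand-in for fetch_range_online, serving only the sample above."""
    return SAMPLE_RANGE_5BAA6 if prefix == "5BAA6" else ""

if __name__ == "__main__":
    for pw in ("password", "correct horse battery staple"):
        print(pw, "->", pwned_count(pw, fetch_range=demo_fetch))
```

Replace `demo_fetch` with the default `fetch_range_online` to query the live service; the password never leaves the machine either way, only the five-character prefix does.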

Relation: In the first week of class we talked about the multiple hacking methods that can be utilized; credential stuffing is yet another one. We’ve also discussed how difficult it is to manage account credentials, because in today’s world people are required to have so many accounts for everything they want to access (social media, music, entertainment accounts, etc.). Yet if we connect all of our accounts and tie them to one main source, as in SSO (Gmail or Facebook), the issue still isn’t resolved, because access to multiple services is easily retrievable from one account. 2FA offers more protection but can be cumbersome (especially if you’ve forgotten your phone at home, like I have before). However, over and over again we’ve seen breaches where people have been compromised, yet they still don’t react or change. I myself am guilty of not reacting immediately to these kinds of threats.

Implication: I did indeed change my passwords and added 2FA to my accounts. I also changed passwords for all of my accounts (something I admittedly was supposed to do at the beginning of the year but hadn’t “gotten around to yet”). So, for me, this was a kind of wake-up call to stay up to date with my cybersecurity and be more proactive. But how many people actually do this immediately when they first become aware of the issue? There isn’t as much impetus to safeguard our digital security. Is it because it’s not as tangible as our physical security? Something I’ve thought about is how we can develop a visual footprint of our digital security, so we have an idea of how much data we actually have that we should safeguard. This data, after all, can be just as valuable and have as much, or even more, impact than any physical entity.
