Earlier this week, Gannett Government Media Corp released a statement saying that the personal information of subscribers to publications read by U.S. government officials and military personnel was stolen. The information included names, emails addresses, and – you guessed it – passwords. It also included zip codes, duty status, and paygrade when provided by the subscriber.
First of all, can we all just collectively roll our eyes again, bang our heads against the firewall, and ask why companies are still storing customer passwords in plain text in their databases? Have people not learned anything from the recent string of passwords stolen? Gannett Government Media Corp should be embarrassed. In the past two months alone, the hacker group known as LulzSec stole and released hundreds of thousands of user passwords. They also showed, as if we needed any further reminder, that most people still re-use their passwords for multiple accounts.
The Wall Street Journal recently ran an article discussing passwords. In it they quote a study from PayPal noting that “two out of three people use just one or two passwords across all sites, with Web users averaging 25 online accounts.” For those of you who think you’re safe because you have two passwords – one for your throw away personal accounts, and one for your “sensitive” accounts like online banking – think again. If your “throw away” password can access even one personal email account, you and your friends are vulnerable. From that account, an attacker can launch a spear-phishing attack against your friends or your co-workers. Most people use their personal email accounts at least on occasion for business purposes. If not from email, the attackers could use the password to launch attacks from your social networking accounts, like Facebook, where they can post malicious links in your name – how many of your friends would trust a link if they saw it posted from your legitimate account?
Secondly, we have a cyber attack directed at our military. That’s a focused and target rich environment for further infiltration and to obtain classified data. If there’s another important lesson we’ve learned from the recent news, it is that not all cyber attacks are one time instances. As in the case with the RSA breach, where data stolen was used to launch subsequent attacks on defense contractors months later, cyber attackers often plan multi-stage and long term campaigns. They use information stolen today to launch deeper attacks tomorrow. If thousands of military personnel passwords have been compromised, the possibilities for subsequent breaches is high.