In spite of repeated warnings, end-users haven’t gotten the memo about the dangers of setting passwords that are ridiculously easy to guess, such as “12345,” and reusing those passwords across numerous websites. At the same time, companies are still falling short in their efforts to protect critical customer data. The result is a continued string of bad news for companies falling victim to credential-stuffing attacks.
Online Music Database Suffers Massive Breach
Last.fm, a website that allows users to explore other music sites and provides a platform for them to connect with like-minded music fans, was the victim of a significant cyberattack that exposed account credentials for 43 million users, the website Hackread reported.
The Last.fm hack occurred in 2012, but the usernames and passwords were just now leaked on the Internet, according to Hackread and the data breach notification site LeakedSource. Each stolen record apparently contains a username, password, email address, join date, and other internal data. The passwords were stored by Last.fm using unsalted MD5 hashing, a method declared "cryptographically broken and unsuitable for further use" by the Carnegie Mellon University Software Engineering Institute back in 2009.
What's more, the most commonly used password on the site was “123456,” and the second most popular password was “password.” Given all this, it’s no surprise that Last.fm caught the attention of attackers, since Account Takeover (ATO) attacks are the most common type of data breach today. With a thriving market for stolen user credentials on the darknet, ATO attacks can often prove very lucrative.
Dropbox Data from 2012 Breach Surfaces on Darknet
It also emerged this week that user credentials for 68 million users of cloud storage site Dropbox have surfaced on the darknet, where they’re available for sale. The Washington Post reported that, as in the Last.fm breach, the five-gigabyte data cache was originally stolen in 2012 but was only now offered up for sale. It was offered at a price of two bitcoins, which amounts to about $1,141.
While Dropbox was apparently aware of the breach when it occurred, the true extent of the damage only came to light this month. In this case, unlike in the Last.fm example, the passwords were reportedly hashed and salted, which should make them more difficult for attackers to successfully leverage. (This is the reason the sale price is so low, the newspaper reported, although with sophisticated enough tools, hackers could potentially bypass this protection.) Since the 2012 attack, Dropbox has instituted a multi-step user authentication process to try to head off similar events in the future.
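To make the difference between the two storage schemes concrete, here is an added example (not code from either company or from the original post) contrasting Last.fm-style unsalted MD5 with a per-user salted, slow password hash. The user records are constructed for the example, and the `pbkdf2_sha256$…` record format is an assumption of this example, not a format either site is known to use.

```python
import hashlib
import hmac
import os
from collections import Counter
from typing import Dict, Optional

# Constructed sample user records for this example (not data from either breach).
USERS = {"alice": "123456", "bob": "password", "carol": "123456", "dave": "hunter2"}


def unsalted_md5(password: str) -> str:
    """Last.fm-style storage: a single MD5 over the raw password, no salt."""
    return hashlib.md5(password.encode()).hexdigest()


def duplicate_password_groups(store: Dict[str, str]) -> Dict[str, int]:
    """With unsalted hashes, identical passwords give identical digests, so whoever
    holds the dump can count reuse (which is how '123456' is known to be the most
    common password) and match one recovered digest to every user sharing it."""
    counts = Counter(store.values())
    return {digest: n for digest, n in counts.items() if n > 1}


def hash_with_salt(password: str, salt: Optional[bytes] = None, iterations: int = 600_000) -> str:
    """Hardened form: a random per-user salt plus a deliberately slow KDF
    (PBKDF2-HMAC-SHA256). Record layout 'pbkdf2_sha256$iter$salt_hex$digest_hex'
    is an assumption of this example."""
    salt = salt if salt is not None else os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return f"pbkdf2_sha256${iterations}${salt.hex()}${digest.hex()}"


def verify(password: str, stored: str) -> bool:
    """Recompute with the stored salt and iteration count; compare in constant time."""
    _, iterations, salt_hex, digest_hex = stored.split("$")
    candidate = hashlib.pbkdf2_hmac(
        "sha256", password.encode(), bytes.fromhex(salt_hex), int(iterations)
    )
    return hmac.compare_digest(candidate, bytes.fromhex(digest_hex))


if __name__ == "__main__":
    weak = {u: unsalted_md5(p) for u, p in USERS.items()}
    print("shared digests in unsalted store:", duplicate_password_groups(weak))
    strong = {u: hash_with_salt(p) for u, p in USERS.items()}
    print("shared digests in salted store:", duplicate_password_groups(strong))
    print("login checks:", verify("123456", strong["alice"]), verify("wrong", strong["alice"]))
```

Run as-is, the unsalted store reveals that alice and carol share a password, while the salted store shows no shared digests even though the same passwords are present.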
Effective Methods of Fighting Account Takeover Address Both Phases of the Attack
A number of methods exist for safeguarding web applications and websites from ATO attacks, but many of these solutions fail to take into account the fact that such attacks actually come in two phases.
To succeed in an ATO attack, the attacker must first obtain a token (either a user’s session token or a user’s password). Armed with either of these, the attacker can impersonate a legitimate user. Once the tokens have been gathered, attackers can either sell them or use them to penetrate user accounts further. When attackers leverage tokens to access user accounts, the ATO attack enters its second phase, the token usage stage.
Organizations searching for effective solutions for protecting sensitive user and customer data must choose security solutions that address both phases of ATO attacks. An emerging technology known as Runtime Application Self-Protection (RASP) offers the most comprehensive protection of this critical data.
Complex security solutions that require skilled administrators to run, such as Web Application Firewalls (WAFs), often fall short, particularly given the demanding requirements of today’s rapid development cycles. RASP solutions offer detailed information about the exploitable vulnerabilities attackers target, and pinpoint those vulnerabilities down to the line of code. This allows developers to permanently remediate those vulnerabilities.
Want to learn more? Read our ebook detailing the current landscape of ATO attack threats, and the best practices for protecting your applications, your website, and your customers.