I previously wrote in another blog last year about the responsibilities companies have to protect their users when it comes to vulnerabilities and not just their own assets. Although not a continuation of that specific topic, I felt compelled to write this post due to the string of recent events and blame shifting I’ve seen in the news recently with Disney+, Ring, Nest, and so many others. It typically goes like this; There’s a breaking news headline about hackers breaching a service and gaining access to customer accounts. Shortly after, the company denies any such event and instead blames it’s users for reusing passwords that belong to another organization’s previous data breach. They wash their hands of it and move along. It should go without saying that this is bad publicity for the company involved, the users directly affected, and it also doesn’t look good when you’re pointing the finger at your new subscribers (*cough* Disney). While true there’s some fault on the user, the company also owns some responsibility in allowing it to happen, especially when it can so easily be prevented.
A technique known as Credential Stuffing is something we red teamers have been using since the beginning of time, but it’s recently gotten a lot of attention in the Cybersecurity community. Tools such as Snipr make it easy for an attacker to plug in a set of credentials and see what other services those work on, like your Netflix account. I’ve previously written some OSINT blog posts about the process of scraping public breach lists for credentials so I won’t do that today.
Although the adoption of password managers is growing, many people still reuse passwords on multiple sites. (Do you?) According to a recent report by Google, nearly 1.5% of all accounts belong to a public breach list. That doesn’t even account for the shared credentials that are not yet exposed due to a prior breach. Password managers don’t just make it easy to remember credentials, they make it easy to issue new ones on demand when you first sign up, as well. Most will now even tell you if one of your passwords are on a breach list due to reuse, which is great! 1Password, LastPass, KeePass, and others are great examples of this adoption. Even authorization services such as Auth0 are baking this in by default.