By Robert McMillan
In the past month, hackers have taken over the Twitter accounts
of Facebook Inc. Chief Executive Mark Zuckerberg, Google CEO Sundar
Pichai -- and Twitter Inc.'s own CEO, Jack Dorsey.
Behind the scenes, security teams at every major technology
company -- and many smaller firms, too -- are scrambling to protect
others from the same fate.
Some of the executives apparently reused passwords that had been
stolen in earlier hacks of LinkedIn, Myspace and other sites;
others may have fallen victim to tools that use the old
passwords to guess new ones.
Nearly two billion old passwords can be viewed for as little as
$2 apiece at a database called LeakedSource, run by anonymous
operators. Investigators say 1% to 8% of the LinkedIn usernames and
passwords will work on other services, giving hackers a way to take
over accounts elsewhere. LinkedIn, meanwhile, reset its own users'
passwords and fixed a security hole that had allowed data to be
stolen in 2012. The company is in the process of being acquired by
Microsoft, a $26.2 billion deal that's expected to close by year's
end.
Hacking creates a dilemma for operators of other popular
consumer web services. They can require all users to change their
passwords, and risk losing some users. If they don't force password
changes, users' accounts could be hacked.
"If they change passwords for their users, no matter how well
they explain it, the perception may be completely off," said Alex
Holden, the founder and chief information security officer of Hold
Security LLC, which helps companies spot stolen credentials on
hacking sites. "If even 0.1% of these users panic and they have to
call customer service in one day, it creates a nightmare."
Carbonite Inc., which offers online backup services, chose to
reset passwords for each of its 1.5 million users. The company also
analyzed the hacked data and required customers whose credentials
appeared in the database to confirm their identities in order to
access their accounts.
Carbonite moved decisively because of the serious consequences
of a compromise, said Norman Guadagno, Carbonite's senior vice
president of marketing. "When you have a Carbonite account -- or
any backup service -- and you have the username or password to that
account, you have access to everything," he said.
Twitter, Facebook, Yahoo Inc. and others chose a different
course. Instead of resetting all passwords, they analyzed the
stolen credentials and then urged or forced affected users to reset
their passwords.
Combing through the data is time-consuming. Yahoo has one
billion users. Its security team began examining the LinkedIn
database on May 18. Some of the passwords in the dump were stored
as hashes rather than plaintext. Yahoo staffers had to crack those
hashes before they could check the credentials against Yahoo's own
users.
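The matching step described above, as an added example that is not Yahoo's or any other company's code: a hypothetical service cracks the hashes in a leaked dump with a wordlist, then checks each recovered password against its own (salted, PBKDF2) user records and sorts users into "force a reset" (reuse confirmed), "urge a reset" (the account is in the dump but the hash could not be cracked) and "no action". The dump, wordlist and user store are constructed for the example; the unsalted SHA-1 format of the dump is an assumption made to show why one hash computation per wordlist entry covers the whole dump.

```python
import hashlib
import hmac
import os
from typing import Dict, List, Tuple


def sha1_hex(password: str) -> str:
    """Unsalted SHA-1 hex digest, the assumed format of the leaked dump."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest()


# Constructed leaked dump: (email, unsalted SHA-1 hex). Accounts are made up.
LEAKED_DUMP: List[Tuple[str, str]] = [
    ("alice@example.com", sha1_hex("sunshine123")),
    ("bob@example.com", sha1_hex("Tr0ub4dor&3")),
    ("carol@example.com", sha1_hex("correct horse battery staple")),
    ("dave@example.com", sha1_hex("password")),
]

# Constructed cracking wordlist; a real one would be far larger.
WORDLIST = ["123456", "password", "letmein", "sunshine123", "Tr0ub4dor&3"]

PBKDF2_ITERATIONS = 100_000


def make_record(password: str) -> Tuple[bytes, bytes]:
    """Our hypothetical service stores a random per-user salt and a PBKDF2 hash."""
    salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ITERATIONS)
    return salt, digest


def verify_record(password: str, record: Tuple[bytes, bytes]) -> bool:
    """Constant-time check of a candidate password against a stored record."""
    salt, digest = record
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ITERATIONS)
    return hmac.compare_digest(candidate, digest)


# Constructed local user store for our own service.
OUR_USERS: Dict[str, Tuple[bytes, bytes]] = {
    "alice@example.com": make_record("sunshine123"),                   # reused leaked password
    "bob@example.com": make_record("a-different-one!"),               # in dump, not reusing
    "carol@example.com": make_record("correct horse battery staple"),  # reused, but uncrackable here
    "dave@example.com": make_record("password"),                      # reused leaked password
    "eve@example.com": make_record("hunter2hunter2"),                 # not in the dump at all
}


def crack_dump(dump: List[Tuple[str, str]], wordlist: List[str]) -> Dict[str, str]:
    """Map each crackable email in the dump to its recovered plaintext.

    Because the dump is unsalted, the wordlist is hashed once and looked up
    for every account, rather than once per account.
    """
    table = {sha1_hex(w): w for w in wordlist}
    return {email: table[h] for email, h in dump if h in table}


def classify_users(dump, users, wordlist) -> Dict[str, List[str]]:
    """Decide per local user whether to force, urge, or skip a password reset."""
    cracked = crack_dump(dump, wordlist)
    dumped_emails = {email for email, _ in dump}
    result: Dict[str, List[str]] = {"force_reset": [], "urge_reset": [], "no_action": []}
    for email, record in users.items():
        if email not in dumped_emails:
            result["no_action"].append(email)
        elif email in cracked:
            # Only the recovered plaintext can be tested against our salted hash.
            if verify_record(cracked[email], record):
                result["force_reset"].append(email)
            else:
                result["no_action"].append(email)
        else:
            # Account is in the dump but the hash did not crack: reuse is unknown.
            result["urge_reset"].append(email)
    return result


if __name__ == "__main__":
    for bucket, emails in classify_users(LEAKED_DUMP, OUR_USERS, WORDLIST).items():
        print(f"{bucket}: {sorted(emails)}")
```

The split into three buckets is the point: a confirmed match justifies a forced reset, while an uncracked hash only tells you the account appears in the dump, which is the case where a company can do no better than urge the user to act.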
Eight days later, on May 26, Yahoo emailed notes out to an
undisclosed number of affected users, telling them to reset their
passwords.
"There is a huge amount of frantic activity happening in
consumer businesses to keep our users safe," Alex Stamos,
Facebook's chief security officer, told a White House cybersecurity
commission at a hearing in Berkeley, Calif., in June.
One pitfall of this approach: Users may ignore messages to reset
their passwords. Amazon.com Inc. Chief Technology Officer Werner
Vogels lost control of his Bitly Inc. link-shortening account after
ignoring a password-reset message, he confirmed in a Twitter
message.
The Twitter account of Brendan Iribe, chief executive of
Facebook's Oculus virtual-reality unit, was ripe for the taking
because he'd reused an old Myspace password, said "Lid," the hacker
who claimed to have taken over Mr. Iribe's account for a few hours
last month. Lid sent out several unauthorized Twitter messages,
including one proclaiming himself the new Oculus CEO. Lid declined
to provide his real name.
Large databases of usernames and passwords periodically become
available on black-market websites. In the past few months,
however, "the abuse of the data seems to be on the rise," said Bob
Lord, Yahoo's chief information security officer.
The high-profile Twitter users typically regained control of
their accounts within hours, causing them little damage beyond
embarrassment. But security professionals say reusing passwords can
expose corporate networks or the growing number of corporate online
services.
Corporations tell employees not to reuse their corporate
passwords on services such as LinkedIn or Myspace, but it is
impossible for them to check whether this is happening. That is
worrying, said Cormac Herley, a researcher with Microsoft Corp. "It
could be that some third party has a breach and I'm essentially
hostage to whether my employees reused passwords," he said.
Write to Robert McMillan at Robert.Mcmillan@wsj.com
(END) Dow Jones Newswires
August 07, 2016 05:44 ET (09:44 GMT)
Copyright (c) 2016 Dow Jones & Company, Inc.