Leaked 1.4 billion credentials a risk to users and business

We wrap this week in the middle of December wrestling with the question of “How much risk aggregated data breaches pose to users and business?” While the database containing 1.4 billion plain text passwords discovered on the dark web has been widely reported, many folks are quick to jump on the HaveIBeenPwned (HIBP) train of thought and dismiss this database as an aggregation of well-known data breaches. Some folks are missing the real point and perpetuating bad thinking about risk management.

Founder and CTO of 4IQ, Julio Casal, wrote a great piece explaining “This is not just a list. It is an aggregated, interactive database that allows for fast (one second response) searches and new breach imports.” Meanwhile, Troy Hunt, owner and operator of the popular breach notification service HaveIBeenPwned argues on Twitter, “There is nothing new here, someone compiled old data into a consolidated list and torrented it.” In a world where privacy is under constant attack and hacking tools are easy to access and use, a more nuanced conversation is needed to understand the risks that this interactive database poses to organizations.

Risk is not binary

A common use case for a breach notification service is alerting when a user’s email address has been found in a recent data breach. This is a low-level risk indicator, as it is impossible to tell whether the user’s password has been compromised. (Such is the case when using a service such as HIBP) This low-level indicator of risk does not provide a balance between user experience and security, if one intended to warn users based on this information alone.

As cyber security and threat intelligence companies continue investing in dark web research, big data science and artificial intelligence, new high value use cases emerge that help determine the degree of risk exposure to both users and organizations. Examples of this are Oracle’s recent announcement and SailPoint’s Identity Risk Score. In both cases, risk scoring calculations are used to enforce conditional access controls and adaptive security policies to better protect users, cloud applications, digital services and data.

“Simply put, the more bad actors and hackers who have access to the compromised accounts, the greater the risk of experiencing a data breach.”

In consideration of Level 1 risk (as shown in the figure below) it is understandable why Hunt would not want to import duplicate breach data into the HIBP database, as it simply adds no new value for the users of the service. For 4IQ, Oracle and SailPoint, having visibility into all the data from the dark web is valuable to understand not only whether a user’s email address been found in a data breach, but to what extent the user has been compromised. Simply put, the more bad actors and hackers who have access to the compromised accounts, the greater the risk (of experiencing a data breach) to the user and organization.

Credential monitoring & verification is the new breach notification

Modern cloud security solutions protecting against the leading cause of data breaches – weak or stolen passwords – are leaning towards credential monitoring and verification as a more precise way to prevent the abuse of compromised credentials. Having the ability to prevent logins using breached credentials is a transformation for most organizations, and fills a huge gap left by low adoption rates of 2FA and MFA solutions. For example, VeriClouds offers a free service to search the database of 1.4B leaked credentials, and APIs that allow an organization to verify whether a compromised credential (I.e., a username and password pair) is being used or not. (Disclaimer: I am the CEO of VeriClouds)

Additionally, adding the database of 1.4B leaked credentials expands an organization’s visibility into the degree of user-centric risk, and provides the tools to easier detect credential stuffing, phishing and account takeover attacks.

Darran Rolls, CTO of SailPoint, argues that “Appropriately managed passwords remain an effective and user-friendly way to secure an account or a service. It is however critical that everyone (and I mean everyone) minimizes the risk of dealing with passwords, by employing a closed loop system of governance that enables good password hygiene throughout the lifecycle of every account.”

“Credential monitoring and verification can be an unobtrusive way for organizations to mitigate risk as they continue to offer more services to their clients,” said Rohit Gupta, group vice president, Cloud Security, Oracle. “By incorporating breached credential data into the Oracle Identity SOC framework, we are able to elevate the risk of a transaction in real-time and prompt for additional information or outright deny access, without any human intervention.”

HIBP has enjoyed a good run as a leading breach notification service, but it simply falls short for many use cases needed by global organizations attempting to detect and protect against the abuse of compromised credentials. It is no longer enough to simply answer, “Have I been pwned?” Leading security practitioners assume a state of breach. Forward thinking organizations are already adopting advanced cloud security services that help answer the question, “How at risk are my users and my organization?”