Mass Password Reset is a Welcome Security Move

by Mike on July 5, 2016

LinkedIn is still suffering from the major data breach of four years ago, which leaked 6.5 million encrypted user passwords on a Russian crime forum. That was just the beginning. The breach was not properly handled, and the hacker behind it is now selling 117 million email and password pairs on a dark web marketplace for five Bitcoins, equivalent to about 2,300 US dollars. Data breaches happen all the time, and lately they have gotten much bigger and bolder. Online companies especially need to be more vigilant to protect their users from attacks on multiple fronts. Some companies, like Netflix and Facebook, regularly scan user profiles for re-used passwords that have been stolen in hacks. Users may not be too happy about having to swap out passwords, but security advocates are relieved that companies are making this pre-emptive move.

Password Reset

Many online companies have taken to alerting their users to the need to make their passwords unique and to change them frequently. Some of them are going a few steps further, spending resources to keep up with data leaks so that they can warn their users about any compromised passwords. They use the Scumblr tool, which has drawn mixed reactions because it is used to dig through high-profile sites using keywords. With Scumblr, they check the leaks against their users’ credentials and send notices when re-used passwords put accounts in danger. These companies have not been breached, because they have better security practices, but their users are in danger when they use the same passwords on other sites that are less secure.

A password reset used to be suggested only as an alert or warning about the threat, but a few companies may be thinking about forcing a reset to protect their users. This is a hassle for many account holders, and many are not going to appreciate the extra work. But companies that push through with this are actually putting users first. Compromised accounts can open a door for malicious hackers and lead to more breaches in an otherwise secure environment. Other users are in danger, and annoying a few for the good of all is a price they are willing to pay. Netflix recently sent out notices for passwords re-used on LinkedIn because of the 2012 breach that leaked user passwords on a dark web marketplace. They sent out similar notifications to Tumblr and MySpace users who had the same passwords on their Netflix accounts. The company reset these users’ passwords automatically and simply notified them of the action.

Netflix posted a statement on KrebsOnSecurity about their practice of searching for re-used passwords, explaining that it has become a policy. Taking proactive security measures with the help of Scumblr and other tools and methods is important for user safety. Netflix does this for many types of security breaches, not only the big ones. Facebook also picked up the same practice, putting it to good use after the huge 2013 Adobe hack. This was done to protect its users from hackers or criminal buyers who would test username and password combinations on other websites like Facebook. Getting into other user accounts with a set of credentials helps attackers to broaden the hack and launch other schemes like fraud, identity theft and various scams.

It is important to note here that the focus should not be placed on these companies that are trying to secure their users. Just because they can learn if users are reusing passwords, it doesn’t mean that they are accessing those passwords. They can simply use a hashing tool that tells them if their users’ passwords match any of the ones that have been leaked. They don’t need to go and figure out which ones exactly. Some people might be concerned about this nonetheless, but we choose to focus on the fact that these companies are going the extra mile to help their users stay safe despite breaches at other companies that they have nothing to do with.
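The hash comparison described above can be sketched as follows. This is an added example, not code from Netflix, Facebook or Scumblr. It assumes the leak contains email and plaintext password pairs and that the service stores only salted PBKDF2 hashes; every name and all sample data are constructed for illustration.

```python
import hashlib
import hmac
import os

PBKDF2_ITERATIONS = 100_000  # assumed work factor for this example


def hash_password(password: str, salt: bytes) -> bytes:
    """Derive the stored verifier; the service keeps this, never the password."""
    return hashlib.pbkdf2_hmac(
        "sha256", password.encode("utf-8"), salt, PBKDF2_ITERATIONS
    )


def make_user_record(password: str) -> dict:
    """Build a stored account record with a fresh per-user salt."""
    salt = os.urandom(16)
    return {"salt": salt, "hash": hash_password(password, salt), "force_reset": False}


def find_reused_credentials(user_store: dict, leaked_pairs: list) -> list:
    """Flag accounts whose stored hash matches a leaked password for the same email."""
    flagged = []
    for email, leaked_password in leaked_pairs:
        key = email.strip().lower()
        record = user_store.get(key)
        if record is None or record["force_reset"]:
            continue  # no account here, or already flagged
        # Re-hash the leaked password with this user's salt and compare in
        # constant time; the user's real password is never read or recovered.
        candidate = hash_password(leaked_password, record["salt"])
        if hmac.compare_digest(candidate, record["hash"]):
            record["force_reset"] = True
            flagged.append(key)
    return flagged


# Constructed sample data: two local accounts and three leaked pairs.
USER_STORE = {
    "alice@example.com": make_user_record("Summer2012!"),
    "bob@example.com": make_user_record("unique-to-this-site-7f3a"),
}
LEAKED_PAIRS = [
    ("Alice@example.com", "Summer2012!"),    # same password re-used here
    ("bob@example.com", "linkedin-only-pw"), # different password here
    ("carol@example.com", "hunter2"),        # no account on this service
]

if __name__ == "__main__":
    print(find_reused_credentials(USER_STORE, LEAKED_PAIRS))
```

Only accounts whose leaked password actually verifies against the stored hash are flagged, so the service learns that a match exists without handling any password other than the ones already public in the leak.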
