Hackers recently used a common attack vector called SQL injection to get more than 450,000 usernames and passwords, allegedly from Yahoo Voices. The real shocker is that the passwords were stored in plaintext. As one of the largest service providers, responsible for millions of online accounts, Yahoo didn’t bother to store these user credentials in an encrypted manner. What were they thinking? Read the full story.
Remember, when hackers nab a username and password, it’s not just that specific account that’s at risk. Admit it – chances are you share the same password across multiple accounts. Some people use the same password for most of their accounts, like Gmail, Kaseya, and PayPal; many are known to use the same passwords for their bank accounts too. And hackers use this to their advantage: they grab user credentials from one weak site, then try the same credentials on other sites. That’s how hackers are stealing cash from Best Buy online customers right now.
In a recent analysis of these Best Buy accounts, one in five reused the same credentials from sites like LinkedIn and Yahoo on their main Microsoft account as well. Consider the risk if a hacker could access Microsoft assets like SkyDrive, TechNet, or the Microsoft Online Store. It would be disastrous if an adversary stole private files, software license keys, and more.
If all your staff use the same logon credentials for multiple sites (which they do, believe me), that opens your systems and your clients’ systems up to a lot of risk. You need to ensure you have the highest possible security for your accounts, because people are the weakest link in your safety measures.
Maybe some of your staff use the same credentials for Yahoo Voices as they do for your PSA. See how easy a breach could be? Imagine what would happen if a staff member’s ConnectWise or Autotask account was accessed by an untrusted party. Think of the amount of sensitive customer information that person would have access to. In any case, it’s surprising that Yahoo stored this account data unencrypted. But in many cases, even businesses that do protect stored passwords are using older techniques that can’t be trusted anymore. Our latest episode of Crack the Cred shows how easy it is to decipher poorly protected passwords once you do have the data.
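To make the storage point concrete, here is an added example (not code from the original post or from any of the products mentioned) that contrasts three ways a site might keep a password record: the plaintext storage the article describes, an unsalted fast hash of the kind the "older techniques" remark refers to, and a salted, iterated PBKDF2 record with constant-time verification. The sample usernames and passwords are constructed for the demonstration, the record format (`pbkdf2_sha256$iterations$salt$hash`) is this example's own convention, and the iteration count is an assumption to be tuned per deployment.

```python
import base64
import hashlib
import hmac
import os
from typing import Dict, Optional

# Constructed sample credentials for the demonstration only (not real data).
# Note that alice and bob reuse the same password, the situation the post warns about.
SAMPLE_USERS = {"alice": "Summer2012!", "bob": "Summer2012!", "carol": "tr0ub4dor&3"}

# Assumption: a moderate work factor so the example runs quickly. Production
# deployments should raise this until one hash costs roughly 100 ms on their hardware.
PBKDF2_ITERATIONS = 200_000


def store_plaintext(password: str) -> str:
    """The scheme the article attributes to the breach: the secret itself is the record.
    One SQL injection and every password is readable as-is."""
    return password


def store_unsalted_md5(password: str) -> str:
    """An 'older technique': a fast, unsalted digest.
    Two users with the same password get the same record, and a precomputed table of
    common passwords inverts the whole column at once. Shown here as the weak form only."""
    return hashlib.md5(password.encode("utf-8")).hexdigest()


def store_pbkdf2(password: str, salt: Optional[bytes] = None,
                 iterations: int = PBKDF2_ITERATIONS) -> str:
    """Hardened form: random per-user salt plus a deliberately slow key derivation.
    Record format (this example's convention): pbkdf2_sha256$iterations$salt_b64$hash_b64"""
    if salt is None:
        salt = os.urandom(16)  # fresh salt per record, so equal passwords never collide
    derived = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations, dklen=32)
    return "pbkdf2_sha256${}${}${}".format(
        iterations,
        base64.b64encode(salt).decode("ascii"),
        base64.b64encode(derived).decode("ascii"),
    )


def verify_pbkdf2(password: str, stored: str) -> bool:
    """Re-derive from the stored salt and iteration count, then compare in constant time
    so the comparison itself leaks nothing about how many bytes matched."""
    algo, iterations, salt_b64, hash_b64 = stored.split("$")
    if algo != "pbkdf2_sha256":
        raise ValueError("unsupported record format")
    salt = base64.b64decode(salt_b64)
    expected = base64.b64decode(hash_b64)
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt,
                                    int(iterations), dklen=len(expected))
    return hmac.compare_digest(candidate, expected)


def reuse_visible(records: Dict[str, str]) -> bool:
    """True when the storage scheme leaks password equality: two distinct users with the
    same password end up with identical stored records. A defender can run this over a
    dump of their own table to see whether it would hand an attacker that information."""
    values = list(records.values())
    return len(values) != len(set(values))


if __name__ == "__main__":
    for name, fn in (("plaintext", store_plaintext),
                     ("unsalted md5", store_unsalted_md5),
                     ("salted pbkdf2", store_pbkdf2)):
        records = {user: fn(pw) for user, pw in SAMPLE_USERS.items()}
        print("{:14s} leaks password reuse: {}".format(name, reuse_visible(records)))
    record = store_pbkdf2("Summer2012!")
    print("verify correct password:", verify_pbkdf2("Summer2012!", record))
    print("verify wrong password:  ", verify_pbkdf2("summer2012!", record))
```

Running the block shows that plaintext and unsalted MD5 both reveal that alice and bob share a password, while the salted PBKDF2 records do not, and that verification still succeeds for the right password and fails for a one-character variant. Swapping in bcrypt, scrypt or Argon2 follows the same pattern; the essential properties are the per-record salt, the tunable work factor and the constant-time comparison.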
So today’s lesson is: never use the same password twice. And if you’re a business owner, demand that all staff use the strongest passwords they can, and make sure those passwords are protected with the best solutions you can get your hands on. That’s where we can help. Let's talk.