
Experts comment on record 772mil-user data breach

21 Jan 2019

Cybersecurity expert Troy Hunt, founder of the website Have I Been Pwned, recently broke the news that the largest-ever database of breached login details has been leaked on the dark web.

Dubbed “Collection #1”, the data set contains over a billion unique combinations of email addresses and passwords.

In total, the unique email addresses compromised in the data breach came up to over 772 million.

Users can check Hunt’s website, Have I Been Pwned, to see if their email address and associated password have been compromised in the data dump.

The breached data appears to have been retrieved from a number of different sources.

McAfee Asia-Pacific chief technology officer Ian Yip says, “This incident is somewhat unsurprising, given the number of attacks we’ve seen hit Australian businesses, employees and everyday people over the last couple of weeks.

“Hundreds of millions of people are still at risk of a multitude of vulnerabilities, which can be exploited by sophisticated cybercriminals who are driven by monetary gain.

“It’s prudent for citizens to act fast and defend themselves. With such a high volume of personal data being discovered, nobody can assume they haven’t themselves fallen victim.

“As an immediate next step, passwords need to be changed. If you have the same password across any account, device or app you need to make every single one unique, strong and never re-use it again. A password manager is a great option if you want to do this quickly.

“Once your password is in the hands of a cybercriminal, they can gain access to personal and even financial information by painting a ‘picture’ of you. This is yet another alarming wake-up call for people who do not place importance on their online privacy, security and data protection. Cyber resilience must remain a high priority goal for organisations and citizens.”

OneSpan security solutions director and security evangelist Will LaSala says, “This is a colossal breach. Those impacted should act fast to change any reused passwords, as the exposed credentials can be used by criminals in credential stuffing attacks to cause maximum damage across multiple other accounts.

“And with criminals trading assets in underground forums, data from this breach could easily be cross-referenced with information lying elsewhere to bypass authentication. For the more high-risk accounts like banking accounts, this poses a very real fraud threat.

“If this doesn’t highlight the need for security reach beyond the password, then not much else will. We should know by now that using a combination of multiple, layered authentication technologies gives companies, and users, the best chance.

“Banks especially should be upgrading their authentication procedures to more intelligent methods to mitigate the fraud risk in the aftermath of attacks such as this. This technology should combine multiple authentication techniques, whether that’s fingerprints, behavioural biometrics or one-time passwords.”

Callsign CMO and go-to-market strategy head Sarah Whipp says this case is just another example in a long list of hacks which prove that the outdated password is no longer fit for purpose.

“The Collection #1 database is just another nail in the coffin for the traditional password. Not even a ‘strong’ password can keep your data safe if it’s freely available on the dark web.

“While we have come on leaps and bounds in terms of biometric authentication technology which has helped improve the protection of our identities online, the ability to collect sufficient biometric data tends to be quite difficult and consequently, it is also not 100% secure.
