A couple of weeks ago, we had a security alert at the office. A client had called to say that a member reported a breach of the association’s website. Employees at a member company had each received an email with an attachment containing their username and password. A quick check showed that the information in the attachment matched the credentials on the association’s website.
Yikes! Did we have a breach on our hands?
Turns out, we didn’t. After some research, we discovered that some employees who had received the email did not have accounts on the association’s website, so that could not have been the source of the information.
So what the heck happened? Or what the heck do we think happened?
The client (and Matrix Group) thinks that the credentials are from the LinkedIn breach: LinkedIn was compromised in 2012, and the stolen data, roughly 117 million accounts, surfaced for sale in 2016. Why do we think this? Because some staffers verified the credentials as being those they use on their LinkedIn accounts.
Wait, how could the credentials be on the client website AND LinkedIn?
Ah yes, you guessed it. Staffers were using the SAME credentials on both websites. In fact, staffers were (still are) probably using the SAME credentials on multiple websites.
So, for those who are not convinced, let me repeat the advice I’ve been giving for years now: Use strong passwords. Don’t reuse passwords. Just don’t do it.
When you reuse passwords, you compromise every account that uses that password the moment one site is breached. And with the rise of automated credential-stuffing attacks, it's just too darn easy for the bad guys to take a leaked password list (or crack weakly hashed ones, as with LinkedIn's unsalted SHA-1 hashes) and try the same username and password combinations on zillions of sites around the world.
So let me repeat this advice and add one more element: Use strong passwords. Don’t reuse passwords. Use a password manager to manage all this craziness.
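One practical thing staff (or a site owner fielding a report like the one above) can do is check whether a password already appears in a known breach corpus without ever sending the password anywhere. The snippet below is an added example written for this post, not code from Matrix Group or the client. It uses the k-anonymity scheme of the Pwned Passwords range API (you send only the first five hex characters of the SHA-1 and match the rest locally), but the "range response" it parses is a constructed sample in that API's line format with made-up counts, so the example runs fully offline; the optional network lookup and the `Add-Padding` header are the only parts that touch the real service.

```python
"""Check a password against a breach corpus without revealing it.

Added example, not from the original post. The Pwned Passwords range API
(https://api.pwnedpasswords.com/range/<5-hex-prefix>) returns, for a
5-character SHA-1 prefix, every matching 35-character suffix with a count.
Only the prefix ever leaves the machine; the suffix is matched locally.
"""
import hashlib
import urllib.request
from typing import Callable, Dict, Tuple

# Constructed sample of what a range lookup might return for prefix "5BAA6".
# The first suffix is the rest of SHA-1("password"); the counts are invented.
SAMPLE_RANGE_RESPONSE = """\
1E4C9B93F3F0682250B6CF8331B7EE68FD8:3861493
1E4C9B93F3F0682250B6CF8331B7EE68FD9:2
0A1B2C3D4E5F60718293A4B5C6D7E8F9A0B:17
"""


def sha1_prefix_suffix(password: str) -> Tuple[str, str]:
    """Split the upper-case hex SHA-1 of the password into (prefix, suffix)."""
    digest = hashlib.sha1(password.encode("utf-8")).hexdigest().upper()
    return digest[:5], digest[5:]


def parse_range_response(body: str) -> Dict[str, int]:
    """Parse 'SUFFIX:COUNT' lines into a dict; blank and padded lines are kept
    harmlessly (padding entries from the real API report a count of 0)."""
    counts: Dict[str, int] = {}
    for line in body.splitlines():
        line = line.strip()
        if not line:
            continue
        suffix, _, count = line.partition(":")
        counts[suffix.upper()] = int(count)
    return counts


def offline_lookup(prefix: str) -> str:
    """Stand-in for the network call: serves the constructed sample only."""
    return SAMPLE_RANGE_RESPONSE if prefix == "5BAA6" else ""


def http_lookup(prefix: str) -> str:
    """Real lookup (not used by the offline demo). 'Add-Padding' asks the
    service to pad the response so its size does not leak the prefix."""
    req = urllib.request.Request(
        f"https://api.pwnedpasswords.com/range/{prefix}",
        headers={"Add-Padding": "true", "User-Agent": "password-check-example"},
    )
    with urllib.request.urlopen(req, timeout=10) as resp:
        return resp.read().decode("utf-8")


def breach_count(password: str, lookup: Callable[[str], str] = offline_lookup) -> int:
    """Return how many times the password was seen in breaches (0 = not found)."""
    prefix, suffix = sha1_prefix_suffix(password)
    counts = parse_range_response(lookup(prefix))
    return counts.get(suffix, 0)


if __name__ == "__main__":
    for candidate in ("password", "correct horse battery staple"):
        seen = breach_count(candidate)
        verdict = f"seen {seen} times, do not use" if seen else "not in the sample corpus"
        print(f"{candidate!r}: {verdict}")
```

Swap `offline_lookup` for `http_lookup` to query the live service; a non-zero count means that exact password is already in attackers' hands and should be replaced with a fresh one from your password manager, not merely "strengthened" by adding a digit.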
Please share this blog post with your loved ones. Be safe out there!