No doubt by now you’ve heard the disastrous story of the Equifax breach.
We know the following facts: Equifax, a large credit reporting company, discovered a flaw in the Apache Struts framework used by its online U.S. dispute portal on July 29. The company announced on Sept. 7 that attackers had obtained access to the personal data of up to 143 million U.S. customers. The data include social security numbers, names, addresses, birthdates, and, in some cases, credit card numbers and driver's licenses. Equifax customers are piling on a slew of class-action lawsuits, and multiple top Equifax executives have resigned as the company scrambles to show transparency and alleviate concerns.
Our publication discussed the immediate lessons that businesses and their partners can take out of the Equifax data breach earlier this month, but more and more analysis has become available to us in the weeks following the initial announcement. Several data and security experts spoke to us about the long-standing repercussions of the breach and the implications for small businesses and the technology advisers who support them.
Members of the Comodo Threat Intelligence Lab discovered Equifax employee credentials, including credentials for non-company systems, being sold on the dark web. Attackers had infiltrated the Equifax portal with an upgraded version of the Pony malware, which takes a snapshot of login information as it is entered in order to steal it. The Comodo team says it also discovered passwords for non-company systems such as LinkedIn and Dropbox that were tied to corporate email addresses.
There are two main points of concern that Comodo raises.
The first is that many of the stolen passwords were too simple. The passwords tended to lack adequate length and a mix of uppercase and lowercase letters.
Carlos Solari, Comodo’s vice president of cybersecurity services, says most companies consider a password’s length acceptable if it reaches 12 characters. Solari says this number should be closer to 24.
“You don’t necessarily need the complexity of asterisks and pound [signs] and lots of other kinds of less used characters, but length is the most important,” he told Channel Partners.
Simple passwords are, first, easy to guess; their simplicity also suggests that the users are likely reusing those credentials elsewhere.
“That’s normally indicative of people who are using the same passwords on many different systems,” said David Liff, Comodo’s vice president of marketing. “Hackers out there would have known that and would have used these identities to try to work out [how many things] they can get into.”
Users whose credentials for other accounts resemble their Equifax credentials face a further risk of account theft. And the ability of a threat actor to …