Imagine this: your entire business gets derailed by a string of just eight characters. Scary, right? Unfortunately, the constant barrage of password-based cyberattacks highlights the frightening ease with which cybercriminals can abuse vulnerable credentials and wreak havoc on businesses like yours.
Password attacks come in various forms, from phishing schemes that trick your employees into handing over their login information to underground markets where criminals trade stolen credentials.
Regardless of the method, once they have a valid password, these bad actors can do everything from stealing your data to taking over critical business systems.
Don’t believe it? Nearly half (49%) of incidents in Verizon’s 2023 Data Breach Investigations Report involved compromised passwords.
Notable password-related cyberattacks
Let’s take a closer look at some high-profile password attacks from 2023:
23andMe
Primarily known for its genetic testing and ancestry services, 23andMe disclosed that a hacker was offering to sell names, locations, and other data for half of its 14 million users.
This incident was traced back to credential stuffing, where attackers replay username and password pairs stolen from other breaches (or otherwise guessed) against accounts whose owners reused them, gaining unauthorized access.
Norton
While Norton is usually recognized for its antivirus protection, the company’s security was compromised due to a credential stuffing attack involving its own Norton Lifelock Password Manager. Norton revealed that nearly a million customers were affected, with data from 6,500 users being compromised.
Freecycle
In late August, the online charity that helps divert reusable goods from landfills sent out an urgent request for members to change their passwords.
According to a hacker’s online claim, the breach involved up to seven million accounts, with user IDs, emails, and hashed passwords being exposed. Freecycle said the attack might have started years ago when a server was left vulnerable, emphasizing the importance of changing passwords, especially if the same ones are used for other services.
Recovering from a compromised password security incident
While the specific steps for responding to a security breach will vary depending on the scope, there are some best practices you can follow to minimize the damage:
1. Issue a ‘Reset All Passwords’ directive
Resetting every password locks the attackers out of the accounts they compromised and prevents further consequences from the initial breach. This involves clearly communicating to all employees and customers the need to change their passwords immediately. To simplify this process for your employees, you can use a self-service password reset tool and reduce helpdesk calls.
2. Assemble an incident response team
If you haven’t already prepared for a cybersecurity incident, it’s time to gather the appropriate stakeholders and develop an action plan. This typically includes your IT department, legal counsel, and marketing communications teams responsible for informing affected parties. You might also need third-party assistance to conduct digital forensics and fully understand the attack’s impact.
3. Notify those whose personal information has been compromised
Effective data breach disclosure should be comprehensive, clear, and include the next steps affected people should take. Make sure you have answers to the most anticipated questions and provide simple ways for people to contact you for more information. Offer recommendations on how to safeguard their data, such as the password reset directive mentioned earlier.
Password best practices for 2024
Defending your business against password attacks doesn’t require reinventing the wheel. In many cases, companies just need to follow standard protective measures.
Start with education. Regularly train your employees in password security and make them aware of the risks associated with using the same passwords across multiple services.
Since cybercriminals may trade lists of previously compromised credentials, it’s also crucial to routinely monitor your business’s risk exposure.
Tools like Specops Password Policy, which continuously scans your Active Directory for compromised passwords, enable you to shift from reactive to proactive password security.
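The kind of compromised-password check described above can also be illustrated in a few lines. The following is an added example, not Specops code: it audits candidate passwords against a breach corpus using a hash-prefix (k-anonymity) lookup, so only the first five hex characters of the SHA-1 hash are ever sent to the lookup side and the full hash stays local. The corpus (_CONSTRUCTED_LEAKED) and lookup_range are constructed stand-ins for a real breach database or range-query service.

```python
import hashlib
from collections import defaultdict

# Constructed sample corpus: plaintext -> number of times seen in leaks.
# Not real leak data; it only exists so the example runs offline. A real
# corpus would hold hashes only, never plaintext.
_CONSTRUCTED_LEAKED = {"password": 3861493, "Welcome1": 42125, "Summer2023!": 77}


def build_prefix_index(leaked: dict) -> dict:
    """Index SHA-1 hashes by their 5-hex-char prefix, the way a k-anonymity
    range-query service does, so a lookup reveals only the prefix."""
    index = defaultdict(dict)
    for pw, count in leaked.items():
        digest = hashlib.sha1(pw.encode("utf-8")).hexdigest().upper()
        index[digest[:5]][digest[5:]] = count
    return index


BREACH_INDEX = build_prefix_index(_CONSTRUCTED_LEAKED)


def lookup_range(prefix: str) -> dict:
    """Stand-in for the remote range query: every suffix under this prefix."""
    return BREACH_INDEX.get(prefix.upper(), {})


def times_seen_in_breaches(password: str) -> int:
    """How many times the password appears in the corpus (0 = not found).
    Only the prefix goes to lookup_range; the suffix match happens locally."""
    digest = hashlib.sha1(password.encode("utf-8")).hexdigest().upper()
    prefix, suffix = digest[:5], digest[5:]
    return lookup_range(prefix).get(suffix, 0)


def audit_passwords(candidates: dict) -> dict:
    """Audit user -> password pairs (e.g. from a reset flow) and return only
    the accounts whose chosen password is known-compromised."""
    return {user: n for user, pw in candidates.items()
            if (n := times_seen_in_breaches(pw)) > 0}
```

In a deployment the same audit would run at password-set time and on a schedule, so a password that was clean when chosen is still caught once it appears in a newly traded list.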
Passwords serve as the keys to some of the world’s most valuable information and systems. By implementing the right technologies and procedures, you can improve your chances of keeping those keys out of the wrong hands.
Article sponsored and written by Specops Software.
Don’t let your business become another statistic. Contact us to learn how ZZ Servers can help you safeguard your company’s digital assets and ensure a robust cybersecurity posture.