Mega Data Breaches Prompt Facebook and Netflix to Reset Passwords

The mega data breaches at LinkedIn, Adobe, Tumblr, and MySpace allowed hackers to obtain vast numbers of email addresses and passwords. Now that the data have been listed for sale online, users of these websites are at risk of having their accounts hacked. In total, more than half a billion email addresses and hashed passwords have been leaked over the past few weeks.

All of these websites are now alerting users to the breaches and are invalidating passwords for affected individuals. Other websites have also followed suit, even though they have not experienced a data breach. Netflix has recently started sending emails to its users telling them that their passwords have been reset. Facebook has also taken the decision to force some of its users to update their passwords to prevent accounts being accessed by unauthorized individuals.

Facebook and Netflix are aware that cybercriminals in possession of the dumped data will attempt to use email addresses and passwords on other websites. The proactive step was taken after the sites determined that a number of victims of these recent data breaches had reused the same compromised password for their Netflix and/or Facebook accounts.

Netflix told some of its users “We believe your Netflix account credentials may have been included in a recent release of email addresses and passwords from an older breach at another company,” while Facebook sent a message saying “Recently, there was a security incident on another website unrelated to Facebook.” The message goes on to say, “Your Facebook account is at risk because you used the same password in both places.”

It is probable that many other websites will also force password resets on accounts for users that have used the same password for their LinkedIn, MySpace, and Tumblr accounts.

Checking for password sharing is a fairly straightforward task. If a list of leaked passwords can be obtained, a site can hash each password with its own algorithm and compare the result to the hash it has stored for the account with the same email address. A match means the same password has been used for both sites. Those specific accounts have their passwords invalidated, and notifications can be sent to the users asking them to reset their passwords.
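The check described above, as an added example that is not code from Netflix, Facebook, or any of the breached sites: a constructed user table is built with a salted PBKDF2-HMAC-SHA256 hash (an assumption standing in for whatever algorithm a given site actually uses), and each leaked email/password pair is re-hashed with that account's own salt before comparison, so the check works even when every user has a different salt.

```python
import hashlib
import hmac
import os

ITERATIONS = 100_000  # assumed work factor; real sites pick their own


def hash_password(password: str, salt: bytes) -> bytes:
    """Hash a password the way this (hypothetical) site stores it."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)


def make_user_table(users):
    """Build {email: (salt, stored_hash)} from (email, password) pairs.
    Stands in for the site's existing credential store."""
    table = {}
    for email, password in users:
        salt = os.urandom(16)
        table[email.lower()] = (salt, hash_password(password, salt))
    return table


def find_reused_passwords(user_table, leaked_credentials):
    """Return the set of emails whose leaked password matches the site's hash.
    Only accounts whose email appears in the dump are checked; the leaked
    password is hashed with that account's own salt, and the comparison is
    constant-time so the check itself does not leak timing information."""
    reused = set()
    for email, leaked_password in leaked_credentials:
        key = email.lower()
        entry = user_table.get(key)
        if entry is None:
            continue  # email not registered here, nothing to compare
        salt, stored = entry
        if hmac.compare_digest(hash_password(leaked_password, salt), stored):
            reused.add(key)
    return reused


# Constructed sample data: this site's users and a dump from another site.
SITE_USERS = [
    ("alice@example.com", "correct horse battery staple"),
    ("bob@example.com", "hunter2"),
    ("carol@example.com", "Tr0ub4dor&3"),
]
LEAKED_DUMP = [
    ("Alice@example.com", "correct horse battery staple"),  # reused
    ("bob@example.com", "letmein"),                          # different
    ("dave@example.com", "hunter2"),                         # not a user here
]


def run_demo():
    """Accounts that should be invalidated and notified: {'alice@example.com'}."""
    return find_reused_passwords(make_user_table(SITE_USERS), LEAKED_DUMP)
```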

Now is a good time to ensure good password management practices are followed. Employers should also take the time to remind employees of password best practices and about the danger of reusing or recycling passwords.

Author: Richard Anderson

Richard Anderson is the Editor-in-Chief of NetSec.news