The largest data breach of 2016 exposed more than 400 million user accounts and prompted a debate over password security best practices by experts.
The FriendFinder Network, which comprises a number of dating and adult entertainment websites like AdultFriendFinder and Penthouse, was attacked in October, leading to a breach of just over 412 million user accounts across six domains and exposure of customer account passwords, email addresses and IP addresses from a user's last login. The leaked data also included nearly 16 million accounts that appear to have been deleted by users but not purged from the company's servers.
Last month a hacker named 1x0123 on Twitter -- whose account has since been suspended -- posted screenshots of AdultFriendFinder showing the exploitation of a local file inclusion vulnerability, a flaw that lets an attacker pull files stored elsewhere on the server into the output of a given application.
Of the more than 400 million FriendFinder Network (FFN) user accounts exposed, about 125.6 million had passwords stored in plain text and 282 million passwords stored using the obsolete SHA-1 algorithm, which companies such as Google, Mozilla and Microsoft have either stopped supporting or slated for deprecation.
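The distinction between plain text, unsalted SHA-1 and a modern salted, slow password hash is the crux of the criticism above. The following Python is an added illustration, not code from the article or from FriendFinder: it stores a constructed set of user passwords both ways and shows that unsalted SHA-1 lets anyone holding the dump see which users share a password (and look the digest up in a precomputed table), while a per-user salt with PBKDF2 removes that cross-user linkage. All user names and passwords are made up.

```python
import hashlib
import hmac
import os

# Constructed sample: several users share a password, as breach analyses
# routinely find. Not real data.
SAMPLE_USERS = {
    "alice": "password",
    "bob": "qwerty",
    "carol": "password",
    "dave": "123456",
    "erin": "password",
}


def sha1_store(passwords):
    """Unsalted SHA-1 storage as described in the article: one digest per user.
    Identical passwords yield identical digests, so the dump itself reveals
    which accounts share a password."""
    return {user: hashlib.sha1(pw.encode()).hexdigest()
            for user, pw in passwords.items()}


def pbkdf2_store(passwords, iterations=200_000):
    """Salted, deliberately slow storage: a random 16-byte salt per user and
    PBKDF2-HMAC-SHA256. Equal passwords now produce unrelated digests."""
    store = {}
    for user, pw in passwords.items():
        salt = os.urandom(16)
        digest = hashlib.pbkdf2_hmac("sha256", pw.encode(), salt, iterations)
        store[user] = (salt, iterations, digest)
    return store


def verify_pbkdf2(store, user, candidate):
    """Recompute with the stored salt and compare in constant time."""
    salt, iterations, digest = store[user]
    attempt = hashlib.pbkdf2_hmac("sha256", candidate.encode(), salt, iterations)
    return hmac.compare_digest(attempt, digest)


def largest_cluster(store):
    """Size of the biggest group of users whose stored values are identical.
    For unsalted hashes this is the number of users on the most common
    password; for salted hashes it is 1 even when passwords repeat."""
    counts = {}
    for value in store.values():
        key = value[2] if isinstance(value, tuple) else value
        counts[key] = counts.get(key, 0) + 1
    return max(counts.values())


if __name__ == "__main__":
    weak = sha1_store(SAMPLE_USERS)
    strong = pbkdf2_store(SAMPLE_USERS)
    print("largest identical-digest cluster, SHA-1:", largest_cluster(weak))
    print("largest identical-digest cluster, PBKDF2:", largest_cluster(strong))
    print("alice verifies with correct password:",
          verify_pbkdf2(strong, "alice", "password"))
```

The point of `largest_cluster` is the one LeakedSource-style analyses exploit: with unsalted SHA-1, every account on the same password collapses to one digest, so recovering it once (from a wordlist or a precomputed table) unlocks all of them at no extra cost. The salted, iterated construction forces each account to be attacked separately and slowly, which is what the obsolescence of SHA-1 for this purpose comes down to.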
Rick Holland, vice president of strategy for cybersecurity awareness firm Digital Shadows, said account takeovers, spear phishing and extortion are just a few of the risks that corporate staff could face from this breach.
"Exposed credentials from adult dating sites hold particular value for cyber criminals given their potential to extort victims. Most subscribers to these services want to remain anonymous and don't want their employers or families to know," Holland told SearchSecurity. "There would likely be a significant amount of credentials that could be leveraged for malicious purposes. Companies should proactively monitor for credential dumps relevant to their organization's accounts and be ready to force password changes in the event the credentials haven't been exposed in the past."
Other experts echoed the sentiment that enterprises should be wary of password security in the wake of such a massive data breach. Stephen Coty, chief security evangelist at Alert Logic, said enterprises shouldn't focus only on whether their own domain is found in the breach.
"This is a very good chance for companies to force a password reset," Coty told SearchSecurity. "You can download the data dump and match the company's email address domains, but then you might miss users who used their personal email and all using the same password."
Daniel Miessler, director of advisory services at IOActive, said users should be reminded of password security with all online accounts. "It may even go a step further with proactive account cracking and notifications to users that they need to make better passwords both on their site and everywhere else," Miessler said. "At this point the password weakness and sharing problem is a major internet security problem."
Amichai Shulman, CTO at Imperva, disagreed with the other experts and told SearchSecurity that forcing password resets could become onerous.
"If we reset passwords every time a large breach happens, we'll cripple day-to-day operations, so I wouldn't take that drastic of a step unless I suspected a good proportion of my enterprise users were affected," Shulman said. "A better approach is to send out a message to people to consider changing their password if they have a reason to believe they're affected."
The FFN's use of the obsolete SHA-1 algorithm to hash user passwords was roundly criticized, but experts disagreed on the value of websites being transparent about the encryption they use.
"I think they should be transparent. It will force them to have to up their game," Coty said. "The down side would be that potential attackers would know what encryption you are using. But is that bad? [Hackers] might conclude it's not worth their time if it will take too long to get the encrypted data."
Kevin Bocek, vice president of security strategy and threat intelligence at Venafi, said business partners and users should not be blind to the encryption used by others.
"Businesses and governments should be proud to state the levels of encryption and protections used to secure customer data. But, instead organizations are essentially admitting they are accepting lower levels of security and higher risk," Bocek told SearchSecurity. "Many businesses don't know if they eradicated all vulnerable SHA-1 certificates. Unfortunately, they'll learn a costly lesson when browsers finally stop trusting SHA-1 certificates in just months."
Shulman said transparency may not be helpful if users don't understand the technology.
"During all my time in information security business, I've never seen users avoiding sites that have weak encryption or obsolete digest algorithms," Shulman said. "Additionally, most users don't know what a digest algorithm is and why it should be used for password protection."
Miessler said transparency doesn't help if password security isn't a priority for an organization. "[Transparency] is unlikely to help. Any site capable of finding out and communicating their protection strategy is also capable of using strong algorithms," he said. "The issue in most cases is the company simply not prioritizing security, not hiring the right people, or not giving those people the ability to make the changes that need to be made."
An analysis of the passwords in the FFN breach by LeakedSource.com, which collects and analyzes breached data, found more than 2 million instances of passwords that were either a series of sequential numbers, QWERTY, QWERTYUIOP or the word "password." A number of experts said password security could be improved greatly with the use of a password manager.
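The patterns LeakedSource counted are easy to screen for at registration or password-change time, which is the kind of control Bambenek refers to below. The following Python is an added example, not LeakedSource's analysis code or anything from the article; it generalises the article's list slightly by recognising forward or backward runs along any keyboard row and any ascending or descending digit sequence, not just the specific strings named. The sample password list is constructed.

```python
from collections import Counter

# Keyboard rows on a US layout; a run along any row (forward or backward,
# with digits allowed to wrap from 9 to 0) counts as a keyboard pattern.
KEYBOARD_ROWS = ("qwertyuiop", "asdfghjkl", "zxcvbnm")
DIGITS = "0123456789"
MIN_RUN = 4


def _is_run(s, alphabet):
    """True if s is a contiguous forward or backward run within alphabet.
    The alphabet is doubled so that wrap-around runs such as 1234567890
    are also caught."""
    if len(s) < MIN_RUN:
        return False
    cyclic = alphabet + alphabet
    return s in cyclic or s in cyclic[::-1]


def classify(password):
    """Return the weak-password category named in the article, or None."""
    p = password.lower()
    if p == "password":
        return "password"
    if p.isdigit() and _is_run(p, DIGITS):
        return "sequential digits"
    if any(_is_run(p, row) for row in KEYBOARD_ROWS):
        return "keyboard row"
    return None


def tally_weak(passwords):
    """Count how many passwords fall into each weak category."""
    counts = Counter()
    for pw in passwords:
        label = classify(pw)
        if label:
            counts[label] += 1
    return counts


# Constructed sample, including the passphrase style Coty suggests below.
SAMPLE_PASSWORDS = [
    "123456", "password", "qwerty", "Wh0 Misses D@n M@rino Number 16",
    "QWERTYUIOP", "654321", "letmein", "zxcvbn",
]

if __name__ == "__main__":
    for label, n in tally_weak(SAMPLE_PASSWORDS).items():
        print(f"{label}: {n}")
```

Run over a real password list this gives the same kind of breakdown LeakedSource published; wired into a registration form it rejects those choices before they are ever stored. It is deliberately narrow: `letmein` passes, so a real policy would pair this check with a breached-password blocklist rather than rely on pattern matching alone.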
"Users need to be trained and frequently reminded on how important this is. IT policies can be enforced to regularly change or update passwords," Stu Sjouwerman, CEO of KnowBe4, told SearchSecurity. "And a password manager eliminates the need to remember complicated passwords, making it easy for the user to stay secure."
Coty said users need to stop trying to remember complex passwords and stick to phrases.
"We need to start thinking phrases and password safes where we just need a master password," Coty said. "As a Cowboys fan, you might have 'Wh0 Misses D@n M@rino Number 16' -- wrong player and number, for a Cowboys fan and to add additional complexity convert the o to a 0 or an a with an @. Don't think complex passwords, hard to remember. Remember easy phrases from whatever movies, books, philosophers or political insults."
Bocek and John Bambenek, manager of threat systems at Fidelis Cybersecurity, said the industry needs to kill off passwords in favor of multifactor authentication.
"There are tools to require people to use strong passwords that could have been implemented," Bambenek told SearchSecurity. "However, we have noticed that the stronger the password requirements are, the better users get at evading controls. The password is the worst form of authentication ever used."