By Mark Kane
June 6th 2016
In the world of cyber security there are two types of companies, companies that have been hacked and those that don’t know yet they have been hacked.
Social media giants MySpace and Tumblr became victims of cyber-attacks in recent years, resulting in customer emails and passwords being exposed. In recent days more details have come to light as the data sets reveal exactly how many emails and passwords were leaked, and those data sets are currently up for sale via dark web sites.
MySpace hack 2011
The MySpace attack in 2011 was one of the more serious hacks to have happened in the last 5 years. It is now revealed that nearly 360.2 million email accounts including passwords were stolen and now are online for sale at just $2800.
How were they hacked?
The passwords were originally “hashed” with the SHA1 algorithm, which is known to be weak and easy to crack. What’s worse, the company didn’t “salt” the passwords in the hashing process. Salting means adding a series of random bytes to the end of each password before hashing it, so that two users with the same password get different hashes and each hash has to be cracked separately.
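To make the difference concrete, here is an added example (not code from the article or from MySpace) that contrasts the unsalted SHA1 scheme described above with a per-user salted, iterated hash; the PBKDF2 iteration count and the sample password are assumptions.

```python
import hashlib
import hmac
import os

# --- The weak scheme described in the article: unsalted SHA1 ---
def hash_unsalted_sha1(password: str) -> str:
    """Plain SHA1 of the password: fast, and identical for identical passwords."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest()

# --- A salted, deliberately slow scheme: PBKDF2-HMAC-SHA256 ---
ITERATIONS = 200_000  # assumed work factor; tune to your own hardware

def hash_salted(password: str, salt: bytes = b"") -> str:
    """Store 'iterations$salt_hex$digest_hex'; a fresh 16-byte random salt per user."""
    if not salt:
        salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)
    return f"{ITERATIONS}${salt.hex()}${digest.hex()}"

def verify_salted(password: str, stored: str) -> bool:
    """Recompute with the stored salt and iteration count; compare in constant time."""
    iters, salt_hex, digest_hex = stored.split("$")
    digest = hashlib.pbkdf2_hmac(
        "sha256", password.encode("utf-8"), bytes.fromhex(salt_hex), int(iters)
    )
    return hmac.compare_digest(digest.hex(), digest_hex)

def demo() -> dict:
    """Constructed sample: two users who happened to choose the same password."""
    pw = "summer2011"  # assumed sample password
    weak_a, weak_b = hash_unsalted_sha1(pw), hash_unsalted_sha1(pw)
    strong_a, strong_b = hash_salted(pw), hash_salted(pw)
    return {
        # True: one precomputed lookup of this digest exposes every user with this password
        "unsalted_identical": weak_a == weak_b,
        # False: each record carries its own salt, so each must be attacked separately
        "salted_identical": strong_a == strong_b,
        "verify_ok": verify_salted(pw, strong_a),
        "verify_wrong": verify_salted("not-the-password", strong_a),
    }

if __name__ == "__main__":
    print(demo())
```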
News site Motherboard spoke via online chat to a hacker called “Peace” and to an operator of Leaksource, a paid search engine for hacked data that claims to hold the MySpace data and says it comes from a past, unreported breach. Both confirmed they had access to the leaked MySpace emails and passwords.
To confirm that the list was authentic, Motherboard gave Leaksource the emails of a few staffers who had MySpace accounts. Within a short time Leaksource came back with the correct passwords for all of those accounts.
Tumblr Hack 2013
Last month Tumblr announced via their blog that they had suffered a breach in 2013 and that a set of emails was obtained during the hack. Tumblr do stress that this hack occurred before the current owners, Yahoo, took over the company.
However, what is not mentioned is exactly how many emails were stolen. Security researcher Troy Hunt, with the help of Have I Been Pwned, was able to obtain data revealing that over 65 million Tumblr accounts were stolen in 2013. The data shows that both emails and passwords were taken during the hack. In this case the passwords are considered safe because they were stored scrambled by a one-way function, otherwise known as hashing. However, the emails can still be useful to scammers for phishing attacks.
It is unknown who exactly conducted the hacks on MySpace and Tumblr. Odds are we will never know, which is very common when it comes to cyber-attacks. What is a worrying thought, however, is that both MySpace and Tumblr went for some time without knowing they had even been hacked, until news of the leak came out. In addition, the level of security they implemented at the time for their clients’ data was weak and left them vulnerable to attack.
Many organisations reading this may think “Well, this won’t happen to us”. You may think that because you’re not a household name like MySpace or Tumblr you’re safe from attacks, but sadly you would be wrong. Hackers do not care where they get the data from. From their point of view, if they can get your data there will be a buyer somewhere.
Stories like this plus the hacks of LinkedIn and Sony in recent times will only continue to happen. As organisations that hold customer data, it is in your best interests and is your responsibility to set up a framework to manage data breaches.
It is impossible to say you’re 100% secure from cyber-attacks. But if you can show you’re doing all that is possible to prevent an attack, and more importantly that you are prepared to deal with an attack when it happens instead of finding out months later, then this will not only add value to your company but also give confidence and reassurance to your clients.
What can you do?
The only thing you can do is be proactive about cyber security. Installing a framework that gives you a system for managing issues like these is the only way to prevent your organisation’s brand being damaged by a data breach. ISO 27001 gives you that framework.
ISO 27001 is the globally recognised standard for information security. The current version, ISO 27001:2013, provides a set of requirements for an information security management system (ISMS). To be certified for ISO 27001 you will need to be audited by an external company. The benefit of an external audit is that it provides additional validation to your clients that you’re taking IT security seriously and are transparent about how you conduct your company’s IT operations. Being certified with ISO 27001 will show your clients, both current and future, that your organisation takes information security seriously and is prepared to manage any potential cyber-attack.