LivingSocial.com, the daily deals site, was hacked last week, and details for over 50 million accounts, including customer names, e-mail addresses, birthdates and encrypted passwords, were stolen. The event comes at a difficult time for the company, which is attempting a corporate comeback after a recent infusion of cash from investors. No credit card or other financial information was taken in the attack, which raises several questions: is there really a risk to those affected? Did LivingSocial successfully thwart the attack, given that there was no financial loss? Is financial loss even the right measure of these attacks, or should they be evaluated differently? Before looking at these questions, let's look at the current landscape of similar attacks.
In the last 24 months the following companies have been hacked:
Company        Date of Attack   Number of Accounts Hacked
LivingSocial   4/2013           50 Million
Evernote       2/2013           50 Million
               2/2013           250,000
               1/2013           undisclosed
               6/2012           6.5 Million
Zappos*        1/2012           24 Million
RSA            3/2011           40 Million
*Financial information stolen
As customers of these sites, most users are unfazed by these events and simply change their passwords. In most of the attacks listed above, as in many others, no financial information was stolen. So let's peel back the onion a bit further and ask: "what do hackers do with this information once it is captured?"
In today's "Internet of Things" no piece of data is an island any more. To get a sharper focus on these breaches, it is important to see them in the right context. From a hacker's standpoint this is a "big data" problem: every breach is another piece of the puzzle. It is about slowly accumulating more and more information and building a dataset that is fresh, accurate and predictive, and that can ultimately be sold as a package. If a hacker knows you used the password 'Ninja' on one website and recovers from another website (or several) the hash of a password that differs from it only slightly ('Ninj**'), that hash can be cracked in seconds: instead of brute-forcing every possible string, the attacker only has to try the known password and its common variants (capitalisation changes, a digit or year on the end, a '!' appended). Salting the stored hash prevents bulk lookups from precomputed tables, but it does nothing against a targeted guess like this; a slow hash (bcrypt, scrypt) only raises the cost of each guess.
Hackers build profiles that aggregate e-mail addresses, logins, passwords and other details from multiple sources, and use them to predict future activity: the same e-mail address ties records from different dumps together, and a password seen in the clear on one site is the best possible first guess for that person's password everywhere else.
In and of itself, a breach in which no financial details were obtained is not critical. But when several such breaches are aggregated, as described above, they form a highly detailed, and considerably more valuable, picture of you and your online habits, and ultimately a way to gain access to your critical data, such as financial or medical records.
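As an added illustration of the aggregation described above (example code written for this page, not tooling from LivingSocial or from any attacker), the script below joins two constructed breach dumps on the e-mail address and then uses the plaintext password leaked by one hypothetical site, "siteA", as the hint for cracking the unsalted SHA-1 hash leaked by another, "siteB". The site names, accounts, passwords and the choice of unsalted SHA-1 are all assumptions made for the example; the hashes are computed in the script only to build the sample data.

```python
import hashlib

# Constructed sample breach dumps for two hypothetical sites and fake accounts.
# "siteA" leaked plaintext passwords; "siteB" leaked unsalted SHA-1 hashes (an
# assumed format). The hashes are computed here only to build the sample; in a
# real dump they arrive as hex strings.
DUMP_A = ("siteA", [
    {"email": "alice@example.com", "name": "Alice A.", "password": "Ninja"},
    {"email": "bob@example.com", "name": "Bob B.", "password": "Sunshine"},
])
DUMP_B = ("siteB", [
    {"email": "Alice@Example.com", "dob": "1984-03-02",
     "sha1": hashlib.sha1(b"Ninja42").hexdigest()},
    {"email": "bob@example.com", "dob": "1979-11-20",
     "sha1": hashlib.sha1(b"sunshine!").hexdigest()},
    {"email": "carol@example.com", "dob": "1990-06-15",
     "sha1": hashlib.sha1(b"correct horse").hexdigest()},
])


def aggregate(*dumps):
    """Join breach dumps on the normalised e-mail address.

    Returns {email: {field: {source: value}}}, so every attribute keeps the
    name of the dump it came from.
    """
    profiles = {}
    for source, records in dumps:
        for rec in records:
            key = rec["email"].strip().lower()
            profile = profiles.setdefault(key, {})
            for field, value in rec.items():
                if field != "email":
                    profile.setdefault(field, {})[source] = value
    return profiles


def candidates(hint):
    """Yield mangled variants of a known password: case changes, leet
    substitutions, and common digit/symbol/year prefixes and suffixes."""
    cases = {hint, hint.lower(), hint.upper(), hint.capitalize(), hint.swapcase()}
    leet = str.maketrans({"a": "@", "e": "3", "i": "1", "o": "0", "s": "$"})
    stems = cases | {c.translate(leet) for c in cases}
    suffixes = ([""] + [str(n) for n in range(100)]
                + [str(y) for y in range(1990, 2014)]
                + ["!", "!!", "?", "123", "1!", "!1"])
    seen = set()
    for stem in sorted(stems):
        for suf in suffixes:
            for cand in (stem + suf, suf + stem):
                if cand not in seen:
                    seen.add(cand)
                    yield cand


def crack_with_hint(target_hex, hint, algo="sha1"):
    """Try variants of `hint` against one unsalted hash.
    Returns (plaintext, attempts) on success, (None, attempts) otherwise."""
    target = target_hex.lower()
    attempts = 0
    for cand in candidates(hint):
        attempts += 1
        if hashlib.new(algo, cand.encode()).hexdigest() == target:
            return cand, attempts
    return None, attempts


def crack_profiles(profiles):
    """Where a profile holds a plaintext password from one dump and a hash from
    another, use the plaintext as the hint. Returns {email: cracked_password}."""
    cracked = {}
    for email, profile in profiles.items():
        hints = set(profile.get("password", {}).values())
        for hashed in profile.get("sha1", {}).values():
            for hint in hints:
                plain, _ = crack_with_hint(hashed, hint)
                if plain is not None:
                    cracked[email] = plain
                    break
    return cracked


if __name__ == "__main__":
    profiles = aggregate(DUMP_A, DUMP_B)
    for email, plain in crack_profiles(profiles).items():
        print(f"{email}: siteB password recovered as {plain!r} "
              f"(dob {profiles[email]['dob']['siteB']})")
```

Two things to notice. Carol's hash survives only because no other dump supplied a hint for her address; the same few thousand guesses that break Alice's and Bob's hashes are hopeless against a password unrelated to anything the attacker already holds. And a per-user salt would not change the outcome for Alice or Bob, since each guess is hashed for that one user anyway; only a password that is unique to the site removes the hint.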
So, the next time you change – or are forced to change – your password due to a security breach, you might want to consider how your information could be used in the public domain once it is no longer private.
Think in terms of all of your information. How would you structure your private information knowing a set of parties is intent on building a dynamic database that tracks you, with a perpetual interest in exploiting your personal information for their financial gain?
Don't be sloppy and let these jokers get a predictive foothold on your future behaviour. Strong passwords are always the way to go, and a different one for every site, because a password that leaks from one service is the first guess tried against all the others. As the old adage goes, in this case variety is the spice of life!