James Thew - Fotolia

Huge stolen webmail credential cache could drive use of 2FA

World Password Day seeks to promote multi-factor authentication as a security firm reports the discovery of a cache of millions of stolen webmail credentials

A report of a cache of millions of stolen webmail credentials could finally drive more widespread adoption of two-factor authentication (2FA) say security experts.

Google Gmail, Yahoo Mail, Microsoft Hotmail, Russia’s Mail.ru and some German and Chinese webmail providers are investigating a report by Hold Security of a discovery of a cache of 1.17 billion stolen credentials from numerous breaches.

The security firm was able to access the data in exchange for posting favourable comments on a young Russian hacker’s social media pages, raising some doubt about the authenticity of the data.

After eliminating duplicates, the security firm said 272 million turned out to be unique, while 42.5 million had never been seen before.

Before going public, the security firm notified the affected webmail providers, assuming that the remainder were  protected from having been previously identified as stolen.

Most credentials were from Mail.ru (57 million), followed by Yahoo (40 million), Hotmail (33 million) and Gmail (24 million).

Mail.ru told Reuters that it is checking whether any combinations of usernames/passwords match users’ emails and are still active, adding that initial checks found no live combinations of usernames and passwords that match existing emails.  

Yahoo and Google said they are investigating the Hold Security report, while Microsoft said the company has security measures in place to detect account compromise and requires additional information to verify the account owner and help them regain sole access.

Password reuse a ‘danger to corporations’

Some security commentators have warned that, even if the username/password combinations are not valid, cyber criminals could use the email addresses for spam campaigns.

Jonathan Cran, vice-president of operations at crowdsourced security firm Bugcrowd, said each of the major providers have their own mechanisms for forcing account changes. This means it is likely most of these accounts will be deactivated or have a password reset forced soon. 

However, he said the discovery of such a large collection of stolen credentials once again underlines that the password alone is no longer a secure authentication mechanism.

“A breach in one provider can affect others, because of password reuse across accounts. Due to password reuse, this presents a clear and present danger to corporations,” he said.

According to Cran, because many users have the same personal and corporate password, corporations should look to determine if any of their users were compromised, and force a password reset.

Multi-factor authentication

Although each of the main compromised providers support 2FA, he said it is probable that most of the stolen credentials are associated with accounts that did not enable 2FA.

Estimates on Gmail have put the adoption at less than 10%, but looking forward 10 years, I expect 2FA to become widely used – perhaps ubiqutous – and this will be less of a problem. But right now, stolen credentials are a major issue for everyone,” said Cran.

David Melamed, senior research engineer at cloud application security firm CloudLock, said cloud services supporting multi-factor-authentication should be preferred.

“Using 2FA lowers the risk for a potential hacker to make a real use of the stolen credentials,” he said.

Melamed added that it is becoming vital for firms to monitor the dark areas of the web continuously, so they can ensure user accounts are not compromised and react in near real-time when they are to limit the damage.

Password security

World Password Day on 5 May is a campaign aimed at promoting the use of multi-factor authentication to improve online security.

“As we move more of our lives online, we need a more effective way to securely prove who we are,” said David Mount, director, security solutions consulting Europe at UK software firm Micro Focus.

“The answer could be using tokens, smartphones, biometrics, behavioural indicators, or a blend of these measures, and this will depend greatly on the sensitivity of the information or service being secured,” he said.

“But whatever the answer is for each particular security scenario, simply relying on a user to devise and remember a sufficiently secure password is fundamentally flawed.”

Jason Hart, CTO of data protection at digital security firm Gemalto, said World Password Day is a reminder for all organisations and customers that there is no such thing as a safe password.

“Static passwords all carry the risk of being hacked. Organisations need to look for alternatives to authenticate users and bolster security,” he said.

According to Hart, organisations have a variety of ways to authenticate a user. “But what is most important is for them to adopt a holistic security strategy that offers multiple layers of protection. This includes two-factor authentication, which is based on something you know and something you have, as well as encryption of data and proper key management.”

Credential theft a big threat

UK security firm Silicon:Safe, which develops hardware systems that prevent bulk theft of usernames and passwords, said the discovery of such a large credential cache by Hold Security illustrates just how big a problem credential theft is.

“The size of the cache highlights the fact that neither individuals or organisations can rely on conventional techniques, such as encryption or privilege, to protect against the theft of usernames and passwords,” said Will Harwood, founder and CTO of Silicon:Safe.

“The recent history of large-scale password breaches has demonstrated that these techniques have failed.”

He believes the solution is to put bulk password data “beyond reach” in a dedicated hardware-supported database that only allows data to be stored and compared, never revealed. 

“This makes it impossible for anyone – whether a criminal or a system administrator – to read the password database or extract passwords from it,” said Harwood. 

Read more about password security

Read more on Hackers and cybercrime prevention