The worst data breaches of 2013 took a different path that in previous years – instead of being all about scale, breaches became far more strategic. While the overall number of exposed records is down, the breaches that did occur were immensely important, creating a cascading effect of additional breaches, directly moving financial markets, and exposing source code and intellectual property.
Let’s start with some context. According to Privacy Rights Clearing House, overall breaches are down 27% compared to 2012, with a staggering 52% drop in compromised records. With the overall number of comprised records down, you could argue that the situation has improved. But this is far from what we have seen in the wild.
As is often the case in security, a decrease in volume only tells part of the story. The attack landscape is far from being tamed, with the same powerful motivations and malicious individuals very much intact. What has changed are the tactics, the methodology, and the trend toward more specialized attacks against higher-value targets. Let’s take a deeper look into the anatomy of the most interesting breaches.
Adobe – 150 million exposed account credentials leading to secondary breaches all over the Internet
You can’t tell the story of 2013 without Adobe, a breach unique in both scale and, more interestingly, the asymmetric ripple effects across the security landscape. First disclosed by Brian Krebs, the story brought us an official statement from Adobe, with research revealing more than 150 million user IDs with hashed passwords were stolen, including at least 38 million active users.
One of the many dirty not-so-secret secrets of our world is how frequently people use the same usernames and passwords across multiple sites. We immediately saw attackers pivot with the Adobe list toward compromising other web applications, user identities, and even credit information. In fact, major sites like Facebook and Evernote saw the risk, and advised their users to update their passwords immediately. The impact didn’t stop with just web applications, as many savvy enterprise risk management teams took the same steps. They have to be vigilant; these lists will continue to be a source of information for years to come, being loaded into attack toolkits, brute-force password cracking lists, and potentially for more nefarious activities like Spearphishing and other targeted compromise.
User information was not the only goal in this attack, and the bad guys were after something far more interesting and valuable: source code for many of Adobe’s products. Just as with the duplication of passwords across multiple sites, many organizations don’t keep their software patched and up to date. What that means is that a persistent attacker’s job becomes easier, with the source code potentially opening a new world of vulnerabilities and zero-day exploits against unpatched applications.
Check back tomorrow for more discussion of 2013’s Worst Data Breaches, including the use of social media and the news as an attack vector.