8.4 Billion Passwords Breached: Are you sure the customer you’re emailing with is really your customer?
Most financial companies consider their own security, ever-vigilant for attacks on their own systems, but data breaches taking place everywhere else still create new risks to deal with. What happens if those around you are severely compromised and nobody knows?
Will LaSala, the Director of Security Solutions at OneSpan, saw a giant red blip on the radar last week: the largest compilation of leaked passwords in history. A 100 GB file containing 8.4 billion passwords appeared on a popular hacker forum.
Need your merchant to send you their bank log-ins to set up ACH payments? That is exactly when hackers can get you, LaSala said, adding that these leaks have become more common this past year as the world became digital-first.
“So passwords are really a weak form of authentication, right? If you’re using a password today, you’re asking to be hacked,” LaSala said. “With this breach alone, it’s probably close to 25 billion credentials that are out in the dark web today.”
Dubbed ‘RockYou2021,’ it’s a shocking compilation of breached data, even larger than the 3.2 billion email and password combinations leaked in February this year.
There are only 4.5 billion internet users, according to Statista, so that’s a lot of passwords. The only way to stay ahead of the blistering pace at which cracking technology is evolving is multi-factor authentication, LaSala said. Many believe their passwords are safe, he said, because just five years ago they were unbreakable. Some of those can now be cracked in seconds.
“We saw the death of an [encryption] algorithm called DES about six or seven years ago now,” LaSala said. “Very soon after that, we saw the death of the next algorithm, which was called triple-DES. People did not believe that those algorithms could be cracked in the amount of time that it was.”
LaSala said that ultimately, without multiple factors, data is easy to take. Some hackers don’t just steal data or finances the moment they get access to it either, LaSala warned, but instead dig deep into systems for years, even decades. There, they may steal data quietly undetected or focus on installing backdoors to ensure their access is permanent.
Perhaps many financial companies are already monitoring for this type of intrusion, but what to make of the possibility that their customers have been compromised? How do they know that they’re even communicating with their actual customers? They would do well to advise their customers to use multi-factor authentication in everything else they do online, not just with them. It would probably be to everyone’s benefit.
“The ability to use something you have like a mobile device, plus something like a pin, or even a fingerprint or a base ID, you combine those different factors of authentication together, and it makes it so that breaches like this, you’re not going to get caught up in anymore,” LaSala said.
Last modified: June 18, 2021
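The two defensive measures the article points to, screening new passwords against a leaked compilation and requiring a second factor that the attacker does not hold, can be shown in a few dozen lines. The following is an added example written for this page, not code from OneSpan or deBanked; the "leaked" list is a constructed sample of five strings rather than the RockYou2021 file, the TOTP key is the RFC 4226/6238 test key, and the `register`/`login` functions are hypothetical names chosen for the illustration.

```python
import hashlib
import hmac
import os
import struct

# Constructed stand-in for a leaked-password compilation: in practice this set
# holds hashes of the real leak so the plaintexts never sit on the server.
CONSTRUCTED_LEAKED_PASSWORDS = ["123456", "password", "qwerty", "rockyou", "letmein"]
BREACHED_SHA1 = {hashlib.sha1(p.encode()).hexdigest().upper()
                 for p in CONSTRUCTED_LEAKED_PASSWORDS}

# RFC 4226 / RFC 6238 test key (ASCII "12345678901234567890"); a real deployment
# generates a random per-user secret and shares it with the user's authenticator.
DEMO_TOTP_KEY = b"12345678901234567890"


def password_is_breached(password: str, breached_sha1=BREACHED_SHA1) -> bool:
    """True when the candidate password appears in the breached-hash set."""
    return hashlib.sha1(password.encode()).hexdigest().upper() in breached_sha1


def hotp(key: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the 8-byte big-endian counter, then
    dynamic truncation to a decimal code of the requested length."""
    mac = hmac.new(key, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = ((mac[offset] & 0x7F) << 24
            | mac[offset + 1] << 16
            | mac[offset + 2] << 8
            | mac[offset + 3])
    return str(code % 10 ** digits).zfill(digits)


def totp(key: bytes, unix_time: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP: HOTP with the counter derived from the time step."""
    return hotp(key, unix_time // step, digits)


def verify_totp(key: bytes, submitted: str, unix_time: int, window: int = 1) -> bool:
    """Accept the code for the current 30 s step or its immediate neighbours,
    using a constant-time comparison so the check does not leak by timing."""
    counter = unix_time // 30
    return any(hmac.compare_digest(hotp(key, counter + delta), submitted)
               for delta in range(-window, window + 1))


def register(password: str) -> dict:
    """Refuse breached passwords; store a salted PBKDF2 verifier, never the password."""
    if password_is_breached(password):
        raise ValueError("password appears in a known breach; choose another")
    salt = os.urandom(16)
    verifier = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 200_000)
    return {"salt": salt, "verifier": verifier}


def login(record: dict, password: str, otp_code: str, key: bytes, unix_time: int) -> str:
    """Both factors must pass: the password (something you know) and the
    time-based code (something you have). Returns a short status string."""
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), record["salt"], 200_000)
    if not hmac.compare_digest(candidate, record["verifier"]):
        return "bad-password"
    if not verify_totp(key, otp_code, unix_time):
        return "bad-otp"
    return "ok"


if __name__ == "__main__":
    # Constructed walk-through: a leaked password is rejected at sign-up, a fresh
    # one is accepted, and a login with a stolen password but no code fails.
    try:
        register("rockyou")
    except ValueError as exc:
        print("sign-up refused:", exc)
    rec = register("constructed-strong-passphrase-2021")
    now = 59  # RFC 6238 test time; a server would use int(time.time())
    print(login(rec, "constructed-strong-passphrase-2021", totp(DEMO_TOTP_KEY, now), DEMO_TOTP_KEY, now))
    print(login(rec, "constructed-strong-passphrase-2021", "000000", DEMO_TOTP_KEY, now))
```

The breached-password screen is what lets a service act on a leak like RockYou2021 without ever seeing the customer's other accounts, and the second factor is what makes a leaked password alone insufficient, which is the point LaSala makes about combining factors.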
Kevin Travers was a Reporter at deBanked.