During the very first session I attended at Enfuse 2016, “Public Information Gathering and Social Engineering: Low Tech, High Reward,” presented by Ken Pyle, partner with DFDR Consulting, I was blown away by how easy it is to gather personal information and gain access to a network. In another post, I will go more in depth about how companies are unwittingly sharing everything a bad guy needs to get into your system, but today, I want to tie one of Pyle’s comments to something that is currently in the news.
As he spoke about the ways we leave traces of information behind for hackers to find and use, Pyle mentioned MySpace, calling it a gold mine of information for thieves. Yes, the social media site has all but disappeared from the social networking consciousness, but the site itself didn’t disappear. Neither did all of that information that users once shared with the same vigor they now share on Facebook, Instagram and other sites. No one ever deletes their stuff, Pyle told the audience. Mostly, we forget that it is even there.
The bad guys haven’t forgotten, though, and chances are good they’ll find that treasure and use it to their advantage.
It didn’t take long for Pyle to prove prophetic. Shortly after returning home from the conference, I discovered that MySpace was among the social media sites to be breached. And, according to eSecurity Planet:
The Myspace data includes email addresses, user names and passwords. In a separate article, Motherboard notes that the Myspace breach appears to be the largest theft of email addresses and passwords in history.
Now, as a CNET article pointed out, if you changed and strengthened passwords since 2013 and didn’t include too much PII in your profile, you should be okay. But I suspect that a lot of MySpace passwords and user name combinations have been migrated to other accounts. Despite knowing the dangers of poor password management, we still aren’t very good at updating and changing passwords unless forced to. As Dodi Glenn, VP of cyber security at PC Pitstop, told me in an email comment:
The use of weak passwords and unencrypted database passwords still presents a serious security problem to individuals and companies alike, and it’s one of the top causes of data breaches. With username and password reuse, an individual may use the same email address or username and password on site A that they would use on sites B and C. When site A gets compromised, the hacker uses an underground tool to check other various sites to see if this account login and password combination exists elsewhere, not associated with MySpace.
As Craig Kensek, security expert with Lastline, told me, organizations should use this MySpace breach as a learning experience, as well as a signal to invest in newer technologies that will do a better job at protecting data from increasingly complex attacks.