Cybersecurity Month will end on Halloween, but the byte-sized bogeymen will stay. Data breaches have been on the rise for years. And when it comes to companies, hackers like to play their own trick-or-treat game, demanding millions of dollars in exchange for access to their own data.
But there are ways to protect yourself against cyber monsters, ghosts and zombies out there. We collected some of the horrifying password stories and show you how you can prevent being haunted by hackers- on Halloween and any other time.
“Please hold the line”
Of all the things we hate doing, calling a customer service line must be in the top 5. It’s painful, wastes time, and you might end up with no solution. A true Halloween nightmare, as two people from our recent UX survey found out:
“My worst authentication experience? Being locked out then having to ring a it helpline. I was on hold for half an hour, then it took another 20 mins to sort it out.”
He doesn’t know it, but he was lucky. Sometimes, sorting out your login details can take days:
“I tried logging into my banking account once after I had changed my phone. I was trying to login using the new phone but it would not let me as my account was linked to the old phone. I had to ring the bank and was on hold for a very long time. They had to deactivate my account and send a code in the post. I could not access my bank account for several days.”
Return to sender
When the government is involved, things can get really complicated. One person sent us this spooky story:
“I got locked out of my government gateway childcare account. Then, I got a previous address wrong, so I had to provide notarised identity documents before they would provide me with a code to reset my password. I had to phone them to use the code. The whole process took 6 weeks!”
Are you using Google password manager? Then this story might give you goosebumps:
“I’ve had my phone sent off for repair and then it was factory reset. As many of my passwords are remembered by google, I couldn’t remember them. It was a bit of a nightmare as I’d forgotten my Google password too and had to go round in circles with my computer, then my email address…!”
No shop till you drop
This story is our hint to eCommerce: here’s a metric you might be missing.
“I have an account that is very strict about the password requirements to the point I never remember the password I selected. Every time I log into the account I have to change the password - it stops me from shopping on that website.”
If this eCommerce company knew their login prevents shoppers from buying, they’d reconsider their authentication options.
Cyberattacks or forgotten passwords are scary enough for an individual, but when hackers attack a business, the result often impacts thousands of people. Here are some of the frightening data breaches and how they could have been prevented:
Old Colonial Pipeline Attack
When a cyberattack leads to oil shortages across the East Coast of the U.S.A., things get scary. In May 2021, The Colonial Pipeline, the largest pipeline system for refined oil products in the U.S., suffered a ransomware cyberattack that impacted the computers managing the pipeline. According to a cybersecurity consultant who responded to the attack, it was caused by a single compromised password. It seems that an employee of the company reused the same password on another account that was previously breached.
The cybercrime syndicate behind the attack is appropriately named DarkSide. It stole nearly 100 gigabytes of data from Colonial Pipeline and forced the company to pay a $4.4 million ransom shortly after the hack to avoid disclosing sensitive information.
In the end, the police caught up with them: the prolific cybercrime cartel claimed that its servers had been seized by law enforcement and announced it would wind up its Ransomware-as-a-Service (RaaS) affiliate program for good. It is estimated that the gang stole nearly $90 million during the nine months of its operations. Scary stuff.
As a result of this incident, the U.S. Transportation Security Administration issued a security directive that requires pipeline operators to report cyberattacks to the Cybersecurity and Infrastructure Security Agency (CISA) within 12 hours.
How could that have been prevented?
Industry experts say that 99% of compromised user accounts come from password reuse. Password reuse has become a widespread issue, with many people using the same password many times. Reusing passwords is problematic. Once a hacker has your credentials, they can effortlessly gain access to multiple accounts. That fact doesn’t seem to put many people off:
According to a Google survey, only 45% of Americans would change an online account password if they discovered it had been breached. And I.T.professionals aren’t better: they’re almost as likely (51%) as other individuals (49%) to share passwords with others.
The Ponemon Institute report found that 55% of individuals and I.T specialists would like to protect their accounts by a method that doesn’t involve passwords. Most individuals are looking for ease of use on top of better security. MIRACL can give you exactly that. It takes minutes to set up and seconds to log in.
Uber was hacked — again
Halloween came earlier than expected for the world’s biggest cab company: in September 2022, an 18-year-old hacker compromised Uber’s network. Together with a network called Lapsus, he set up a man-in-the-middle MFA portal and claimed to be from Uber’s IT department. It tricked an employee into revealing his authentication credentials.
How could that have been prevented?
Man-in-the-middle attacks are alarmingly common. Some experts estimate they make up roughly 35% of attacks that exploit cyber vulnerabilities. Hackers often drop in on a cafe or airport WiFi connection to make a quick score. MIRACL is resistant to all attacks, from man-in-the-middle to replay, credential stuffing, password spraying and phishing. No hocus pocus involved: Our zero-knowledge proof protocol means there are no vulnerable password databases from the authentication process.
Game company Rockstar, the developer behind the Grand Theft Auto series, was also a hacking victim this year. The hacker leaked footage of its unreleased Grand Theft Auto VI and claims to have the game’s source code, and is apparently trying to sell it. It looks like this data breach was caused by social engineering; the hacker gained access to an employee’s Slack account. They also claim to be responsible for the Uber attack.
In a statement, Rockstar said: “We recently suffered a network intrusion in which an unauthorized third party illegally accessed and downloaded confidential information from our systems, including early development footage for the next Grand Theft Auto.”
How could that have been prevented?
Don’t assume you’re safe. Keep reevaluating your authentication methods and when new authentication technologies come along, adopt them early to stay ahead of threat actors. To us, that means letting go of the idea that passwords are a way to keep your business safe. According to LastPass, employees reuse a password an average of 13 times. Educate your team about the dangers of password reuse and give them tools to make it as simple as possible to keep all data secure. MIRACL provides single-step MFA in just two seconds, within the browser window on any device. One PIN and you’re in. That eliminates the need for more passwords and ensures your employees’ logins are safe.