Safeguarding against data leaks: protecting passwords and tokens

PUBLISHED: 1/8/2023


If you don’t change the locks, we all have the key.

When breach data leaks into the public domain, it never leaves. You must replace those passwords or tokens wherever they are used. Consider changing email aliases as well, because attackers will keep brute-forcing credentials against addresses they already know.

The leaked data can be a treasure trove of open source information for an attacker. Even when an email address appears without its password, or only alongside a seemingly irreversible hash of the password, each of these data points can be used to target an organisation. The findings range from PII (full name, address, phone number) and bank records to password hashes and, most directly, email addresses paired with exposed or weak passwords.

Because many organisations use single sign-on, and many people carelessly recycle passwords across applications, some of those leaked credentials may still be valid. It is crucial to reset ALL passwords after any confirmed security event, and it is best practice to perform password resets at a set interval and enforce long passphrases. A brute force attack that uses passwords cracked from leaked hashes against your web application is the perfect example of breached data leading to malicious access.
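One concrete way to act on this is to screen passwords against a leaked-password corpus at the moment a user sets or resets them, so that a recycled, already-breached password is rejected before it becomes valid. The example below is added here and is not code from the original article; it assumes a small constructed corpus of leaked SHA-1 hashes and shows the hash-prefix (k-anonymity) lookup pattern, in which only the first five hex characters of the candidate's hash are sent to the lookup and the full hash never leaves the checking side. The corpus, the `PREFIX_LEN` value and all account names are assumptions.

```python
import hashlib
from collections import defaultdict

# Constructed sample breach corpus. A real deployment would load hashes from a
# reputable leaked-password source; these are computed from constructed
# plaintexts purely so the example runs offline.
LEAKED_PLAINTEXTS = ["password123", "Summer2023!", "letmein", "qwerty"]
LEAKED_CORPUS = {
    hashlib.sha1(p.encode("utf-8")).hexdigest().upper() for p in LEAKED_PLAINTEXTS
}

# Length of the hash prefix that is shared with the lookup service (assumption).
PREFIX_LEN = 5


def build_range_index(corpus):
    """Group a corpus of upper-case SHA-1 hex digests by their 5-char prefix."""
    index = defaultdict(set)
    for digest in corpus:
        index[digest[:PREFIX_LEN]].add(digest[PREFIX_LEN:])
    return index


def lookup_range(index, prefix):
    """Simulated range query: return every suffix whose hash starts with prefix.

    The querying side only reveals the prefix, so the service learns neither the
    candidate password nor its full hash.
    """
    return index.get(prefix, set())


def is_leaked(password, index):
    """True if the password's SHA-1 hash appears in the leaked corpus."""
    digest = hashlib.sha1(password.encode("utf-8")).hexdigest().upper()
    prefix, suffix = digest[:PREFIX_LEN], digest[PREFIX_LEN:]
    return suffix in lookup_range(index, prefix)


def check_accounts(candidates, index):
    """candidates: mapping of username -> password submitted on a reset form.

    Returns the sorted list of usernames whose chosen password is known-leaked
    and must therefore be rejected.
    """
    return sorted(user for user, pw in candidates.items() if is_leaked(pw, index))


if __name__ == "__main__":
    idx = build_range_index(LEAKED_CORPUS)
    # Constructed reset-form submissions, not real accounts.
    submissions = {"alice": "Summer2023!", "bob": "Tr0ub4dor&3-unique"}
    print("reject:", check_accounts(submissions, idx))
```

SHA-1 is used here only as the lookup key that leaked-password corpora are commonly indexed by; it is not a password storage hash, and stored credentials should still use a slow, salted scheme. The check belongs at password-set time, where the plaintext is legitimately present, rather than being run against stored hashes afterwards.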

Checklist

Follow this checklist to improve your cyber security:

  1. Identify potentially leaked credentials: Regularly check reputable sources for lists of leaked passwords and tokens. Compare them against your organisation's accounts to identify potential vulnerabilities.
  2. Promptly replace breached passwords or tokens: As soon as you identify any leaked credentials belonging to your organisation, replace them wherever they are used. This includes all associated accounts, services, and systems.
  3. Implement Multi-Factor Authentication (MFA): Enable MFA for all critical accounts, especially for those that have experienced breaches in the past. MFA adds an extra layer of security and reduces the risk of unauthorised access attempts.
  4. Monitor compromised accounts: Keep a close eye on accounts that have been breached in the past. Implement additional monitoring and logging to detect any suspicious activities or login attempts.
  5. Respond to suspicious activities: If you notice any unusual or suspicious activities related to compromised accounts, investigate and respond promptly to prevent further damage.
  6. Educate users about password hygiene: Train your users on creating strong and unique passwords, the dangers of password reuse, and the importance of promptly updating passwords when required.
  7. Consider email alias changes: In cases where attackers might be targeting specific email addresses, consider changing the user's email alias to add an extra layer of protection against brute force attacks.
  8. Regularly review access logs: Monitor access logs for all critical systems and services to identify any unauthorised access attempts or suspicious patterns.
  9. Restrict access based on the principle of least privilege: Limit user access to only what is necessary for their roles. This minimises the impact of a potential breach and reduces the attack surface.
  10. Regularly test incident response procedures: Conduct periodic drills to test your incident response procedures and improve the organisation's ability to handle potential data breaches.
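Items 4 and 8 above both come down to spotting the patterns that breached-credential replay leaves in authentication logs: one source hammering a single account, one source trying a few guesses across many accounts (password spraying), and, most urgently, a success that follows a burst of failures from the same source. The detector below is an added example, not code from the original article; it assumes a constructed syslog-like line format (`auth: FAILED|OK login user=... src=...`) and the thresholds `fail_threshold`, `spray_users` and `success_after` are assumptions to be tuned against your own baseline.

```python
import re
from collections import Counter, defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample log lines in an assumed format; not real traffic.
SAMPLE_LOG = """\
2023-08-01T10:00:01Z auth: FAILED login user=alice src=203.0.113.5
2023-08-01T10:00:02Z auth: FAILED login user=bob src=203.0.113.5
2023-08-01T10:00:03Z auth: FAILED login user=carol src=203.0.113.5
2023-08-01T10:00:04Z auth: OK login user=carol src=203.0.113.5
2023-08-01T10:01:00Z auth: FAILED login user=dave src=198.51.100.7
2023-08-01T10:01:01Z auth: FAILED login user=dave src=198.51.100.7
2023-08-01T10:01:02Z auth: FAILED login user=dave src=198.51.100.7
2023-08-01T10:01:03Z auth: FAILED login user=dave src=198.51.100.7
2023-08-01T10:01:04Z auth: FAILED login user=dave src=198.51.100.7
2023-08-01T10:30:00Z auth: FAILED login user=erin src=192.0.2.9
2023-08-01T10:30:05Z auth: OK login user=erin src=192.0.2.9
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) auth: (?P<result>FAILED|OK) login user=(?P<user>\S+) src=(?P<src>\S+)$"
)


def parse(log_text):
    """Yield one event dict per well-formed line; unparseable lines are skipped."""
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        ev = m.groupdict()
        ev["ts"] = datetime.strptime(ev["ts"], "%Y-%m-%dT%H:%M:%SZ")
        yield ev


def detect(events, window=timedelta(minutes=5), fail_threshold=5,
           spray_users=3, success_after=3):
    """Return a list of (kind, source_ip, user) findings.

    kind is one of:
      brute_force            - fail_threshold failures for one user from one source
      password_spray         - failures against spray_users distinct users from one source
      success_after_failures - a login succeeds after success_after recent failures
    Each finding is emitted once, at the moment the threshold is crossed.
    """
    findings = []
    recent = defaultdict(deque)  # src -> deque of (timestamp, user) failures in window
    for ev in sorted(events, key=lambda e: e["ts"]):
        q = recent[ev["src"]]
        while q and ev["ts"] - q[0][0] > window:  # expire failures outside the window
            q.popleft()
        if ev["result"] == "FAILED":
            q.append((ev["ts"], ev["user"]))
            per_user = Counter(u for _, u in q)
            if per_user[ev["user"]] == fail_threshold:
                findings.append(("brute_force", ev["src"], ev["user"]))
            if len(per_user) == spray_users:
                findings.append(("password_spray", ev["src"], None))
        elif len(q) >= success_after:
            # A success right after a burst of failures is the signal to act on:
            # the account has very likely just been taken over.
            findings.append(("success_after_failures", ev["src"], ev["user"]))
    return findings


if __name__ == "__main__":
    for kind, src, user in detect(parse(SAMPLE_LOG)):
        print(f"{kind:24s} src={src} user={user}")
```

Running it over the constructed sample flags the spray from `203.0.113.5`, the subsequent successful login as `carol` from the same source, and the single-account brute force against `dave`; the one mistyped password from `192.0.2.9` produces no finding, which is the behaviour you want so that analysts are not paged for ordinary typos.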

By following this checklist, you can better protect your organisation from the risks associated with data leaks and enhance your overall cyber security posture.
