Cyber Incident? Get Help

Credential theft: Protect your phone number like you protect your social security number

Featured Image for Credential theft: Protect your phone number like you protect your social security number

At the beginning of April, over half a billion Facebook users had their account details leaked online. Given that nearly 533 million accounts were leaked, roughly 1-in-5 users were affected, which means there is a 20% chance any Facebook account was compromised. Hackers reportedly scraped the data in 2019 and only posted the leak as a database online recently, making it free and easily accessible to anybody who wants it.

One of the most dangerous things about this recent breach is that it made everyone’s phone numbers identifiable and easily associated with email accounts. This is much worse than it appears on the surface and arguably worse than if passwords were exposed, rather than phone numbers.

The classic stolen email password attack

But let me start at the beginning; In order to understand the systemic risk involved, and start to illustrate the ways that attacking breaches like this are industrialized, let's consider the age-old stolen email password attack.

We set up servers to send a spoofed email to demonstrate a common tactic used by adversaries. This system is also unique because many fake corporate entities also point to these servers. This network is operated as a honeynet to lure in threat actors. A honeynet set up with intentional vulnerabilities and even fake, stolen credentials — a virtual trap. In this case, threat actors are criminals or bad guys looking to steal information or misuse systems to further act on similar objectives. Security researchers use honeynets to gather information about an attacker’s methods and motives.

The second the server was online and exposed to the internet, it was attacked using stolen credentials. I’m talking milliseconds. Hackers move fast.  

This indicates persistent and automated processes designed to constantly re-assess systems, just knocking on the door, waiting for a mistake in a configuration, or change in infrastructure to let them in.

Before we can explain why the Facebook hack was such a big deal, we need to explain what credential theft is and the techniques bad actors use to steal personal information. We will leave you with ways to check if you’ve been hacked and provide secure methods to protect yourself.

What is credential theft?

Credential theft is a cyber crime involving the unlawful attainment of an organizations’ or individual’s passwords. The goal is to access and exfiltrate critical data and sensitive information, usually through the use of malware, which opens the door to business email compromise and funds transfer fraud down the line.

Bad actors hack marketing websites and public listing sites to steal credentials. This can include the logins and passwords of past employees, third-party vendors, contractors, and more. The attackers then use these stolen credentials to infiltrate networks, install malware on servers or workstations and commit serious (and expensive) crimes. They are even automating this process on a large scale.

Email spoofing: Email spoofing is the creation of an email with a forged sender address. Criminals spoof emails in the hopes of duping the recipient (i.e., the victim) into thinking the email originated from a trusted source.

Malicious attackers look for open resources, which contain data collected from previous breaches. Threat actors use bots to find logins or email services that use passwords and logins for different purposes, automatically scraping those stolen credentials.

How does one login password combo leave people so vulnerable? People often set weak passwords, re-use passwords making multiple accounts accessible, use their business emails to get up private accounts, and forget to check if they have ever been compromised, potentially leaving them with decades of extreme exposure. Even passwords set years ago and forgotten can be used today to compromise new accounts

Techniques attackers use to steal your credentials

Cybercriminals have become incredibly sophisticated and specific when targeting organizations, their employees, and their users. It’s common for them to select networks or devices that hold large amounts of sensitive or confidential information, like financials or personally identifiable information (PII).

These are the main techniques cybercriminals use to steal credentials:

  • Phishing – sending emails that contain links to malicious documents or files requesting your password to view them

  • Malware – malicious PDFs or Word/Excel document attachments in emails that install hidden programs to steal passwords

  • Brute force attacks – finding login pages for email, applications, or social media accounts and trying every possible combination

  • Credential stuffing – using stolen password dumps and trying all the username/email/password combinations in those breaches to see if any work

  • Weak and default credentials – guessing things like “admin, admin” or “Admin, Password” to try to login to remote systems or VPNs

  • Application vulnerabilities – exploiting things like that let attackers bypass the log in all together and remotely access systems

The Facebook hack felt around the world

The bad actors who hacked Facebook didn’t just steal logins and passwords — depending on what was available, they stole Facebook IDs, full names, location, birth date, profile contents, email addresses, and phone numbers.

Your cellphone number has more privacy implications than revealing your social security number. Your phone number can tell someone everywhere you have ever been, who your friends are, where you do your banking, and even where you are right now reading this.

Why phone numbers matter

Chances are, you receive a lot of important notifications via SMS or iMessage on your phone. You may receive a text when your bank detects fraud, someone has accessed your email from a new device, or someone ordered food delivery from your account. Hackers can easily intercept your text messages without ever touching your phone — meaning you never see notifications of irregular activity or requests for approval.

When a threat actor has your number, they may be able to bypass SMS text message-based Multi-factor Authentication (MFA also known as 2FA). MFA immediately increases your account security by requiring multiple forms of verification to prove your identity when signing into an application. With MFA, users must also provide a digital token or code provided by a secondary device (often a mobile device) in the user’s physical possession to gain access to their account. But, if an attacker has your information, including your phone number, they can side-step these security measures entirely. These attacks are well known and even outlined in a recent article from Vice.

We recommend using a random token code app like Google Authenticator as MFA in conjunction with a password manager as the most secure approach to managing your logins. Instead of using your own phone number for signing up for social media, apps, and contact forms, consider a Skype number or Google Voice number instead.

How to protect your credentials

Check to see if your credentials have been compromised

HaveIBeenPwned.com has updated their search parameters to include phone numbers (in international format), so if you want to see if you were affected, please don’t forget to add the +1 for our US and Canada audience.

With breaches of this magnitude, there is some relative safety in numbers. Here are a few ways to defend yourself:

  1. Be aware and let your friends know too.

  2. Understand that every text message you receive needs to be treated just like an email. Don’t click links, and don’t assume it came from who it appears to have come from. Instead, use a secure messaging app like Signal. Try to migrate off of other platforms like SMS that are less secure.

Coalition policyholders receive third-party breach notifications automatically as part of their insurance policy at no additional cost. But we don’t collect personal cell phone numbers, so use the link above to understand if you’ve been impacted.

Get a password manager

While it may feel daunting to worry about the length, strength, and update-frequency of your company passwords — it’s necessary. Passwords need to be unique (don’t reuse passwords multiple times), strong (with a mix of letters, numbers, and symbols), and updated regularly.

Password managers help keep track of multiple passwords and generate new ones at random. They are essentially an encrypted vault for storing passwords that are protected by one master password. That way, if a threat actor gains access to one of your passwords, that password won’t be shared by any other account, so the extent of the compromise stops there. You don’t want someone to be able to access your bank accounts because they stole your social media logins, for example.

Request a Coalition Risk Assessment

If you’re concerned about stolen credentials related to your organization: We believe stolen credentials are so crucial we include them in our Coalition Risk Assessment. This report, powered by our robust security platform, collects hundreds of thousands of data points on security vulnerabilities related to your domain.

We've simplified this data into a document with personalized recommendations and easy-to-implement security measures. If there are any credentials related to your organization that have been compromised, you’ll see them listed in the CRA. Our list of breached passwords could indicate users who might be targets. Request a Coalition Risk Assessment for your business

Don’t become a target

We are seeing so many different attacks right now and watching the sophistication grow. The dangers are only increasing as ransomware becomes more prevalent and the ransoms get bigger. These threat groups see the profitability in stealing your information, and interest is on the rise.

For more ways to keep your organization safe and secure in 2021, download the Coalition Cybersecurity Guide.