Yahoo disclosed that a breach in August 2013 by a group of hackers had compromised 1 billion accounts. In October of 2017, Yahoo changed the estimate to 3 billion user accounts.
In May 2019, First American Financial Corporation reportedly leaked 885 million users’ sensitive records that dated back more than 16 years, including bank account records, social security numbers, wire transactions, and other mortgage paperwork.
In March 2020, CAM4 had its Elasticsearch server breached, exposing over 10 billion records. The breached records included sensitive information such as full names, email addresses, sexual orientation, chat transcripts, and email correspondence transcripts.
Breaches take many forms, often going after personally identifiable information, including credit card data and health records. These are directly related to identity theft. Unfortunately the fun does not end there. Breaches also compromise services by introducing ransomware that has shut down hospitals (half of US hospitals have shut down systems due to ransomware, according to InfoSecurity Magazine), municipalities (Lafayette, Colorado) and energy distribution (Colonial Pipeline).
What have we learned from all of this? Apparently not enough!!
Many of these breaches were the direct result of stolen credentials, most commonly user IDs and passwords. And a great irony is that some of the companies attacked were companies specializing in user IDs and passwords. I remember discussing user IDs and passwords as a temporary, compromise means of authentication for the internet back in the 90s. Surely they were good enough for sharing information that did not involve commerce, payments or banking; the 90s internet was mostly just that. But we’ve come a long way, baby. Trillions of dollars are exchanged on the internet, every business transaction on the internet starts with establishing the identity of the customer, and user IDs and passwords generally suck because they have been stolen many, many times and are used to do great harm. The same is true of devices used for authentication.
The breach goes on…
More recently hackers went after the identity authentication company Okta. It has been reported that this breach occurred through a compromised account of a customer support engineer working at a contracted call center. Okta has now confirmed an attacker had access to one of its employee’s laptops for five days in January 2022 and that around 2.5 percent of its customers may have been affected. Leaked or stolen identity credentials yet again. The irony would be entertaining if it were not so distressing.
What do we do about it? What should every enterprise do about it?
There is a well-known bible verse that goes “When I was a child, I spoke as a child, I understood as a child, I thought as a child; but when I became a man, I put away childish things.” This is a great analogy for the internet.
When the internet was a child back in the 90s, it was OK to have weak authentication. Commerce and identity were not big factors. But the internet has grown to adulthood and continues to expand and envelop all aspects of the human experience. It is time to put away childish things. It is time to put away user IDs and passwords.
Authentication must rise to the challenge: biometrics that cannot be stolen, liveness detection, physical ID verification, and a network that does not create honeypots of billions of records that can be targeted and stolen. We have the technology to accomplish all of this today: not just the technology to authenticate with much higher assurance using credentials that cannot be stolen, but the ability to do it over a zero-knowledge network that inherently provides the security and privacy that must be provided.
The breach must not go on!
Journey is here to help…
Michael Frendo
CTO Journey