Password and credentials related breaches

Passwords and credentials are coveted by cybercriminals because a valid credential lets an attacker walk through security controls instead of breaking them, and the resulting logins look like ordinary use. This page lists some breach incidents related to the misuse of credentials and passwords.

GoDaddy Case

GoDaddy, one of the largest domain registrars and web hosting companies, announced that an unauthorized party had gained access to its servers in October 2019. The breach, which was discovered only in April 2020, affected the SSH credentials of approximately 28,000 of the company's hosting customers.

All in all, it took the company about six months to discover what had happened. According to GoDaddy, the attacker broke into its network, bypassed its security controls, and obtained access to SSH login credentials hosted on GoDaddy's servers. To remedy the situation, the company reset all the exposed credentials and offered the affected customers one year of its premium security services free of charge. The unauthorized party was blocked from the server, and there is no evidence that the attacker tampered with files on the hosted accounts.

The incident happened because a critical piece of infrastructure security, SSH keys and login credentials, was not managed as carefully as it should have been. SSH is a widely used remote login method and the protocol's encryption is strong; the weak point is key management. An attacker who obtains an SSH key that grants root-level access can often hop from one environment to the next without being detected, because the key itself is legitimate even if the person presenting it is not. A key with no source restriction, no expiry and no entry in an inventory is indistinguishable from its rightful owner.

Learn why you should treat SSH keys like passwords and govern them with the same policies.
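As an added example that is not part of the original article or of GoDaddy's own tooling, the following Python script audits a fleet's authorized_keys files for the conditions described above: the same key authorized on many hosts (a ready-made lateral-movement path), keys on root without a from= source restriction, and deprecated key types. The inventory, host names and key blobs are constructed for the example; the blobs are synthetic, built in OpenSSH wire format so that they fingerprint the way ssh-keygen -l would, and are not real keys.

```python
import base64
import hashlib
import struct
from collections import defaultdict

KEY_TYPES = ("ssh-ed25519", "ssh-rsa", "ssh-dss", "ecdsa-sha2-nistp256",
             "ecdsa-sha2-nistp384", "ecdsa-sha2-nistp521", "sk-ssh-ed25519@openssh.com")
WEAK_TYPES = {"ssh-dss"}  # DSA: 1024-bit only, disabled by default in modern OpenSSH


def ssh_string(b):
    """Encode bytes as an SSH wire-format string: 4-byte big-endian length + data."""
    return struct.pack(">I", len(b)) + b


def fake_blob(keytype, seed):
    """Synthetic public key blob (string(keytype) + string(32 bytes)), base64 encoded.
    It has the shape of an ssh-ed25519 blob so it fingerprints correctly, but it is
    NOT a real key: the 32 bytes are just a hash of `seed`. Constructed for this example."""
    body = hashlib.sha256(seed).digest()
    return base64.b64encode(ssh_string(keytype.encode()) + ssh_string(body)).decode()


def split_options(line):
    """Return (options, rest). Options run up to the first whitespace outside double
    quotes; a line whose first token is a key type has no options.
    (Backslash-escaped quotes inside option values are not handled.)"""
    if line.split(None, 1)[0] in KEY_TYPES:
        return "", line
    in_quote = False
    for i, ch in enumerate(line):
        if ch == '"':
            in_quote = not in_quote
        elif ch.isspace() and not in_quote:
            return line[:i], line[i + 1:]
    return line, ""


def parse_line(line):
    """Parse one authorized_keys line; None for blank or comment lines."""
    line = line.strip()
    if not line or line.startswith("#"):
        return None
    options, rest = split_options(line)
    parts = rest.split(None, 2)
    if len(parts) < 2:
        raise ValueError(f"malformed authorized_keys entry: {line!r}")
    blob = base64.b64decode(parts[1])
    # Same fingerprint form as `ssh-keygen -lf`: SHA256 of the raw blob, base64 without padding
    fp = "SHA256:" + base64.b64encode(hashlib.sha256(blob).digest()).decode().rstrip("=")
    return {"options": options, "type": parts[0], "fingerprint": fp,
            "comment": parts[2] if len(parts) == 3 else ""}


def audit(inventory, share_threshold=2):
    """inventory: {host: {user: [authorized_keys lines]}} -> sorted list of (category, detail)."""
    findings = []
    hosts_by_fp = defaultdict(set)
    for host, users in inventory.items():
        for user, lines in users.items():
            for raw in lines:
                e = parse_line(raw)
                if e is None:
                    continue
                hosts_by_fp[e["fingerprint"]].add(host)
                if e["type"] in WEAK_TYPES:
                    findings.append(("weak-key-type", f"{host}:{user} {e['type']} {e['fingerprint']}"))
                # A root key with no from= restriction works from wherever the key is stolen to
                if user == "root" and "from=" not in e["options"]:
                    findings.append(("unrestricted-root-key",
                                     f"{host}:root {e['fingerprint']} ({e['comment'] or 'no comment'})"))
    for fp, hosts in hosts_by_fp.items():
        if len(hosts) >= share_threshold:
            findings.append(("shared-key", f"{fp} authorized on {len(hosts)} hosts: {', '.join(sorted(hosts))}"))
    return sorted(findings)


# Constructed inventory: three hosts, as if authorized_keys had been collected from each.
KEY_DEPLOY = fake_blob("ssh-ed25519", b"deploy")
KEY_ALICE = fake_blob("ssh-ed25519", b"alice")
KEY_BACKUP = fake_blob("ssh-ed25519", b"backup")
KEY_LEGACY = fake_blob("ssh-dss", b"legacy")  # synthetic; not a valid DSA blob, type string only
INVENTORY = {
    "web-1": {"root": [f"ssh-ed25519 {KEY_DEPLOY} deploy@ci"],
              "alice": [f"ssh-ed25519 {KEY_ALICE} alice@laptop"]},
    "db-1": {"root": [f"ssh-ed25519 {KEY_DEPLOY} deploy@ci",
                      f'from="10.0.0.5",command="/usr/local/bin/backup.sh" ssh-ed25519 {KEY_BACKUP} backup']},
    "legacy-1": {"root": [f"ssh-ed25519 {KEY_DEPLOY} deploy@ci",
                          f"ssh-dss {KEY_LEGACY} old-contractor"]},
}

if __name__ == "__main__":
    for category, detail in audit(INVENTORY):
        print(f"{category:22} {detail}")
```

To run it against real systems, replace INVENTORY with the contents of /root/.ssh/authorized_keys and each user's ~/.ssh/authorized_keys collected from every host. The fingerprints it reports are in the same SHA256 form as ssh-keygen -lf, so each finding can be traced back to the key's owner; a key that shows up on many hosts, on root, with no from= restriction is exactly the kind of credential that lets an intruder move around unnoticed.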

World Health Organization (WHO) Case

In April 2020, the World Health Organization (WHO) announced that some of its employees' accounts had been accessed without authorization. This case is not a breach of WHO in the strict sense: the credentials used for the unlawful access came from a large database of credentials collected from various earlier leaks. Some WHO employees had used their WHO login credentials on third-party services that were later breached, and the attackers used those reused credentials to gain access.

As a result, around 450 active WHO email addresses and their passwords were published on public sites such as Twitter. The attack did not put WHO systems in danger, because the bad actor was not able to penetrate critical WHO systems.

Zoom Case

In April 2020, more than 500,000 Zoom credentials were found listed for sale on crime forums. The news alarmed the roughly 300 million people using Zoom at the time. The credentials had not been stolen from Zoom's servers: the investigation revealed that the attackers had collected username and password pairs from earlier leaks traded on online crime forums and dark web marketplaces, then tried them against Zoom. Since people tend to reuse their login credentials, a large number of Zoom accounts could be opened simply with information found in other leaks, a technique known as credential stuffing.

Furthermore, Zoom at the time emphasized convenience over security: options like multi-factor authentication (MFA) were not in place for ordinary users, so a reused password on its own was enough to log in.
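Both the WHO and Zoom cases above are credential stuffing: leaked username and password pairs replayed against a service until reused passwords let the attacker in. As an added example, not code from Zoom, WHO or the original article, the Python script below runs a simple stuffing detector over a constructed authentication log. It flags a source that tries many distinct accounts in a short window with a low success rate, and lists the accounts that did accept a leaked password, which are the ones to reset and enrol in MFA. The log format, IP addresses, account names and thresholds are assumptions made for the example.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Assumed log format (constructed for this example), one login attempt per line:
#   2020-04-01T10:00:00Z src=<ip> user=<account> result=OK|FAIL
LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d\d-\d\dT\d\d:\d\d:\d\dZ) src=(?P<src>\S+) user=(?P<user>\S+) result=(?P<res>OK|FAIL)$"
)


def build_sample_log():
    """Constructed sample log mixing three behaviours; not real WHO or Zoom data."""
    t0 = datetime(2020, 4, 1, 10, 0, 0)

    def stamp(seconds):
        return (t0 + timedelta(seconds=seconds)).strftime("%Y-%m-%dT%H:%M:%SZ")

    lines = []
    # 1. Credential stuffing: one source replays a leaked list against many accounts.
    #    Only the two accounts whose owners reused the leaked password succeed.
    leaked = ["alice", "bob", "carol", "dave", "erin", "frank", "grace", "heidi", "ivan", "judy"]
    reused = {"carol", "frank"}
    for i, user in enumerate(leaked):
        result = "OK" if user in reused else "FAIL"
        lines.append(f"{stamp(i)} src=203.0.113.9 user={user}@example.org result={result}")
    # 2. A real user mistyping twice, then logging in: one account, must not be flagged.
    for i, result in enumerate(["FAIL", "FAIL", "OK"]):
        lines.append(f"{stamp(60 + 20 * i)} src=198.51.100.7 user=alice@example.org result={result}")
    # 3. Brute force against a single account: many failures, one username. The rule
    #    below does not fire on it; that pattern needs a per-account lockout rule instead.
    for i in range(8):
        lines.append(f"{stamp(120 + i)} src=203.0.113.50 user=bob@example.org result=FAIL")
    return lines


def parse_line(line):
    """Parse one log line into a dict; raises on anything not in the assumed format."""
    m = LINE_RE.match(line.strip())
    if not m:
        raise ValueError(f"unrecognised log line: {line!r}")
    return {"ts": datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ"),
            "src": m["src"], "user": m["user"], "ok": m["res"] == "OK"}


def detect_credential_stuffing(lines, window=timedelta(minutes=5), min_users=5, max_success_rate=0.5):
    """Flag any source that tries at least `min_users` distinct accounts inside `window`
    with a success rate at or below `max_success_rate`.
    Returns {src: {"attempts", "users", "successes", "compromised"}} for the widest
    matching window per source."""
    by_src = defaultdict(list)
    for ev in map(parse_line, lines):
        by_src[ev["src"]].append(ev)
    alerts = {}
    for src, evs in by_src.items():
        evs.sort(key=lambda e: e["ts"])
        j = 0
        for i in range(len(evs)):
            # two-pointer sliding window: evs[i:j] is every event within `window` of evs[i]
            while j < len(evs) and evs[j]["ts"] - evs[i]["ts"] <= window:
                j += 1
            chunk = evs[i:j]
            users = {e["user"] for e in chunk}
            successes = sum(1 for e in chunk if e["ok"])
            if len(users) >= min_users and successes / len(chunk) <= max_success_rate:
                best = alerts.get(src)
                if best is None or len(users) > len(best["users"]):
                    alerts[src] = {
                        "attempts": len(chunk),
                        "users": users,
                        "successes": successes,
                        # accounts that accepted a leaked password: force a reset and enrol MFA
                        "compromised": sorted(e["user"] for e in chunk if e["ok"]),
                    }
    return alerts


if __name__ == "__main__":
    for src, a in detect_credential_stuffing(build_sample_log()).items():
        print(f"{src}: {a['attempts']} attempts on {len(a['users'])} accounts, "
              f"{a['successes']} succeeded -> reset {', '.join(a['compromised'])}")
```

The thresholds (window, min_users, max_success_rate) are starting points to tune against real traffic. The single-account brute force in the sample is left unflagged on purpose: this rule only catches the many-accounts pattern that stuffing produces, and needs a companion per-account lockout or rate-limit rule. Note that a stuffing source succeeds a few percent of the time, so the successes are the signal to act on, not just the failures.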

Learn more about how passwordless access could prevent cases like those of Zoom and WHO.

References

https://www.hackread.com/godaddy-data-breach-hackers-access-ssh-accounts/

https://www.forbes.com/sites/daveywinder/2020/04/28/zoom-gets-stuffed-heres-how-hackers-got-hold-of-500000-passwords/?sh=4eda2ea35cdc

https://www.who.int/news/item/23-04-2020-who-reports-fivefold-increase-in-cyber-attacks-urges-vigilance