Ben Canner | Solutionsreview.com
An as-yet-unidentified hacker yesterday posted roughly 1.9 million user records stolen from the online photo-editing application Pixlr. The leaked data, including email addresses, login names and SHA-512 password hashes, was dumped on a hacker forum. Note that SHA-512 is a fast general-purpose hash, not a password-hashing function: weak or reused passwords in such a dump can be recovered offline by dictionary attack and then reused in credential-stuffing attempts against other services.
The fallout for affected users could be severe. To find out what enterprises can do to secure their users' identities, we reached out to several cybersecurity experts. Here is what they had to say about the Pixlr exposure.
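The following Python example, added here and not part of the original article or of anything Pixlr has published, shows why "hashed with SHA-512" is weaker than it sounds. The dump rows and the wordlist are constructed for the example; the page does not say whether Pixlr salted its hashes, so the unsalted rows are an assumption and the salted rows illustrate the alternative. It runs an offline dictionary attack against both forms, counts the work each needs, and contrasts the guess rate with a deliberately slow PBKDF2-SHA512 (used because it is in the standard library; Argon2id or bcrypt would be the usual production choice).

```python
import hashlib
import os
import time


def sha512_hex(password: str, salt: bytes = b"") -> str:
    """Plain SHA-512 over salt || password. This is a fast general-purpose
    hash, not a password-hashing function, which is the whole problem."""
    return hashlib.sha512(salt + password.encode()).hexdigest()


# Constructed sample "dump": (login, email, salt, sha512 hex). These rows are
# invented for this example and are not from the Pixlr data set. Unsalted
# storage is an assumption about the format, not a fact stated on the page.
UNSALTED_DUMP = [
    ("alice", "alice@example.com", b"", sha512_hex("password123")),
    ("bob", "bob@example.com", b"", sha512_hex("letmein")),
    ("carol", "carol@example.com", b"", sha512_hex("c0rrect-h0rse-b4ttery-st4ple!")),
]

# Same users, but with a random 16-byte per-user salt (the better SHA-512 variant).
SALTS = {login: os.urandom(16) for login in ("alice", "bob", "carol")}
SALTED_DUMP = [
    ("alice", "alice@example.com", SALTS["alice"], sha512_hex("password123", SALTS["alice"])),
    ("bob", "bob@example.com", SALTS["bob"], sha512_hex("letmein", SALTS["bob"])),
    ("carol", "carol@example.com", SALTS["carol"], sha512_hex("c0rrect-h0rse-b4ttery-st4ple!", SALTS["carol"])),
]

# Tiny wordlist standing in for rockyou-style lists with tens of millions of entries.
WORDLIST = ["123456", "password", "qwerty", "password123", "letmein", "welcome1"]


def crack_unsalted(dump, wordlist):
    """Hash the wordlist once, then match every leaked hash by table lookup.
    Work is len(wordlist) hashes for the entire dump, however many accounts it
    holds. Returns (cracked {login: password}, number_of_hashes_computed)."""
    table = {sha512_hex(word): word for word in wordlist}
    cracked = {login: table[h] for login, _email, _salt, h in dump if h in table}
    return cracked, len(wordlist)


def crack_salted(dump, wordlist):
    """A per-user salt defeats the shared table: each record costs its own pass
    over the wordlist, so worst-case work is len(dump) * len(wordlist). For
    SHA-512 that is still cheap; a single modern GPU computes on the order of
    a billion SHA-512 digests per second."""
    cracked, work = {}, 0
    for login, _email, salt, h in dump:
        for word in wordlist:
            work += 1
            if sha512_hex(word, salt) == h:
                cracked[login] = word
                break
    return cracked, work


def pbkdf2_sha512_hex(password: str, salt: bytes, iterations: int = 210_000) -> str:
    """What a password store should do instead: a slow, salted KDF. Each guess
    now costs ~2*10^5 SHA-512 computations, so the dictionary attack above is
    five orders of magnitude more expensive per guess."""
    return hashlib.pbkdf2_hmac("sha512", password.encode(), salt, iterations).hex()


def guesses_per_second(hash_fn, seconds: float = 0.25) -> float:
    """Rough single-core guess rate for a hash function; machine-dependent and
    only used for the demo comparison below."""
    count, start = 0, time.perf_counter()
    while time.perf_counter() - start < seconds:
        hash_fn("candidate-guess")
        count += 1
    return count / (time.perf_counter() - start)


if __name__ == "__main__":
    cracked, work = crack_unsalted(UNSALTED_DUMP, WORDLIST)
    print(f"unsalted: cracked {cracked} with {work} hashes")
    cracked, work = crack_salted(SALTED_DUMP, WORDLIST)
    print(f"salted:   cracked {cracked} with {work} hashes")
    fast = guesses_per_second(sha512_hex)
    slow = guesses_per_second(lambda pw: pbkdf2_sha512_hex(pw, b"demo-salt"))
    print(f"SHA-512: ~{fast:,.0f} guesses/s  PBKDF2-SHA512: ~{slow:,.1f} guesses/s")
```

The two weak passwords fall to a six-word list in both variants; the salt only changes how the cost scales with the number of accounts, not whether a fast hash protects a reused password. This is why a leak of "hashed" credentials still drives the credential-stuffing risk the commentators below describe, and why the defensive fix is a slow, salted KDF plus MFA rather than hashing alone.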
Expert Commentary on the Pixlr Data Exposure
Nathanael Coffing is CSO at Cloudentity.
“With hundreds of thousands of user emails and login credentials exposed in this breach, users are at great risk of credential stuffing and/or phishing attacks. It doesn’t take much for bad actors to cross-reference the compromised data with previously breached records and create accurate profiles of the breach victims. Hackers already have access to previously stolen data on the dark web, which allows them to easily weaponize this free information for their own malicious gain and target users’ financial or healthcare information.
To avoid future database breaches of a similar nature, organizations need to implement strong methods of secure authorization for all users. To ensure sensitive information is safeguarded, enterprises must implement continuous contextual, fine-grained authorization on the API level, in addition to multi-factor authentication (MFA). By taking these proactive measures to authenticate users and protect their data, organizations can avoid data breaches and the negative consequences that come along with them.”
Anurag Kahol is CTO at Bitglass.
“Now that millions of user records are circulating on a hacker forum, threat actors can easily leverage the information for highly targeted phishing attacks and identity theft. Additionally, it’s concerning that login credentials were included amongst the compromised information, particularly because reusing passwords across multiple accounts is a common and unsafe practice. This means that if a cyber-criminal gains access to a user’s password, she or he can potentially use it to gain access to other accounts belonging to that user across multiple services.
While end-users are encouraged to diversify passwords across their accounts, most are slow to change their habits, which has implications for enterprise cybersecurity. Consequently, organizations must proactively defend their data against leakage and authenticate their users to ensure that they are who they say they are. Organizations can enforce real-time authentication and access control as well as manage the sharing of data with external parties through robust and flexible solutions such as multi-factor authentication (MFA) and data loss prevention (DLP). With these solutions in place, companies can maintain full control over sensitive data, while ensuring the privacy and security of their users.”
Saryu Nayyar is CEO of Gurucul.
“While the revelation of details on almost two million Pixlr user accounts did not include financial information, it did include password hashes and enough information to be valuable for an attacker to launch carefully crafted spear-phishing attacks, or a cast-netting attack against the Pixlr user base.”
Robert Prigge is CEO of Jumio.
“Pixlr’s breach, which exposed usernames, email addresses, and hashed passwords, puts 1.9 million users at risk of being victimized for fraud. Cyber-criminals can use this breached user data to access accounts set up with this information (including banking portals, social media accounts, healthcare sites, and more). Simply resetting passwords is no longer an efficient method to keep user accounts safe. It’s time online businesses stop relying on usernames and passwords to protect accounts. Instead, organizations can implement a more secure alternative like biometric authentication (leveraging a person’s unique human traits to verify identity), which allows online organizations to confirm the authorized user is the one logging in and ensures their personal data is safe from malicious actors.”