It's a rare day that I'll mention a specific data breach...well, unless it's Equifax, Yahoo, or possibly the PlayStation Network. Ok, so it's not all that rare, but let's toss another one on the fire for good measure. Are you using MyFitnessPal? I am, and as of this past weekend I've been made aware that my data has been compromised. Again. Again again. Maybe again + 3. It's honestly hard to keep track at this point. Maybe I'll get another offer of a free year of credit monitoring. At this rate, I'll have enough years stocked up to last a lifetime.
But this one's big: 150 million usernames and passwords compromised. Remember the statistic on credential recycling? It's 73% these days. So let's do some extrapolation of data:
Based on US Census estimation data from 2017, the US population above age 18 is 252M. MyFitnessPal is only available to users ages 18 and up.
Total number of accounts compromised: 150M.
Assuming roughly half of the compromised users are US-based, that puts 30% of US adults at risk, and 73% of those users have recycled their credentials, or roughly 22% of adult users.
For every 5 employees in your organization, 1 has had their work credentials compromised through this latest attack. Oh, and the attack was in February, so those credentials have been sitting on the open market for over a month.
It's worth noting that MyFitnessPal strongly urged all users to immediately change their passwords, but they made no mention of "and if you've used those same credentials elsewhere..." So right now your 1 user in 5 might be changing their password on the system where they log their potato chips, but oblivious to the damage their credentials could be doing to your business. Because it just takes 1 compromised credential for an attacker to get a foothold.
With access to just one mailbox, an attacker can masquerade as a trusted internal sender, bypassing most anti-phishing technologies. And that's a best-case scenario. Once connected, the attackers have access to your corporate address book, which they can cross-reference with public credential lists to gain additional accesses, always probing to find more footholds and more access. Without the appropriate security controls in place, statistics say the bad guys will have access for 99 days before they're even noticed.
So let's go back to the crux of this guy: 1 user out of every 5 in your organization took the credentials you entrusted them to keep safe and used them to keep track of their gym resolutions, and now those credentials have been in the hands of attackers since around the time the treadmill started collecting dust.
Now, if you're an Azure Active Directory Premium user, you're probably not as concerned about the risk. With multi-factor authentication in place, those compromised credentials aren't worth a whole lot: your users will get a prompt when the bad guys try to log on. And if you've set up Azure AD Identity Protection, you already know whose credentials have been exposed because you're getting notified of the spurious logon requests. Cloud App Security customers are seeing those credential attempts against connected services.