Private details of 2.5 MILLION PlayStation and Xbox users are leaked in major hack that is only now being disclosed. The Guru reached out to several cybersecurity experts for their thoughts on this breach.
Robert Capps, VP of business development at NuData Security:
“The recently disclosed data theft from the unofficial PlayStation and Xbox forums is yet another example of the need for consumers to be wary of who they provide their information to, online. While this site is mostly used to distribute pirated copies of games, DVD’s and BluRays, consumers who use the forums need to make sure that they are vigilant. Keep alert to any phishing scams that may appear in email as a result of this hack, changing passwords on any site where the passwords or usernames used on these sites are used. This data is likely to be sold on the Dark Web and used for future cybercrime. It’s a good reminder to choose unique passwords on all sites that require registration.”
Kyle Wilhoit, senior security researcher at DomainTools:
“First, we have to keep in mind that this breach is not of the Playstation network or XBox Live network. This was a breach of two forums that accounted for 2.5 million accounts. This breach only occurred to players who also accessed the two breached forums, and it’s not clear if the breach included actual Playstation and Xbox account information. There are still a few things that need to be done to prevent more widespread damage. If you accessed these forums and re-used your passwords across multiple platforms, change your password. If you’re re-using your password in more than one place, don’t. If you’re not using two-factor authentication on everything possible, use it. (And yes, Playstation and Xbox networks and services have two-factor authentication support.)”
Lee Munson, security researcher at Comparitech.com:
“Leaving aside the ethical questions surrounding gaming websites with ‘ISO’ in their names, the recently publicised data loss at Xbox and PlayStation forums highlights both the frequency with which customer information is stolen and the tardiness of some sites in reporting such an occurrence.
“Depending on the nature of any personal information that has been taken, any potential damage will already have been done in the form of identity theft, further account compromise, phishing attacks or targeted scams.
“Therefore, the advice to change passwords, both on the forums in question and elsewhere, is sound but quite possibly too late.
“Moving forward, everyone should consider their password security, ensuring they never use the same credentials for more than a single site while also making them strong, i.e. long, not words found in a dictionary and consisting of numbers, letters and symbols.”
Jonathan Sander, VP of Product Strategy at Lieberman Software:
“Xbox and PSP users are going to be a pretty tech savvy bunch with accounts for many different services. As breach after breach has shown that using the same username and password for multiple sites is a bad idea, you would have to imagine this group would have gotten that message by now. When you see a dump of passwords hit a much less techy site, you can be sure that huge numbers of the victims are going to have to go around changing their credentials on the many sites where they foolishly used the same details over and over. If the Xbox and PSP crew haven’t learned that they can’t use the same email and password on every service by now, then likely it is game over for their personal data.”
Mark James, IT Security Specialist at ESET:
“Hacks like these are quite common where data has been stolen and the victims are only finding out months or even years later. Scams and phishing attacks will try and use the valuable data to entice even more information from the unsuspecting user; that info is tested, stored and often will be used for identity theft purposes. Quite often people using seemingly low security websites don’t enforce good password security because it’s not a financial target, but all data has a value and will be reused for other purposes. Every website should be treated as unique and require different passwords with a mix of usernames if possible.”
Javvad Malik, IT Security Advocate at AlienVault:
“Gaming forums have been a favoured target in recent months. Typically they have weaker security, so it is easier for attackers to gain access to the passwords. Attackers rely on the fact that most users will reuse the forum password on other sites.
While user education into the dangers of choosing easily-guessed, or re-using passwords should continue, companies need to evaluate all their digital assets equally from a security perspective. There is no such thing as a ‘low priority’ public site wherever a user account resides.
Secondly, these attacks highlight the importance of effective security monitoring controls that can help detect threats underway in a timely manner. In this day and age, discovering a breach over a year after the attack is an eternity.”
Paul Calatayud, CTO at FireMon:
“The recent hack and subsequent leak of personal information on the Xbox and PlayStation networks is a great reminder to continue to ensure that as a consumer you are aware of what information you are putting out there on various platforms. As a good practice, I always divide my personal information into three major areas with different degrees of expectations, controls, and password complexities for each tier. The three are: banking, e-mail, and social media.
The category names are not as important but within financial / banking:
– each website has a strong password unique to only that site with two factor whenever it’s offered. These accounts will not be accessed while on wifi networks or devices that I do not own.
E-mail: e-mail often is treated without full understanding of its importance; less for its content and more so because it often aids re-establishing trust in all your accounts via password reset workflows. For email you should have
– unique passwords
– two factor authentication
– forced HTTPS, so that it can be accessed over public wifi.
The last one is social media.
This is probably where I would put my Xbox or Sony account as far as treatment.
The point is to ensure when social media accounts are compromised, because it’s a matter of when not if, your upper tier accounts are not also compromised as many people will re-use passwords across their systems.”
Amichai Shulman, CTO and Co-Founder of Imperva:
“If there’s one thing we learned in 2016, it is that breaches can go undetected for years. Troves of data apparently compromised as long ago as 2012 popped up on the Dark Net in 2016, which likely means that at least some of this data has been circulating through the Dark Net for years. This latest revelation of the breached forums, ‘XBOX360 ISO’ and ‘PSP ISO’, from 2015 teaches us a couple of things:
Attackers are still ahead of enterprises, even the larger companies, when it comes to covering their tracks. The alleged breaches were only detected once the leaked information surfaced on the web.
In these mega breaches, time is still a factor. While the passwords were not leaked in clear text, the time between leakage and detection allowed the attackers, using modern computing power, to crack most of the passwords. If the enterprises had promptly detected the breaches a lot of the potential damage could have been avoided.
As discussed in our blog, we can expect these “ghost hacks” to continue to haunt us in 2017, and likely in even bigger numbers than we’ve seen so far (in terms of incidents, not in terms of records). While enterprises should attempt to avoid exfiltration of sensitive information, especially when the attack is entirely from remote sources, and while ideally we’d catch these attacks in real time, if we focus on “timely detection” where we identify the breach in a few days or even a month later, it is still better than three years.”
Resources:
http://blog.imperva.com/2016/12/3-trends-it-security-pros-need-to-think-about-going-into-2017-and-what-to-do-about-them-.html