The first group consists of actors who use the credential set to conduct broad, non-targeted attacks, attempting to gain access to social media and financial services with the leaked credentials. The second group takes its time and targets individuals, or the organizations they're associated with, in order to gain access to sensitive information and systems.
Don't blame the victim, but...
Many organizations alter the default Active Directory policies slightly, but this still leaves them with passwords of 7-12 characters that must contain one uppercase letter, one number, and one special character, plus a 90-day expiration window.
Yet, most of the passwords used today are based on patterns and guessable logic. The workforce is trained to create weak passwords from the start, because organizations implement password policies that result in easily guessed or cracked credentials.
"Typically organizations set a password complexity and selection policy that requires users to choose passwords comprising of multiple character sets, have some sort of minimal length, and some restrictions as it relates to expiration and reuse. Essentially this really doesn't solve anything, as it relates to the problem of an average person not wanting to remember too many passwords, which leads to password sharing across multiple services," Barak said.
"I think the most robust way to approach this particular issue is to employ multi-factor authentication on sensitive services, and I think this is especially true for services that are internet accessible, such as Outlook Web Access, VPN portal, your ERP systems, or similar sensitive services."
The point, Barak added, was to ensure that the exposure of a user's password wouldn't be enough to compromise their account.
Sadly, in many of the examples shared with Salted Hash, there was a direct relationship between the compromised organization and the leaked LinkedIn account data set - the username and password on LinkedIn were the exact combination needed to access the corporate network.
But even when there wasn't a direct relation, the information available from the LinkedIn list allowed some basic guesses that resulted in successful compromises. For example, if there was a mismatch with the network ID, altering it slightly to match public email addresses often worked (e.g. jsmith vs. john.smith).
Two-factor authentication wasn't a factor in any of the breach examples shared with Salted Hash. Again, this is because the compromised organizations didn't use such features.
GoToMyPC isn't the only service provider that's been targeted recently.
Earlier this month, TeamViewer users reported system compromises, and at least some of them admitted to reusing passwords. Last week, LogMeIn proactively reset accounts where it was determined a customer was recycling their LinkedIn password. On Tuesday, Carbonite reset all of their customers' passwords after detecting login attempts using recycled credentials.
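The proactive check that LogMeIn and Carbonite describe, verifying a leaked credential list against the organization's own password store and allowing for the network-ID mismatch noted earlier (jsmith vs. john.smith), can be done without ever storing the leaked passwords in the clear. The following is an added example, not code from the article or from any of the vendors named; it assumes a directory of salted PBKDF2 hashes and uses a constructed leak list and account set.

```python
import hashlib
import hmac
import os

def pbkdf2(password, salt, rounds=100_000):
    # Same hash the (assumed) directory uses; real stores may use bcrypt/Argon2.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, rounds)

def make_directory(accounts):
    """Builds the constructed sample store {network_id: (salt, hash)}.
    A real identity store already holds hashes, never cleartext."""
    return {uid: (salt, pbkdf2(pw, salt))
            for uid, pw in accounts.items()
            for salt in [os.urandom(16)]}

def candidate_ids(email):
    """Network IDs an organization may have issued for a leaked email address,
    e.g. john.smith@example.com -> john.smith, jsmith, johns."""
    local = email.split("@")[0].lower()
    parts = [p for p in local.replace("_", ".").split(".") if p]
    ids = {local}
    if len(parts) >= 2:
        first, last = parts[0], parts[-1]
        ids.update({f"{first}.{last}", f"{first[0]}{last}", f"{first}{last[0]}"})
    return ids

def accounts_to_reset(leak, directory):
    """leak: iterable of (email, leaked_password); directory: {id: (salt, hash)}.
    Returns the network IDs whose current password equals the leaked one,
    i.e. the accounts to force-reset and notify."""
    hits = set()
    for email, leaked_pw in leak:
        for uid in candidate_ids(email) & directory.keys():
            salt, stored = directory[uid]
            if hmac.compare_digest(pbkdf2(leaked_pw, salt), stored):
                hits.add(uid)
    return hits

# Constructed sample data: three corporate accounts and three leaked entries.
DIRECTORY = make_directory({
    "jsmith": "Summer2012!",    # reused password, different ID format
    "adoe": "N0tReused#77",     # different password, must not be flagged
    "bob.lee": "Winter2011!",   # exact ID and password match
})
LEAK = [
    ("john.smith@example.com", "Summer2012!"),
    ("alice.doe@example.com", "Password1"),
    ("bob.lee@example.com", "Winter2011!"),
]

if __name__ == "__main__":
    print(sorted(accounts_to_reset(LEAK, DIRECTORY)))  # ['bob.lee', 'jsmith']
```

Only accounts whose current password verifies against the leaked value are flagged, so the leak list itself can be discarded once the check has run.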