Hackergroup Gnosticplayers had done it again, their recent successful campaigns against 8 websites, namely: Strong Kingdoms, petflow, YouNow, Houzz, Roll20, ixigo, and Ge.tt. These attacks created a huge supply of user credentials that are now available for sale in the Dark Web. At a recent estimate, around 126 million accounts are being offered to Dark Web users using the Dream Marketplace platform (a blackmarket site in the Dark Web).
The accounts being sold are in bulk, per site and at a cheap price in comparison to the possibilities that the buyer can get by using the credentials for their own motives.
YouNow, a non-popular Youtube-like website hosts 40 million+ accounts. These accounts are now being offered in the Dream MarketPlace for $468. Coinmama, a cryptocurrency exchange site was another victim of gnosticplayers, and lost 486,297 accounts, mostly with hashed passwords. With the knowledge of gnosticplayers in the aspect of cryptography, the group claims that 70,000 of those entries now have their passwords cracked. Gnosticplayers demands $1248 for all 486,297 accounts.
Houzz is a community website for exploring home improvements, landscaping, interior designing/decorating and architecture. Hackers were able to steal its 57 million user accounts, and they are selling it for $10400, all-in. Roll20, a tabletop virtual game that first came into being, thanks to Kickstarter lost 4 million user accounts. Gnosticplayers is selling the stolen accounts for just $208. Ixigo, a popular India-based e-booking site lost 18 million accounts. Aside from the accounts, it lost around 7.23GB of data due to the cyber attacks initiated by Gnosticplayers. All its 18 million accounts are being sold for $936.
Ge.tt, a Danish file sharing platform lost 1.83 million user credentials due to a data breach, which includes Facebook and Twitter login information. Though the data breached happened in 2017, gnosticplayers is selling all 1.83 million accounts for a cheap price of $572. Security errors can happen to even the most secure sites on the web. What is important is prevention, as the longterm issue of becoming a victim to a data breach is the lost of customer-confidence. Such loss can bring the business to a standstill, if not complete exit from the market.
There are various types of security problems caused by internal errors, such as human error, which hackers take advantage of. How can this be prevented by company policies?
- Tell people why the rules are needed
Even though people know the existence of the rules and have an environment in which people can protect them, people will not have to keep them separately. “This rule is meaningless.“ There are cases where the rules cannot be observed due to the misunderstanding and low awareness of the site personnel, such as “a degree of violation of the rules is all right”. In such a case, people require security training after joining the company, or provide training to employees who have joined the company after a certain period, and why not that rule is necessary or not. The company needs certain rules to educate them again about possible problems and motivate them to keep the rules.
- Make the rules known
In the case of human errors that occur because people in the field do not know the rules, it is necessary to educate them to disseminate the rules. If people do not know the existence of the rules, they cannot be protected. First of all, it is necessary to clarify in what circumstances, what should or should not be done, and to make it known to all the concerned parties so that the rules can be passed on. In addition, it is also important to check regularly whether the employee is following it so that the rules do not become irrelevant.
- Create an environment that enable people to easily follow the rules
However, no matter how well known, it is impossible to completely prevent mistakes. If people know the rules and they are willing to keep them, but they can not perform the tasks according to the rules, there may be a problem with the environment. For example, in an environment where the amount of work is excessive and it is necessary to take work home at home, or work must be carried out in a short time, “Don’t take out data including personal information outside”, “sending mail” even if there is a rule to “confirm before”, isn’t it difficult to keep it? In such a case, it will be necessary to reconsider whether it is an environment where the business can proceed according to the rules.
However, even if rules are thoroughly shared, it is not possible to prevent mistakes 100% because humans handle information. Therefore, what is needed is the introduction of tools to prevent information leaks, such as the introduction of erroneous transmission prevention software and management of access to databases. By organizing the tools, it is possible to prevent information leakage even if a human error occurs. Measures to prevent information leakage do not mean “If you take one measure, that’s fine“. It is essential to multilaterally implement what can be done to prevent mistakes and problems that may occur in various situations.