In the past month, hackers have taken over the Twitter accounts of Facebook Inc. Chief Executive Mark Zuckerberg, Google CEO Sundar Pichai—and Twitter Inc.’s own CEO, Jack Dorsey.
Behind the scenes, security teams at every major technology company—and many smaller firms, too—are scrambling to protect others from the same fate.
Some of the executives apparently reused passwords that had been stolen in earlier hacks of LinkedIn, Myspace and other sites; others may have fallen victim to software that uses the old passwords to guess new ones.
Nearly two billion old passwords can be viewed for as little as $2 apiece at a database called LeakedSource, run by anonymous operators. Investigators say 1% to 8% of the LinkedIn usernames and passwords will work on other services, giving hackers a way to take over accounts elsewhere. LinkedIn, meanwhile, reset its own users’ passwords and fixed a security hole that had allowed data to be stolen in 2012. The company is in the process of being acquired by Microsoft, a $26.2 billion deal that’s expected to close by year’s end.
Hacking creates a dilemma for operators of other popular consumer web services. They can require all users to change their passwords, and risk losing some users. If they don’t force password changes, users’ accounts could be hacked.
“If they change passwords for their users, no matter how well they explain it, the perception may be completely off,” said Alex Holden, the founder and chief information security officer of Hold Security LLC, which helps companies spot stolen credentials on hacking sites. “If even 0.1% of these users panic and they have to call customer service in one day, it creates a nightmare.”
Carbonite Inc., which offers online backup services, chose to reset passwords for each of its 1.5 million users. The company also analyzed the hacked data and required customers whose credentials appeared in the database to confirm their identities in order to access their accounts.
Carbonite moved decisively because of the serious consequences of a compromise, said Norman Guadagno, Carbonite’s senior vice president of marketing. “When you have a Carbonite account—or any backup service—and you have the username or password to that account, you have access to everything,” he said.
Twitter, Facebook, Yahoo Inc. and others chose a different course. Instead of resetting all passwords, they analyzed the stolen credentials and then urged or forced affected users to reset their passwords.
Combing through the data is time-consuming. Yahoo has one billion users. Its security team began examining the LinkedIn database on May 18. Some of the account names and passwords were encrypted. Yahoo staffers had to decode the names and passwords and look for matches with Yahoo’s users.
Eight days later, on May 26, Yahoo emailed notes out to an undisclosed number of affected users, telling them to reset their passwords.
“There is a huge amount of frantic activity happening in consumer businesses to keep our users safe,” Alex Stamos, Facebook’s chief security officer, told a White House cybersecurity commission at a hearing in Berkeley, Calif., in June.
One pitfall of this approach: Users may ignore messages to reset their passwords. Amazon.com Inc. Chief Technology Officer Werner Vogels lost control of his Bitly Inc. link-shortening account after ignoring a password-reset message, he confirmed in a Twitter message.
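The defender-side workflow the article describes, matching a leaked dump against a service's own user list to decide who to notify, and then catching the reused password at login for users who ignore the notice, looks roughly like the following. This is an added example, not code from Yahoo, Carbonite or any company named here. The dump format (one `email:secret` per line, where the secret is either a plaintext password or an unsalted SHA-1 hash) and the sample entries are constructed assumptions; the article does not say which hash algorithm the leaked data used.

```python
"""Match a leaked credential dump against a service's own users.

Two defender-side checks:
  1. users_in_dump(): which of our users appear in the dump, so they can
     be sent a reset notice.
  2. password_matches_leak(): at login or password change, is the
     password the user presents the same one that leaked for that email?
     Only the submitted password is hashed; nothing in the dump is cracked.
"""
import hashlib
import re

# Constructed sample dump (not real data). Unsalted SHA-1 is an assumption
# made for this example; the article does not name the hash used.
LEAKED_DUMP = """\
Alice@Example.com:5baa61e4c9b93f3f0682250b6cf8331b7ee68fd8
bob@example.com:123456
dave@other.org:correct horse battery staple
# a malformed line like the next one is skipped
nocolonhere
"""

HEX_SHA1 = re.compile(r"^[0-9a-f]{40}$")


def normalize_email(email):
    # Dumps mix case and whitespace; compare on a canonical form.
    return email.strip().lower()


def sha1_hex(password):
    return hashlib.sha1(password.encode("utf-8")).hexdigest()


def parse_dump(text):
    """Return {email: set(sha1_hex)}.

    Plaintext entries are hashed on the way in so every entry is compared
    in one form. Caveat: a plaintext password that happens to be exactly
    40 hex characters would be misclassified as a hash.
    """
    leaked = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or ":" not in line:
            continue
        email, secret = line.split(":", 1)
        secret = secret.strip()
        lowered = secret.lower()
        digest = lowered if HEX_SHA1.match(lowered) else sha1_hex(secret)
        leaked.setdefault(normalize_email(email), set()).add(digest)
    return leaked


def users_in_dump(leaked, our_users):
    """Users whose email appears in the dump: candidates for a reset notice."""
    return sorted(u for u in our_users if normalize_email(u) in leaked)


def password_matches_leak(leaked, email, password):
    """Login-time check that does not depend on the user reading an email:
    True when the presented password equals one that leaked for this email,
    in which case the service should force a reset before granting access."""
    return sha1_hex(password) in leaked.get(normalize_email(email), set())


if __name__ == "__main__":
    leaked = parse_dump(LEAKED_DUMP)
    print(users_in_dump(leaked, ["alice@example.com", "bob@example.com",
                                 "carol@example.com"]))
    print(password_matches_leak(leaked, "alice@example.com", "password"))
```

The match is keyed on email, not on the service's own stored password hash: a service that stores salted, slow hashes cannot compare them with an unsalted dump offline, so the reuse check has to happen at the moment the user presents the password.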
The Twitter account of Brendan Iribe, chief executive of Facebook’s Oculus virtual-reality unit, was ripe for the taking because he’d reused an old Myspace password, said “Lid,” the hacker who claimed to have taken over Mr. Iribe’s account for a few hours last month. Lid sent out several unauthorized Twitter messages, including one proclaiming himself the new Oculus CEO. Lid declined to provide his real name.
Large databases of usernames and passwords periodically become available on black-market websites. In the past few months, however, “the abuse of the data seems to be on the rise,” said Bob Lord, Yahoo’s chief information security officer.
The high-profile Twitter users typically regained control of their accounts within hours, causing them little damage beyond embarrassment. But security professionals say reusing passwords can expose corporate networks or the growing number of corporate online services.
Corporations tell employees not to reuse their corporate passwords on services such as LinkedIn or Myspace, but it is impossible for them to check whether this is happening. That is worrying, said Cormac Herley, a researcher with Microsoft Corp. “It could be that some third party has a breach and I’m essentially hostage to whether my employees reused passwords,” he said.