July started with a wave of scary-sounding headlines. “Two billion records exposed in a data breach!” and “Smart home vendor leaks billions of records!” Sounds intense, right? In fact, it’s a recurring story. Large data breaches happen regularly, and the media get flooded with numbers too colossal to imagine and terms too complicated to grasp. We’re here to help you sort through the sensational news and learn to properly understand data breach announcements.
Let’s analyze a significant data incident that took place in July, and find out where we should place it on the spectrum of the largest recent data breaches.
The Orvibo “2 billion records data breach”: What happened?
If you haven’t yet heard about this major breach, here it is:
A cybersecurity research team discovered an unprotected database online. The database included more than two billion records and belonged to Orvibo, a Chinese company selling smart home products, including smart locks, cameras, and more. Though the researchers contacted Orvibo as early as June 16th, the database remained open until July 2nd. So, for over two weeks, the enormous collection of data could be found and abused by cybercriminals. However, it is currently unknown whether any unlawful use has actually happened.
Perhaps most importantly, we need to understand that the number of records included in a breach doesn’t correspond to the number of affected users. A record is a line of data in a database, and a single user can account for many records. Within this data breach, it is hard to define how many users are involved. However, the researchers report that Orvibo has around a million users, including individuals and businesses. By this measure, this recent incident is much smaller in scale than some of the biggest data breaches, which affected hundreds of millions or even billions of users.
Yet, what is truly unnerving about the Orvibo data breach is the kind of information that was exposed. The open database included shockingly detailed records like:
- Email addresses
- Account reset codes
- IP addresses
- Family names
- User IDs
- Family IDs
- Active smart devices
- Account access by device
- Scheduling information
These are personally sensitive pieces of data. With reset codes, the attackers could have hijacked users’ accounts to control their smart devices. Knowing the contact details of users and their geolocation, cybercriminals could have robbed or blackmailed the data breach victims. Even though there’s no evidence that this data has landed in the wrong hands, it’s hard to sleep tight when someone may have the keys to control your smart home.
How to evaluate the real severity of a data breach
Data incidents happen with enormous frequency: 72 records are lost or stolen every second. The scale of 2018 data breaches proves that hardly anyone is safeguarded from them. We see breach announcements daily, but how should we read them correctly? What should we focus on to comprehend how dangerous any given incident actually is?
The number of affected accounts
When reading about a data breach, be sure to note what the numbers refer to:
- “Records” indicate lines of data in a database
- “Accounts” (or username and password pairs) indicate affected users, though some might have multiple accounts
Naturally, the more accounts that are compromised, the higher the risk for any given user. For example, the largest data breach so far—the one disclosed by Yahoo in 2017—affected over 3 billion users, which was comparable to 40% of the global population at the time.
The sensitivity of the exposed data
Exposed records may include either sensitive information, such as usernames and passwords, or publicly available data, such as lists of countries, cities, shop addresses, and more. When judging the seriousness of a certain data breach, you should note whether sensitive records were disclosed, including the following information:
- Login data pairs, including passwords and email addresses or usernames
- Phone numbers
- Addresses or location coordinates
- Credit or debit card details
- Social Security numbers
- Private messages
Even a huge data breach is not that terrible if the attackers can’t do much harm with the stolen data. For instance, if a list of emails is exposed, it can be used for spamming. It’s unpleasant but not as bad as when a whole set of your personal data falls into the hands of a thief. By comparison, if someone steals your identity using your name, birth date, and Social Security number, they can inflict significant financial damage on you.
The way the data was stored
At times, you may read that compromised passwords were stored “in plain text” or that they were “hashed.” What does this mean? Keeping passwords in plain text is a terrible security practice. Basically, plain text passwords are “ready to use” if stolen. A better idea is to hash them. “To hash” information means to transform it into a fixed-length string of characters using a certain algorithm. If a reliable algorithm is used, it’s practically impossible for a hacker to reverse the transformation and reveal the initial password.
In articles on data breaches, you can find various abbreviations for hashing algorithms. Here are the most widespread of them:
- MD4 and MD5 are considered weak algorithms. Unfortunately, Orvibo used MD5 to hash the passwords.
- SHA1 and SHA2 (including SHA-224, SHA-256, SHA-384, and SHA-512 versions) are generally stronger algorithms.
Yet, with all the popular algorithms it’s possible to recover the original passwords using so-called rainbow tables. These tables contain the most widely used passwords and their precomputed hashes, so a stolen hash can simply be looked up. To defeat such lookups, database owners can “salt” the hashes: add random data to each password before hashing it, so that the same password no longer produces the same hash for every user.
In the Orvibo case, the hashes were not salted, which makes their password protection rather ineffective. Unfortunately, you can’t always easily learn how certain companies store your data. Thus, you have to take your security into your own hands. As you can see, if you use unique, long, and complex passwords, you greatly reduce your risk of account theft.
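To make the difference concrete, here is an added example (not code from the article or from Orvibo) that stores the same constructed set of passwords two ways: unsalted MD5, as the article says Orvibo did, and a per-user random salt with PBKDF2-SHA256, which adds iteration stretching on top of the plain salting described above. A tiny constructed lookup of common passwords stands in for a rainbow table, and the comparison shows why it recovers unsalted hashes but not salted ones.

```python
import hashlib
import hmac
import os
from typing import Dict, Optional, Tuple

# Constructed sample users; alice and bob happen to share a weak password.
USERS = {"alice": "password", "bob": "password", "carol": "Tr0ub4dor&3"}

# Constructed stand-in for a rainbow table: precomputed unsalted MD5 digests
# of a few very common passwords, keyed by digest.
COMMON_PASSWORDS = ["123456", "password", "qwerty", "letmein"]
MD5_LOOKUP = {hashlib.md5(p.encode()).hexdigest(): p for p in COMMON_PASSWORDS}


def md5_unsalted(password: str) -> str:
    """The weak scheme from the article: a single MD5 digest, no salt."""
    return hashlib.md5(password.encode()).hexdigest()


def lookup_unsalted(digest: str) -> Optional[str]:
    """Table lookup of a stored digest; succeeds only because there is no salt."""
    return MD5_LOOKUP.get(digest)


def salted_hash(password: str, salt: Optional[bytes] = None,
                rounds: int = 200_000) -> Tuple[bytes, str]:
    """Salted storage: a fresh 16-byte random salt per user, then PBKDF2-SHA256.
    The round count is an assumed default; it slows guessing but is not
    needed for the salt itself to defeat precomputed tables."""
    if salt is None:
        salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, rounds).hex()
    return salt, digest


def verify_salted(password: str, salt: bytes, stored_digest: str) -> bool:
    """Recompute with the stored salt and compare in constant time."""
    _, digest = salted_hash(password, salt)
    return hmac.compare_digest(digest, stored_digest)


def compare_schemes() -> Dict[str, object]:
    """Store every user both ways and report what the lookup table recovers."""
    unsalted = {u: md5_unsalted(p) for u, p in USERS.items()}
    salted = {u: salted_hash(p) for u, p in USERS.items()}
    return {
        "same_md5_for_alice_and_bob": unsalted["alice"] == unsalted["bob"],
        "same_salted_for_alice_and_bob": salted["alice"][1] == salted["bob"][1],
        "recovered_from_unsalted": {u: lookup_unsalted(d) for u, d in unsalted.items()},
        "any_salted_digest_in_table": any(d in MD5_LOOKUP for _, d in salted.values()),
    }
```

Unsalted, alice and bob get identical digests and both are recovered by the table; salted, every user gets a different digest and none of them appears in the table.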
Another relevant tool that the MacKeeper team offers you is ID Theft Guard. If you set up your account and add your email address, ID Theft Guard will regularly check all your associated accounts for appearances in data breaches. If any private account data linked to your email address is made public, you’ll get immediate alerts. This way, you’ll be able to react quickly to protect all your other accounts from hacking and fraud.