Picture this: You get an email from your bank. They tell you that there’s been an increase in compromised accounts. Out of an abundance of caution, they tell you to follow a link to their site and make the requested change.
Did you click the link? After all, the email was from your bank. It had the right letterhead and images, and they were reaching out to you about hackers. Plus, they had way too much information to be some fly-by-night criminal with a phishing scam. If you followed the advice of this reasonable-seeming email, you might have just given away the keys to the kingdom.
Wait…how? You might have heard that the password manager LastPass recently had a major breach. You might not know that this week we learned that nearly all active Twitter accounts had their associated email addresses and follower counts leaked. This will allow attackers to identify private Twitter accounts. Some versions of the leak also include phone numbers.
Alone, either one of these breaches is bad: Together, there’s tremendous potential for trouble. The Twitter leak contained 200M+ account details. Luckily, no passwords have been leaked. That’s where the good news stops. The details from the Twitter leak combined with those stolen in the LastPass breach give hackers a lot of information that they can use to craft communications that seem legitimate.
Back to that email from your bank: Hackers can cross-check information between the two leaks and learn things like who you bank with. Now they don’t have to send a generic message. They can copy the style and language that your bank uses in its emails. The more information they have about you, the easier it is to fool you.
The perfect storm: We expect to see a huge increase in phishing attempts, social engineering, and even MFA attacks such as SIM swapping.
What to do: More than ever, it is important to keep a close eye on your organization’s accounts as well as your clients. It is likely that we will see more hacking groups launching targeted, sophisticated attacks using your personal information.
Twitter recommends that all users configure MFA, but we want to make sure you are aware of the risk your users could experience.
Protect yourself and your organization: Be on the lookout for sketchy emails, communications, or anything amiss with your accounts. As with the LastPass breach, we would like to remind you to do the following:
- Regularly rotate your passwords
- Check for password re-use across your sites & services
- Enable MFA on everything
- Warn your users of an increased risk of phishing
- Pay careful attention to your accounts for breaches and suspicious activity
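The "sketchy email" above has a tell that users and mail filters can check for: the link text shows the bank's address, but the link actually points somewhere else. The following script is an added example, not code from the original post or from any of the companies it mentions. It parses a constructed sample message (not a real email), extracts every link, and flags any whose target host is not on an assumed allow-list of trusted bank domains (`TRUSTED_DOMAINS` is an assumption) or whose visible text shows a different address than the one it points to. The `registrable_domain` helper is a deliberately crude approximation that takes the last two labels of a hostname; a production filter would use the Public Suffix List.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Assumed allow-list of the bank's legitimate domains (placeholder, not a real bank).
TRUSTED_DOMAINS = {"examplebank.example"}

# Constructed sample HTML body, not a real email. The first link's visible text names
# the bank, but its href points to an attacker-controlled host; the second is legitimate.
SAMPLE_EMAIL = """\
<html><body>
<p>We have seen an increase in compromised accounts.</p>
<p>Please visit <a href="https://examplebank.example.attacker-domain.example/login">
https://www.examplebank.example/login</a> to update your password.</p>
<p>Or use our <a href="https://www.examplebank.example/help">help centre</a>.</p>
</body></html>
"""


class LinkExtractor(HTMLParser):
    """Collect (href, visible text) pairs from every <a> tag in an HTML body."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None   # href of the anchor currently being read, if any
        self._text = []     # text fragments seen inside that anchor

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href")
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def registrable_domain(host):
    """Crude approximation: the last two labels of the host name.
    A real implementation would consult the Public Suffix List."""
    parts = host.lower().rstrip(".").split(".")
    return ".".join(parts[-2:]) if len(parts) >= 2 else host.lower()


def is_trusted(host, trusted=TRUSTED_DOMAINS):
    """True if the host belongs to one of the allow-listed domains."""
    return registrable_domain(host) in trusted


def find_suspicious_links(html_body, trusted=TRUSTED_DOMAINS):
    """Return a list of findings, one per link that fails either check:
    1. the link target is not on the trusted allow-list;
    2. the visible text looks like a URL whose host differs from the target host."""
    parser = LinkExtractor()
    parser.feed(html_body)
    findings = []
    for href, text in parser.links:
        reasons = []
        href_host = urlparse(href).hostname or ""
        if not is_trusted(href_host, trusted):
            reasons.append(f"link target {href_host!r} is not a trusted domain")
        shown = re.match(r"https?://([^/\s]+)", text)
        if shown and registrable_domain(shown.group(1)) != registrable_domain(href_host):
            reasons.append(
                f"visible text shows {shown.group(1)!r} but target is {href_host!r}")
        if reasons:
            findings.append({"href": href, "text": text, "reasons": reasons})
    return findings


if __name__ == "__main__":
    for finding in find_suspicious_links(SAMPLE_EMAIL):
        print(f"SUSPICIOUS: {finding['text']!r} -> {finding['href']}")
        for reason in finding["reasons"]:
            print(f"  - {reason}")
```

Running it flags only the first link, for both reasons: the target host is outside the allow-list, and the address the user sees does not match the address they would be taken to. The second check matters even without an allow-list, since a mismatch between displayed and actual address is a warning sign regardless of which bank is being imitated.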