World Password Day falls on the first Thursday in May. (Proving there really is a day for everything?) The point of this day is to improve and promote better password habits – and of course, on actual World Password Day, Twitter announces that the passwords all of its 330 million accounts may have been compromised.
In general, I’m not a fan of these cybersecurity “holidays” because they are mostly preaching to the choir, to the folks who are already security aware and recognize the threats of password insecurity. However, this year, the Twitter password leak reminds us that password management is going to play a huge role in GDPR, which is the real big security event in May this year.
The leak of the Twitter passwords shows how lazy both organization and users are about password management, and we know that password loss could lead to an even bigger data breach. If the password is your only form of authentication, sensitive material on your network is at risk, as Mike Banic, vice president of Marketing at Vectra, told me in an email comment:
Twitter is one of many web-based and mobile applications that do not require dual-factor authentication as the default. The breach of data from the Office of Personnel Management started with the cyber-attackers using stolen credentials to pose as a legitimate employee of an OPM contractor performing background investigations, Keypoint Government Solutions, and the stolen credentials did not require two-factor authentication.
And speaking of passwords and GDPR, the cybercriminals are taking advantage of this last-minute rush of information regarding changes to privacy. They are attempting to trick consumers into handing over passwords and credit card details by taking advantage of the flood of emails being sent out ahead of GDPR’s implementation. You probably noticed a slew of legitimate emails arriving in your inbox to alert you to these changes and in some cases, they are requiring you to take action to stay active with the site or application. Not surprisingly, the bad guys see this as an excellent way to do some phishing, as the average person has no idea why they are seeing these messages in the first place (my Facebook feed has seen a lot of questions about the emails). As Tim Helming, director of product management at DomainTools, told me in an email comment:
Cybercriminals are just as attentive as the rest of us to the news, and GDPR has been difficult to escape for the last year. As consumers receive more and more legitimate emails from brands engaging with best practices in advance of GDPR, it only follows as logical (and somewhat ironic) that scammers would take advantage of this. Phishers thrive on a lack of caution from their targets, so masking a scam as part of a legitimate flurry of emails comes as no surprise.
Sue Marquette Poremba has been writing about network security since 2008. In addition to her coverage of security issues for IT Business Edge, her security articles have been published at various sites such as Forbes, Midsize Insider and Tom's Guide. You can reach Sue via Twitter: @sueporemba