Two Breaches That Remind Us of the Importance of Password Protection
By now, most of us realize the importance of having a password, right?
Not so fast.
As it turns out, two recent data breaches could have been prevented if two notable organizations would have used a password—preferably a strong one—but in these instances, any password would have helped.
The Weight Watchers Breach
Earlier this week, dozens of servers containing Weight Watcher’s data were left exposed after the company failed to password protect its software. The company who spotted the vulnerability, Kromtech, is also renowned for unearthing more than 560 million passwords in an unrelated data breach last year.
While Weight Watchers has gone on record stating that none of the information exposed was sensitive or personally identifiable, Kromtech is skeptical.
According to Gizmodo, a spokesperson from Kromtech says, “We absolutely think it was a production account,” which would’ve provided access to the company’s internal IT infrastructure, like AWS access keys, pod specifications, and several dozen S3 buckets holding the company’s data. The Amazon S3 buckets used by the company may have included logs, passwords, and private encryption keys.
How the breach happened
It is believed that Weight Watchers forgot to set a password for the administration console of one of its Kubernetes instances, which granted anyone knowing where to look (port 10250) access to servers without the need to enter a username and password.
Though the event is troublesome, Weight Watchers is certainly not the first company to be caught in a vulnerable state.
And, another recent breach should be highlighted.
The T-Mobile Data Breach
Last month, T-Mobile experienced a similar issue that left their customer data easily accessible.
According to ZDNet, the wireless provider was storing its customers’ personal data on a website that lacked password protection. It is also believed that customer data was left vulnerable for months before being discovered.
According to ZDNet, the bug T-Mobile fell victim to let anyone access the personal account details of any customer with just their cell phone number.
The flaw has since been fixed but while vulnerable, customer’s full names, postal addresses, billing account numbers were exposed. In some cases, information about tax identification numbers, and references to account PINs were visible as well.
T-Mobile experienced a nearly identical issue last year, which has raised red flags about the companies technical infrastructure.
How can you protect yourself?
If you’re a customer of either of these companies, be proactive. It is worth changing your passwords and checking in on all of your personal information with urgency.
- Are there any discrepancies on your credit report?
- Any banking information that seems off?
- Any strange logins on your internet accounts?
It’s better to be safe than sorry.
Not having a password is problematic. But, having an insecure password can be problematic, too.
Let us help you create strong, secure passwords so that your company and personal information is safe.