Criminal hackers took responsibility for a recent FastCompany breach, saying they exploited an easily guessed default password, “pizza123.” The business magazine reused the weak password across a dozen WordPress accounts, according to the hackers, who described the attack in their own article on FastCompany.com before the publication took the site down.
The breach, the bitter taste of pizza123, and the threat of malicious push notifications all demand caution when selecting and managing passwords.
The FastCompany breach overview
The hackers claimed to have used the vulnerable password pizza123 to access authentication tokens, Apple News API keys, and Amazon Simple Email Service (SES) tokens. Then they sent offensive push notifications to the home screens of subscribers of the FastCompany channel on the Apple News service.
Apple disabled the FastCompany news channel account in response to the push notifications. FastCompany apologized to the public and took its site down.
FastCompany tweeted that the publication hired a leading global cybersecurity firm to respond to the breach. They are investigating the breach, and the FastCompany site is back online.
Public relations ramifications of push notification attacks
After decades of investment in sculpting the organization’s brand image, a business can watch its reputation flounder in the face of an obscene push notification. The sentiment of millions of faithful customers can turn sour in an instant. By the time organizations block the messages and make public apologies, the harm is done.
Customers can swap to a competitor, or even sue for the offense when they have entrusted a publisher to provide safe content. Regulatory bodies can fine organizations. The company can spend time and money defending itself in court and restoring its image.
But malicious push notifications can do a lot worse than offend customers—criminal hackers can load messages with malware and infect consumer devices, leading to privacy violations and consumer financial fraud.
The problem with “pizza123”-type passwords
People often build passwords using the first word that comes to mind and a brief series of numbers. Pizza123 is a perfect example of an easy-to-guess password.
Employees often create passwords that already appear on breached-password lists. Criminal hackers use brute force attacks to confirm working passwords from those same lists.
Nearly two-thirds of employees reuse their passwords. The more they reuse them across business and personal accounts, the more likely criminal hackers will breach them and test them on the organization. Hackers know to try the same passwords on different companies they hack because of password reuse.
Creating a custom password policy helps block weak passwords
Robust password management enables fine-grained password policies and policy customization. With a custom password policy, organizations can raise complexity requirements, such as a minimum length and a minimum change from the previous password. A custom password policy with increased complexity requirements will block 95% of weak and breached passwords.
Password length is a particularly critical component of strong passwords. Ninety-three percent of the passwords used in brute force attacks include eight or more characters. A custom password policy can require a minimum password length, increasing password entropy.
The importance of password hygiene
Passphrases, typically strings of words totaling 20 characters or more, give very high bit-strength passwords that users find easy to remember. Organizations can use a custom password policy to prefer passphrases for employees within groups or across the organization.
Password management enables organizations to customize fine-grained password policies. Yet 54% of organizations don’t have a tool to manage work passwords. It’s essential to enforce strong passwords in the face of a dynamic attack surface and burgeoning password breaches.
Password hygiene audits ensure the organization removes weak and compromised passwords and replaces them with known-good passwords that meet stringent policies.
Specops Breached Password Protection
Specops Breached Password Protection compares the organization’s Active Directory passwords with over two billion breached passwords, including those in active use in password-spraying attacks. Breached Password Protection continuously updates the list of compromised passwords for immediate protection.
With every Active Directory password change, Breached Password Protection blocks passwords on the breach list, so users can’t adopt compromised passwords. Breached Password Protection notifies the user when it rejects a password so they can use a different one.
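To make the policy rules concrete, here is an added example (not Specops code and not from the original article) of a password-change check that applies the controls discussed above: a minimum length, a minimum change from the previous password, a passphrase exemption, and a lookup against a breached-password list. The list contents, the thresholds, and the function names are constructed for illustration.

```python
import hashlib
from typing import List

# Constructed sample of a breached-password list (a real deployment would use a
# continuously updated feed). Stored as SHA-1 digests so the clear text never
# sits in the policy store; "pizza123" is included because the article names it.
BREACHED_SHA1 = {
    hashlib.sha1(p.encode()).hexdigest()
    for p in ["pizza123", "password1", "Welcome2022", "Summer2023!"]
}

MIN_LENGTH = 12           # assumed policy value
MIN_CHANGED_CHARS = 4     # assumed: characters that must differ from the old password
PASSPHRASE_MIN_WORDS = 3  # assumed: word count that qualifies as a passphrase


def is_passphrase(candidate: str) -> bool:
    """A passphrase here is several words (space or hyphen separated) of 20+ chars total."""
    words = [w for w in candidate.replace("-", " ").split() if w]
    return len(words) >= PASSPHRASE_MIN_WORDS and len(candidate) >= 20


def chars_changed(old: str, new: str) -> int:
    """Positions that differ from the old password, plus any length difference."""
    diffs = sum(1 for a, b in zip(old, new) if a != b)
    return diffs + abs(len(old) - len(new))


def check_password(candidate: str, previous: str = "") -> List[str]:
    """Return the list of policy violations; an empty list means the password is accepted."""
    problems = []
    if hashlib.sha1(candidate.encode()).hexdigest() in BREACHED_SHA1:
        problems.append("appears on the breached-password list")
    if previous and chars_changed(previous, candidate) < MIN_CHANGED_CHARS:
        problems.append(f"differs from the previous password in fewer than {MIN_CHANGED_CHARS} characters")
    # Passphrases are exempt from the length and character-class rules,
    # but never from the breach check or the minimum-change rule above.
    if is_passphrase(candidate):
        return problems
    if len(candidate) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    classes = [any(c.islower() for c in candidate), any(c.isupper() for c in candidate),
               any(c.isdigit() for c in candidate), any(not c.isalnum() for c in candidate)]
    if sum(classes) < 3:
        problems.append("uses fewer than 3 character classes")
    return problems
```

The user-facing message is the list of reasons, so a rejected user learns why the password failed and can pick a different one, as the article describes.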
Sponsored and written by Specops