In the middle of July, private sector researchers revealed that they had detected a series of stealthy “slow and low” brute force credential-guessing efforts against a variety of organizational Microsoft Office 365 accounts. Probably using passwords harvested during other breaches, and assuming that their prospective victims had not changed them in the interim, the hackers sought to guess the associated usernames of senior employees at the affected organizations. During a period of approximately six months, the attackers conducted over 100,000 login attempts originating from 67 Internet Protocol addresses.
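As an added example (not code from the original post or from any product it describes), the following Python snippet shows how a defender would hunt for the "slow and low" pattern described above: rather than counting failures per source IP, which the attackers stayed under by spreading attempts across dozens of addresses over months, it counts distinct source addresses per target account inside a long sliding window. The log format, account names, IP addresses and thresholds are all constructed assumptions for illustration.

```python
"""Detect low-and-slow credential guessing in sign-in records.

Added example, not part of the original post. The record format
(timestamp, user, source IP, outcome) and the thresholds are assumptions.
"""
from collections import Counter, defaultdict
from datetime import datetime, timedelta

# Constructed sample sign-in records (not real data). One account is probed
# once from each of six different addresses over ten days; another account
# has two quick failures and a success from a single address (a typo).
SAMPLE_LOG = """\
2018-01-03T02:14:09Z cfo@example.org 203.0.113.10 FAIL
2018-01-03T09:41:52Z cfo@example.org 198.51.100.7 FAIL
2018-01-05T22:05:11Z cfo@example.org 203.0.113.44 FAIL
2018-01-09T04:30:00Z cfo@example.org 198.51.100.99 FAIL
2018-01-12T13:12:45Z cfo@example.org 203.0.113.77 FAIL
2018-01-13T08:00:01Z cfo@example.org 192.0.2.15 FAIL
2018-01-02T08:00:00Z alice@example.org 192.0.2.50 FAIL
2018-01-02T08:00:05Z alice@example.org 192.0.2.50 FAIL
2018-01-02T08:00:12Z alice@example.org 192.0.2.50 SUCCESS
2018-01-04T08:00:00Z bob@example.org 192.0.2.51 SUCCESS
"""


def parse_log(text):
    """Parse whitespace-separated records into (timestamp, user, ip, outcome)."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, user, ip, outcome = line.split()
        events.append((datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), user, ip, outcome))
    return events


def find_low_and_slow(events, window=timedelta(days=30), min_sources=4, per_source_cap=2):
    """Flag accounts whose failed sign-ins, within any `window`, come from at
    least `min_sources` distinct addresses while no single address exceeds
    `per_source_cap` attempts. That shape evades per-IP lockout counters but
    is obvious when the failures are grouped by target account instead."""
    failures = defaultdict(list)
    for ts, user, ip, outcome in events:
        if outcome == "FAIL":
            failures[user].append((ts, ip))

    flagged = {}
    for user, fails in failures.items():
        fails.sort()
        start = 0
        per_ip = Counter()  # attempts per source address inside the window
        for end, (ts, ip) in enumerate(fails):
            per_ip[ip] += 1
            # Drop events that fell out of the window before this one.
            while ts - fails[start][0] > window:
                old_ip = fails[start][1]
                per_ip[old_ip] -= 1
                if per_ip[old_ip] == 0:
                    del per_ip[old_ip]
                start += 1
            distinct = len(per_ip)
            if distinct >= min_sources and max(per_ip.values()) <= per_source_cap:
                prev = flagged.get(user)
                if prev is None or distinct > prev["distinct_sources"]:
                    flagged[user] = {
                        "distinct_sources": distinct,
                        "attempts": end - start + 1,
                        "first": fails[start][0],
                        "last": ts,
                    }
    return flagged


if __name__ == "__main__":
    for user, info in find_low_and_slow(parse_log(SAMPLE_LOG)).items():
        print(f"{user}: {info['attempts']} failures from {info['distinct_sources']} "
              f"addresses between {info['first']:%Y-%m-%d} and {info['last']:%Y-%m-%d}")
```

The per-IP cap is the point: a burst of failures from one address is a different signal (and a different likely cause, such as a mistyped password) and is deliberately left to ordinary lockout rules. In a real deployment the window and thresholds would be tuned to the tenant's sign-in volume, and the flagged accounts would be cross-checked against a credential-reuse list before notifying users.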
Although the researchers assessed that no accounts were compromised as a result of the aforementioned attacks, more recent reporting indicates that at least one notable Microsoft user did in fact suffer a breach around the same time. A little more than a week after the researchers announced their findings, hackers posted on the internet the files of an employee of the cybersecurity firm FireEye. In addition to his LinkedIn profile, the attackers appear to have gained access to the analyst’s personal Microsoft OneDrive account as well. Since he kept FireEye documents in this cloud storage service, the intruders were able to gain access to and publicly release these sensitive corporate materials.
Whether the breach of the FireEye employee’s accounts was related to the large-scale Microsoft Office 365 credential-guessing efforts is not clear, because the researchers who reported the brute force attempts anonymized the identities of the targets. Whether or not the two incidents were connected, however, they both hammer home a key point: passwords themselves can be a cybersecurity Achilles’ heel.
The credential-guessers who sought to hijack Office 365 accounts almost certainly knew that more than 80% of people in one study admitted using the same password for more than one service. The hackers could thus rely on already-stolen login information to attempt to breach additional accounts. Furthermore, the fact that the FireEye employee suffered hacks of both his social media profile and OneDrive account simultaneously – along with the posting of his login credentials online by the intruders – strongly suggests that he used the same passwords for multiple platforms.
Since Microsoft is just beginning to roll out two-factor authentication for Office 365 email clients, and rates of use for this security technique are probably at single-digit percentage levels, experts expect to see more breaches of Office 365 accounts in the future. This problem is also not unique to Microsoft, because most major providers use similar login and authentication mechanisms.
The answer to this problem is to accept that passwords are an inherently flawed way to protect important data stored in the cloud. Fortunately, there is an alternative. PreVeil’s next generation email, file-sharing, and storage system – designed for security and ease of use – is now coming to market. It relies on extremely strong cryptographic keys stored locally on user devices, not easily guessed passwords, to facilitate user access to encrypted information in the cloud. Tools like this likely could have prevented the breach suffered by the FireEye employee, and would make enterprise networks essentially impervious to brute force login attacks.