Equifax Execs' 'Alarmingly Simple' Passwords for Sale on Dark Web

When Bill Burr wrote his password recommendations for the National Institute of Standards and Technology (NIST) more than a dozen years ago, it included advice such as utilizing special characters, random capitalization and frequent changes. Carlos Solari was working in the White House managing information technology and security at the time. Immediately, Solari wasted no time in pushing the government adopted the recommended password requirements.

Burr came out this past August to walk back some of those recommendations in favor of longer, more user-friendly passwords. Solari, now VP of cybersecurity services at Comodo, was already two steps ahead and wise to NIST’s updated recommendations, released in June.

Too bad the executives at Equifax weren’t.

In a blog post released today, Comodo says that more than 388 records of Equifax user and employee endpoint data is available for sale on the Dark Web, including usernames, titles, passwords and login URLs, plus the dates on which they were obtained.

Here’s the kicker. Comodo found that many of the compromised employee accounts, including some belonging to members of the highest levels of management, were “alarmingly simple.” The investigation found that Equifax’s chief privacy officer, CIO, vice president of PR and vice president of sales used all lowercase letters, no special symbols and easily guessable words like spouses’ names, city names and even combinations of initials and birth year.

In other words, these executives’ standards for password security fell short of that of my 10-year-old niece. While Comodo says Equifax has most likely changed all passwords since the exposure of the cyberattack, there’s “a very high probability” that the passwords for sale on the Dark Web were used with internal Equifax applications considering most people use the same password for multiple applications.

Clearly, Equifax failed to mandate and enforce even the most basic of security best practices, despite the slew of cyberattacks on enterprise systems in recent years that have resulted in compromised data for tens of millions of consumers. Which has just about everyone scratching their heads. Why is it taking so long for corporations to catch up to even the most basic level of security best practices?

“I thought maybe last year was the year that corporations would begin to take security measures more seriously,” Solari told The VAR Guy. Here’s to hoping that the events of 2017 will be what do the trick. “With the rise of ransomware in these huge breaches like Petya and WannaCry, combined with the Equifax breach, hopefully corporations will begin taking security more seriously.”

The new General Data Protection Regulation (GDPR) in Europe will also help, says Solari since the data protection measure will apply to the export of personal data outside the EU to countries like the U.S. “It’ll be like gravity,” he explains. Once Europe adopts it, everyone who does business in the region will be pulled in a more secure direction.

Solari says the credentials were stolen via zero-day exploits using pony malware, a Russian (shocker) password stealer kit that can execute through phishing attacks or web application vulnerabilities. The pony sneaks in, exfiltrates data on the credentials of more than 90 applications, grabs the passwords then deletes all traces of itself.

The investigation was done using Comodo’s free ‘Global Threat Analysis Report,’ which scours the Dark Web to see if enterprises’ sensitive data is being traded and gives recommendations on how to restore security.

As for partners who want to ensure their customers’ data isn’t being peddled on the Dark Web, VP of marketing David Liff says Comodo offers a host of free tools on its website, including remote monitoring and management, patch management, forensic analysis tools and service desk. They can even work with partner success specialists to help themselves or their customers walk through the Dark Web. Of course, Comodo hopes once MSPs see the value of these tools, they’ll choose to purchase the company’s security solutions, but regardless, the free resources are a good way for partners to get an idea of whether or not their customers’ data has been compromised.