November closed with more than 32 million records breached, although a data breach at Twitter and one at Whoosh (a Russian scooter-sharing company) account for the majority of these breached records. An alleged breach at WhatsApp has also put the data of 500 million users up for sale, but this has not been counted in the November figures because it is unverified, and is denied by WhatsApp. Hot on the heels of Cyber Security Awareness Month (October), November saw the release of a number of annual reports and surveys, sharing some interesting insights on the security landscape, with a particular focus on passwords and password hygiene.
NordPass report reveals the top 200 passwords and they’re shocking!
If you ever needed a reminder why cybersecurity training is essential, it’s this report. Nearly 5 million people are still using “password” on a regular basis, leaving the account vulnerable to a breach in under 1 second! Other top passwords include “123456”, “guest” and “qwerty”, as well as favourite sports teams and fashion brands. The report was collated from more than 3TB of live breached data, highlighting a generalised lack of security. For businesses, this report is particularly pressing if you allow your team to set their own passwords.
Psychology of Passwords from LastPass
A report from LastPass highlighted the same problem as NordPass, with poor password hygiene being behind many breaches. According to the report:
- 75% of respondents have high confidence in managing passwords, yet
- 62% of people always or mostly reuse a password or a variation of their password
- Only 50% of users changed their password after being informed of a breach
- 31% immediately stopped reusing passwords after training
- Overall, respondents report high confidence but show low-quality behaviours
Microsoft Digital Defense Report
Looking at the data collated from more than 70 billion blocked threats, 10,000 domain removals, and 8,500 security threat reports, the Microsoft Digital Defense Report shares some unique and interesting highlights. For those who want to dive deep into the issues in the cybersecurity landscape, the report covers nation state threats, devices and infrastructure, cyber resilience and much more. It also highlights growth in password attacks, with 921 password attacks happening every second – an increase of 74% in one year. This risk is exacerbated by poor password hygiene, as 20% of users use identical passwords for everything they do online.
Pursuit of Christmas bargains highlights poor approach to our own data
According to a new report from NordVPN, online Christmas shopping reveals some unique insights into our individual cybersecurity habits. Approximately 10.6 million people have been scammed while shopping online, yet they are still happy to share personal details in pursuit of a bargain, including details that help hackers breach accounts:
- 12% would hand over their credit card details
- 4.3% would give their National Insurance number
- 11% would reveal where they worked
- 3.9% would even reveal their children’s names.
Small and Medium Sized Business Vulnerabilities Report (SMBVR)
Although the study was conducted using data from Canadian and US SME companies, the SMBVR report from CyberCatch shared some interesting vulnerabilities faced by SMEs. While these pose a high risk to business, the report also found that the businesses themselves are not aware of the vulnerabilities, which include spoofing, clickjacking, and session riding.
National Cyber Security Centre (NCSC) Annual Report
This year’s annual report from the National Cyber Security Centre highlights the growing problem of cyber fraud, the prevalence of low-sophistication cyber attacks such as phishing and malware, and the continued threat of ransomware. It also considers the growth in nation state threats. The report also reveals that:
- 6.5 million suspicious email reports received and 62k scam URLs removed
- 34 million early warning alerts issued about attacks etc.
- Number of fake UK government phishing scams decreased by 46% (from 13,000 to 6,000)
Twitter’s new verification policy is a cybersecurity nightmare
Historically, Twitter’s blue tick, which denotes a legitimate business or user, has been awarded only to verified accounts. Amid the takeover by Elon Musk, the policy shifted to a paid-for approach, not only prompting concerns that the tick becomes worthless at identifying a verified account, but also kickstarting a wave of phishing emails encouraging you to “get verified”. It’s an apt reminder to always validate the source of your emails and requests, and to avoid clicking on unexpected links.
AirAsia loses 5 million records to ransomware
The Malaysian low cost airline AirAsia fell victim to a ransomware attack, compromising more than 5 million customer records. It included passenger information and booking details, as well as the personal details of many of the airline’s employees. Interestingly, in a comment to the website DataBreaches.net, the hackers confirmed that they did not expect to conduct any further attacks, due to “the chaotic organization of the network”.
500 million WhatsApp users’ data reportedly breached
A hacker has listed a database for sale containing 487 million users’ mobile numbers, including 11 million from UK users. According to the hacker, the data is from a breach of WhatsApp which, if validated, would make this one of the largest single breaches of data by a hack. WhatsApp denies the theft and breach of the records, and as yet, it remains unconfirmed.
Twitter reported to have suffered another breach
According to a cyber security expert, data has been breached from Twitter for the second time this year. A breach originally happened and was disclosed in July, and Twitter claims that the more recently leaked data from November is part of the same breach. However, experts say that the type of data differs between the two breaches, raising concerns that Twitter has lied about a more recent breach.