Google Study Reveals Many People Are Still Using Breached Passwords

Recently, a Google study showed that about 316,000 passwords have already been breached and are still in use. These used password credentials also include financial and governmental accounts. The information used to create this study was from Google Chrome’s Password Checkup extension. Google recently stated on their blog, “The study illustrates how secure, democratized access to password breach alerting can help mitigate one dimension of account hijacking.”

The Password Checkup Extension activates when someone signs into a site, which uses one out of 4 billion username/passwords that Google finds unsafe due to a third-party breach. Google found out that out of 21 million passwords and usernames, 1.5% of these sign-ins were risky. They also stated that many people like to reuse passwords that tend to be vulnerable, which puts them at risk. People use vulnerable passwords when it comes to entertainment and news websites, and sometimes on shopping sites where there could be credit card information stored. About 26 percent of unsafe passwords were reset by users. In addition to that, 60 percent of those new passwords are secured, leaving out the possibility of guessing attacks, which would take a hacker over a hundred million guesses before figuring out the user’s new password. 

Not changing used passwords can lead to cybercriminals gaining unauthorized account access. There have been “credential-stuffing incidents”, which affected companies like Dunkin Donuts and State Farm. Hackers would use lists of breached usernames and passwords to log in to web application accounts through automated requests. When the right username and password combination are found, cybercriminals can gain access to the targeted account. 

Google recommends using their Password Checkup Extension as a precautionary measure to alert users of whether their password has been breached. It is good practice to use different passwords for all your accounts and store them in a secure password manager application. As always, avoid using simple-to-guess passwords and instead use phrases with numbers and symbols. 

Boost Mobile Customer Accounts Breached by Hackers

Sprint’s mobile network Boost Mobile recently admitted to hackers having breached their customers’ accounts through their main website. The data breach originally occurred back in March and was only recently announced.

A website notification was posted to which the company stated that their site “experienced unauthorized online account activity [and that] an unauthorized person accessed [user] account[s] through [their] Boost phone number and Boost.com PIN code.” The company’s fraud team noted how the incident was quickly taken care of through “a permanent solution [that was used] to prevent similar unauthorized account activity.”

According to TechCrunch’s communication with a Sprint spokesperson, Boost Mobile had encrypted any social security or credit card information, leaving such sensitive data uncompromised in the data breach.

Due to the breach affecting a large consumer base of over 500 people, the company had to notify the California attorney general through written notice.

Through access to Boost Mobile’s user account names and PINs, hackers can utilize a type of cyberattack known as credential stuffing to automate and send login requests on the Boost Mobile site to access consumer accounts. The company has already sent a text with a new temporary PIN to those affected by the breach. Users can log into their accounts with the link provided in the text message in order to set a new PIN code. Boost Mobile recommends users reset their PINs if they have not done so already.

In the meantime, the company has also recommended that customers regularly check their Boost Mobile accounts for any fraudulent activity and to report any identity theft or fraud to consumer credit reporting companies.