Passphrase re-use thrown into the spotlight – again
Cloud-based backup outfit IDrive has reset an unspecified number of customer logins to thwart miscreants who are exploiting people’s password laziness.
Too many netizens each reuse the same passwords across many websites; if you hack one site, you can potentially get all the details you need to log into many other accounts on other services.
It’s a long-running security problem, highlighted again last week when it emerged that passwords and logins stolen from gaming website XSplit were used to break into UK telco O2 accounts.
When the login details matched, attackers could access O2 customer data through a process known as “credential stuffing.”
IDrive feared something similar might be thrown against its users, hence its decision to apply a precautionary password reset, seemingly targeted at customers judged most at risk.
This reset has not been applied across the board, as a statement by IDrive supplied to The Register explains (extract below):
IDrive, like many other services in the recent past, has been a target for password re-use attacks.
So as a security measure, for a select few users who may have been impacted, we have turned on two-step authentication, where the user needs to verify their email address in addition to the standard username and password.
Their passwords are not reset, nor are their backups impacted.
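How a service can decide which users to step up after a third-party leak (the credential-stuffing risk described above and the selective two-step measure in IDrive's statement), as an added example that is not IDrive's or The Register's code: helper names are hypothetical, the user store and the leaked list are constructed, and PBKDF2-HMAC-SHA256 is assumed as the store's password hash.

```python
import hashlib
import hmac
import os
from typing import Dict, List, Tuple

# Hypothetical helper names and constructed data; nothing here is IDrive's code.
PBKDF2_ROUNDS = 100_000

def hash_password(password: str, salt: bytes) -> bytes:
    # PBKDF2-HMAC-SHA256, as a typical salted user store would hold it
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)

def make_user_store(accounts: Dict[str, str]) -> Dict[str, Tuple[bytes, bytes]]:
    # email -> (salt, digest); built from constructed (email, password) pairs
    store = {}
    for email, password in accounts.items():
        salt = os.urandom(16)
        store[email.lower()] = (salt, hash_password(password, salt))
    return store

def find_at_risk_accounts(store: Dict[str, Tuple[bytes, bytes]],
                          leaked: List[Tuple[str, str]]) -> List[str]:
    # Replay a third-party dump against our own store offline, on the defender's
    # side: a match means the user reused that password here and needs step-up.
    at_risk = []
    for email, leaked_pw in leaked:
        entry = store.get(email.lower())
        if entry is None:
            continue  # not a customer of this service: nothing to stuff
        salt, stored = entry
        if hmac.compare_digest(hash_password(leaked_pw, salt), stored):
            at_risk.append(email.lower())
    return at_risk

def step_up_policy(store, at_risk: List[str]) -> Dict[str, bool]:
    # True = require email verification on next login; everyone else untouched
    flagged = set(at_risk)
    return {email: email in flagged for email in store}

# Constructed sample data: three customers and a dump from some other site.
USERS = make_user_store({"alice@example.com": "correct horse battery staple",
                         "bob@example.com": "hunter2",
                         "carol@example.com": "Tr0ub4dor&3"})
LEAK = [("bob@example.com", "hunter2"),        # reused here: stuffing would work
        ("carol@example.com", "wrong-guess"),  # same email, different password
        ("dave@example.com", "hunter2")]       # not a customer of this service

if __name__ == "__main__":
    print(step_up_policy(USERS, find_at_risk_accounts(USERS, LEAK)))
```

Only the account whose leaked password actually verifies against the local hash is flagged; unaffected customers keep their normal login, which is the selective behaviour the statement describes.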
The El Reg query was prompted by an email from Australian reader Michael, who said his work had been impacted by what he described as an “idrive.com mass password reset.”
“One of the online backup systems I deal with from time to time has in the last 24 hours turned on 2FA and asked us to reset passwords on login,” he said. “They claim to be NSA proof, but obviously not black hat proof.” ®