This week, news broke that hackers infiltrated Verkada, a Silicon Valley security company specializing in camera systems. The “hacktivists” had access to live camera feeds of nearly 150,000 security cameras from some 24,000 customers, along with internal financial documents, customer lists, and the complete database of camera recordings.
Affected customers included “schools, offices, gyms, banks, health clinics and county jails [...] churches, volunteer fire departments, hotels, sports bars, rehabilitation centers and children’s foster-care homes, as well as major tech companies such as Cloudflare” and Tesla, according to the Washington Post.
And it was all because of one password.
In interviews, the hackers admitted that they stumbled across an admin username and password on the web. It was an “easy” hack: they tried the credentials, they were valid, and the hackers unlocked access to a sensitive data trove.
In the cybersecurity community, the breach has raised questions about data security, privacy and surveillance. But another critical takeaway is that sometimes, mundane things like a leaked password can be a company’s Achilles heel.
How corporate passwords get leaked
It’s a lot easier than you think for hackers to use stolen passwords to gain corporate networks and accounts access. Large-scale breaches — like the LinkedIn breach in 2012 of 170 million credentials — can have long-lasting and devastating security effects. Hackers simply obtain the list of leaked credentials, often on the dark web. They then use automated tools to start testing those credentials or carry out targeted attacks.
For example, if they know the LinkedIn password of the CEO of a specific company, they’ll start trying the same password to break into the CEO’s corporate email account. From there, the hackers can escalate privileges and expand their access within the company’s network.
Security breaches may go undetected for months, or even years. Many people don’t change passwords even when data breaches are publicized. That’s why any password reuse by any employee can put a company in jeopardy. A leaked account by a random website - maybe even one for personal use, outside the office - can still give hackers a way in when the employee uses the same password everywhere.
Steps companies should take today
Strong passwords are critical to an excellent cybersecurity strategy. It sounds simplistic, but good passwords provide an essential first layer of defense against attacks. Every password used by every employee for every company login should be a unique, generated string of random characters. A password manager gives IT the tools to enforce strong password policies while simplifying day-to-day password-related tasks for employees, so better passwords are the norm.
Companies should also explore strategies for going beyond passwords. Single sign-on can eliminate password use and take a policy-based approach that restricts access to the right people at the right time from approved devices. Multifactor authentication adds another critical layer of security. Suspicious logins require that a user prove who they are before granting access to company accounts or data by leveraging contextual data and biometrics. Combining access and authentication technology gives IT visibility into every login while simplifying the employee login experience.
A data breach can be devastating. At this time, it’s unclear what the financial and reputation damage to Verkada will be. But their story should be a reminder to other businesses of the need to be proactive rather than reactive when it comes to secure authentication. Companies must prioritize password security and robust authentication protocols. A layered, policy-driven approach to cybersecurity can slow down any would-be attackers and significantly reduce the risk of a breach. Learn more about how LastPass can help.