From Club Nintendo to a Personal Blog, No Web Site is Immune From Cyber Crime
All too commonly, a discussion around risk will land on the topic of how a target is selected for cyber crime. Huge financial gain? Billions of users? High profile? While all of these make great motives for attack, sometimes the goal is much simpler: Breach as many places as you can to collect personal information and credentials.
The recent attack against the video game-related "Club Nintendo" web site involved over 15 million brute-force attempts against their users' accounts, resulting in nearly 24,000 compromised accounts. While this level of account compromise represents less than one percent of their entire reported user base, that statistic won't comfort the people whose accounts were compromised, who have suffered a huge blow to their privacy and online safety.
Even non-financial information helps identity thieves
Once an account is compromised the information it holds presents a serious threat of identity theft and cyber crime, even if the account didn’t hold financial information. Information like a full name, home address, email address, and password can be a foothold that an attacker can use to break into other accounts and escalate their level of knowledge about a victim. When people use the same passwords for multiple accounts (an all too common practice) the risk of additional compromise is even higher.
Reusing passwords leaves you vulnerable
Most users don't think twice about typing in the same password for many sites. With so many online accounts, it's easy to forget the passwords you've used, where you’ve repeated them, and how often you change them. While an increasing number of end-users are utilizing technologies such as LastPass and 1Password to generate complex and unique passwords, the majority of end-users are still memorizing a small set of passwords that they use broadly across Internet sites, corporate accounts, and personal computers.
While many online breaches leave an attacker to try to crack the site's password hashes after the fact, in this case the attackers already know what the passwords are, since they successfully logged into the site with the guessed credentials. Once the password has been determined, attackers can steal information from the site and start trying to log in to other sites that the victim may be using.
In the case of Club Nintendo, it's concerning that they didn't have mechanisms in place to alert their staff about the attack. After all, they were being brute-forced for close to three weeks straight. Judging by the success of the attack, it's also likely that they didn't require their users to create particularly strong passwords. It's also likely that they didn't have an account lock-out feature in place, since it would have tripped for multiple accounts during the brute-force, giving them an earlier warning of the attack.
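The two controls the paragraph above describes, an account lock-out and an alert on a burst of failed logins, are simple enough to show in code. The following is an added example, not code from the original post or from Nintendo; it runs over a constructed authentication log (the timestamps, user names and addresses are made up), locks an account after a run of consecutive failures, refuses even a correct password while the lock is active, and raises an alert when one source address accumulates too many failures inside a sliding window. The thresholds are assumptions chosen for the demonstration, not recommendations for any particular site.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample authentication log (not from any real incident): one source
# hammers several accounts and guesses alice's password on the sixth try; a
# legitimate user (bob) mistypes once from a different address and then logs in.
SAMPLE_LOG = """\
2013-07-01T10:00:00 FAIL user=alice src=198.51.100.7
2013-07-01T10:00:01 FAIL user=alice src=198.51.100.7
2013-07-01T10:00:02 FAIL user=alice src=198.51.100.7
2013-07-01T10:00:03 FAIL user=alice src=198.51.100.7
2013-07-01T10:00:04 FAIL user=alice src=198.51.100.7
2013-07-01T10:00:05 OK   user=alice src=198.51.100.7
2013-07-01T10:00:06 FAIL user=bob src=198.51.100.7
2013-07-01T10:00:07 FAIL user=carol src=198.51.100.7
2013-07-01T10:00:08 FAIL user=dave src=198.51.100.7
2013-07-01T10:00:09 FAIL user=bob src=203.0.113.5
2013-07-01T10:00:10 OK   user=bob src=203.0.113.5
"""

LINE_RE = re.compile(r"^(\S+) (FAIL|OK)\s+user=(\S+) src=(\S+)$")


def parse_line(line):
    """Parse one log line of the constructed format into (timestamp, outcome, user, src)."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ts, outcome, user, src = m.groups()
    return datetime.fromisoformat(ts), outcome, user, src


class BruteForceMonitor:
    """Account lock-out plus per-source failure alerting (thresholds are assumptions)."""

    def __init__(self, lockout_threshold=5, lockout_minutes=15,
                 source_threshold=8, source_window_minutes=10):
        self.lockout_threshold = lockout_threshold
        self.lockout = timedelta(minutes=lockout_minutes)
        self.source_threshold = source_threshold
        self.source_window_minutes = source_window_minutes
        self.source_window = timedelta(minutes=source_window_minutes)
        self.failures = defaultdict(int)             # consecutive failures per account
        self.locked_until = {}                       # account -> datetime lock expires
        self.source_fail_times = defaultdict(deque)  # src -> recent failure timestamps
        self.alerted_sources = set()                 # alert once per source
        self.alerts = []
        self.successes = []
        self.blocked = 0

    def is_locked(self, user, now):
        until = self.locked_until.get(user)
        return until is not None and now < until

    def _record_source_failure(self, src, now):
        # Sliding window: drop timestamps older than the window, then check the count.
        times = self.source_fail_times[src]
        times.append(now)
        while times and now - times[0] > self.source_window:
            times.popleft()
        if len(times) >= self.source_threshold and src not in self.alerted_sources:
            self.alerted_sources.add(src)
            self.alerts.append(f"source {src}: {len(times)} failed logins within "
                               f"{self.source_window_minutes} min")

    def process(self, now, outcome, user, src):
        # Lock-out is checked before the credential result, so a correct guess
        # against a locked account is still refused (and still counted as a failure).
        if self.is_locked(user, now):
            self.blocked += 1
            self._record_source_failure(src, now)
            return "blocked"
        if outcome == "OK":
            self.failures[user] = 0
            self.successes.append((user, src))
            return "success"
        self.failures[user] += 1
        self._record_source_failure(src, now)
        if self.failures[user] >= self.lockout_threshold:
            self.locked_until[user] = now + self.lockout
            self.failures[user] = 0
            self.alerts.append(f"account {user} locked until "
                               f"{self.locked_until[user].isoformat()} "
                               f"after {self.lockout_threshold} failures")
        return "failed"


def analyse(log_text, **kwargs):
    """Run the monitor over a log and return what a staff alert would carry."""
    monitor = BruteForceMonitor(**kwargs)
    for line in log_text.splitlines():
        parsed = parse_line(line)
        if parsed:
            monitor.process(*parsed)
    return {
        "alerts": monitor.alerts,
        "locked_accounts": sorted(monitor.locked_until),
        "blocked_attempts": monitor.blocked,
        "successful_logins": monitor.successes,
    }


if __name__ == "__main__":
    for key, value in analyse(SAMPLE_LOG).items():
        print(f"{key}: {value}")
```

On the sample log the lock trips on alice's fifth failure, so the correct password on the sixth attempt is refused, and the single source crosses the eight-failure window while it moves on to other accounts; bob's one mistake from his own address never approaches either threshold. The per-source counter is what gives staff the early warning the post asks for even when the attacker spreads guesses across many accounts and never trips a single lock-out.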
The more sites that you use on the Internet, the more times you reuse a password, and the weaker your password, the more likely you are to end up receiving a notice that your account was compromised. Until organizations put more focus into strong security controls like two-factor authentication, we're all a target for attackers and cyber crime.