DUNKIN’ DONUTS Gets Baked!! – Employees decide to use the exact same Username / Password combo over & over again!
Today I need to talk about something. Something near and dear to all our hearts. A most horrible event has occurred. It’s so terrible, it pains me to even speak of it. But I MUST!
Someone, some horrible, terrible Criminal has breached an institution, the Primary Mission of which in this world is to create hand-sized pastry delights of deliciousness.
At this point, I expect everyone reading this to take a page from Darth Vader, rise to your feet, raise your arms and scream “NOOOOooooooooo!”, until you run out of breath (If you’re unsure what I’m talking about, just visit this website.)
I’ll be honest here; that was fun to write. Sometimes I need to take a step back from the doom and gloom that tends to dominate the world of Electronic and Computer Security. However, the truth of the matter is this Breach does have me upset, but not for any of the amusing reasons I’ve alluded to so far.
The problem with this Breach has nothing to do with doughnuts (despite how wonderful they are). It has to do with HOW the Hackers managed to “breach” the system:
They didn’t use any kind of Vulnerability to exploit a website.
They didn’t install any kind of Malware to steal User Credentials.
They didn’t make use of a Botnet to crack Login Information.
They didn’t even steal the Users’ Database.
It was none of those things.
The Hackers simply reused existing User Credentials they got from somewhere else.
The ONLY reason they were able to login was because a number of Employees decided to use the exact same Username/Password combination over and over again. This is the source of my pain. That’s why this Breach bothers me. Chances are, those same people that were hacked made this same mistake with other websites.
Have you ever noticed that a lot of online banking portals have rather peculiar rules when it comes to Passwords?
That is not accidental or any kind of oversight. The reason is that they are trying to force Users not to use the same password over and over again. The rules that many banks put in place for their passwords will often clash with the Password Rules of other Web Services, in such a way that you won’t be able to reuse the same password.
The advice not to use the same password in one place that you do for another is nothing new. If you read the Password Rules for most websites, they will often mention that using the same password you have for another website is not recommended.
There’s actually an Incident Case Summary about Breaches caused by password re-use that the Office of the Privacy Commission published back in 2017, and it gives highlights for three incidents of this nature. Breaches like this are nothing new, unfortunately.
As an organization, you need to actively discourage this kind of behaviour. One way to do it is with a Password Policy. Most of the time (at least for Policies that I’ve reviewed) they mention that Employees should not use the same password for their Corporate Accounts as for their personal ones. This is good advice, but it doesn’t go far enough. Often, individuals within an organization have multiple different logins to various systems.
As an Example, many of the Customers TRINUS has are Municipal ones and make use of a software called Diamond. The User Login for Diamond is different than the one you create for Windows. However, often I’ve found that organizations make use of the same Usernames and allow Employees to set their own passwords freely. What winds up happening is that Users simply use the same password as their Windows Login. It’s easier than a new one and the inside of the Company Network is a secure environment, right?
The danger of allowing this is shown by this DUNKIN’ DONUTS Breach. Acquiring one set of valid Username/Password credentials can give an Attacker the Keys to the Kingdom. In your Password Policy you need to include the rule that Employees are NOT allowed to use the same password for the different User accounts they may have inside AND outside the organization. The reason is simple: It mitigates some of the risk associated with compromised User Credentials.
It won’t prevent a password from being compromised, but it will limit the amount of Access doing so provides an Attacker. This will increase the amount of time it takes them to move around your network and thereby, increase the chances of them getting caught.
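The policy rule above can also be enforced at the moment a password is set. The following is an added example (not code from TRINUS, Diamond or the original post): when a user picks a password for a second internal application, the candidate is verified against the hash already stored for their Windows login and rejected if it matches. The store layout, the PBKDF2 parameters and the sample credential are assumptions for the demonstration; in practice the Windows verifier lives in the directory service and only this compare step would be wired in.

```python
import hashlib
import hmac
import os
from typing import Dict, Optional, Tuple

# Assumed parameters for this demonstration; a real deployment would use the
# hashing scheme each system already has.
PBKDF2_ROUNDS = 200_000
Record = Tuple[bytes, bytes]  # (salt, digest)


def hash_password(password: str, salt: Optional[bytes] = None) -> Record:
    """Return (salt, digest) for a password using PBKDF2-HMAC-SHA256."""
    salt = salt if salt is not None else os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ROUNDS)
    return salt, digest


def matches(password: str, record: Record) -> bool:
    """Constant-time check of a candidate password against a stored record."""
    salt, digest = record
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ROUNDS)
    return hmac.compare_digest(candidate, digest)


def set_password(username: str, new_password: str, target: Dict[str, Record],
                 other_systems: Dict[str, Dict[str, Record]]) -> Tuple[bool, str]:
    """Store a new password for `username` in `target`, unless it is already the
    user's password on one of `other_systems` (system name -> its store).
    Each store keeps its own random salt, so hashes cannot be compared directly;
    the candidate is re-derived against each system's salt and compared instead."""
    for system_name, store in other_systems.items():
        record = store.get(username)
        if record is not None and matches(new_password, record):
            return False, f"rejected: this is already your {system_name} password"
    target[username] = hash_password(new_password)
    return True, "accepted"


# Constructed sample data: the user's existing Windows credential and an
# empty store for the second application (the post's "Diamond" example).
windows_store: Dict[str, Record] = {"jdoe": hash_password("Summer2019!")}
diamond_store: Dict[str, Record] = {}

if __name__ == "__main__":
    print(set_password("jdoe", "Summer2019!", diamond_store, {"Windows": windows_store}))
    print(set_password("jdoe", "a-different-passphrase", diamond_store, {"Windows": windows_store}))
```

The same compare step can be run in the other direction, so a Windows password change is also refused if it matches an existing application password.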
If you have any questions about creating an Effective Password Policy, you can always reach out to your TRINUS Account Manager for some stress-free IT.
Your Friendly Neighbourhood Cyberman.