Here Are Some of the Ways They Stole Passwords in 2020

Beyond Identity Blog | Tuesday, January 12, 2021

Last year was certainly a year that will be remembered in the history books. Between COVID-19, protests, and well … just everything else, it would have been easy to miss all the password theft. Here we present the notable methods, some old and some new, that attackers used to steal or abuse passwords last year.


January | Manor Independent School District

What Happened: Phishing Scam

Result: $2.3 Million Stolen

In January of last year, the Manor Independent School District in Manor, TX, disclosed that it had been the victim of a Business Email Compromise (BEC) campaign. Phishing emails were sent to members of the school district in November, leading to three separate fraudulent transactions. An employee uncovered the scheme a month later, bringing in the Manor Police Department and the FBI. The exact content of the emails, and who fell for them, has not been made public.


March | Pan-European SIM-Swapping Ring

What Happened: SIM-Swap Scam Bypassing MFA

Result: Over €3 Million Stolen Before Europol Crackdown

In March, Europol, with help from local law enforcement, announced a series of arrests across Europe in a crackdown on SIM-swapping rings. The first of the rings is believed to be responsible for the theft of over €3 million in a series of SIM-swapping attacks. SIM swapping is becoming increasingly common because our mobile devices are now central hubs for accessing everything from social media to bank accounts, and because control of a victim's phone number defeats the common forms of multi-factor authentication that deliver one-time codes by SMS or voice call.

To carry out a SIM swap, an attacker fools a mobile operator into transferring the victim's phone number to a SIM card in the attacker's possession, typically by impersonating the victim with personal details gathered beforehand. The victim may realize something is wrong fairly quickly, because their own phone loses service and the signal dies. But that small window is often enough: the attacker now receives the victim's calls and text messages, including one-time codes sent as part of multi-factor authentication, and uses them to take over accounts. The practical lesson is that SMS and voice-call codes prove only control of a phone number, which the operator, not the user, ultimately controls.


April | Italian Email Provider Hacked; PII and Passwords Sold

What Happened: Data Breach Stole Customer Data; Sold Contents on the Dark Web

Result: The data of more than 600,000 Email.it users was being sold on the dark web back in April.

The attackers first tried to extort Email.it; the company declined to pay and instead notified the Italian Postal Police. After the failed extortion attempt, the hackers put the company's data up for sale at an asking price that varied between 0.5 and 3 bitcoin (roughly $3,500 to $22,000 at the time). They claimed the databases contained plaintext passwords, security questions, email content, and email attachments for more than 600,000 users who signed up for and used the service between 2007 and 2020. The plaintext storage is the detail to note: unlike a dump of properly hashed passwords, every credential was immediately usable, including on any other site where the user had reused it.


May | V Shred Data Breach Exposes Personal Data

What Happened: Data Breach

Result: PII of Over 99,000 Individuals Published

Last summer, the vpnMentor research team made the leak public: an unsecured AWS S3 bucket exposed the PII of at least 99,000 individuals. The exposure was discovered on 14 May. Combined, the files contained names, home addresses, email addresses, dates of birth, some Social Security numbers, social media account details, usernames and passwords, age ranges, genders, and citizenship status, among other data points. “V Shred is a young company and appears to be run by a small team,” vpnMentor noted. “However, it’s still responsible for protecting the people using its products and signing up for its services. By not doing so, V Shred has jeopardized the privacy and security of the people exposed, and the future of the company itself.” Exposures of this kind usually come down to a bucket or object ACL that grants public read; AWS's S3 Block Public Access setting, applied account-wide, prevents such grants from taking effect.


October | University of British Columbia

What Happened: Phishing/Ransomware via Fake COVID Survey

Result: Attack Detected and Thwarted

In October, a phishing campaign targeted staff at the University of British Columbia (UBC) with a fake COVID-19 survey. The survey was a malicious Word document designed to download ransomware that would encrypt victims' files and extort them for recovery. The attack was unsuccessful thanks to the rapid response of the UBC cybersecurity team.


December | SolarWinds Attack – Passwords Share Blame

What Happened: Password Guessing and Password Spraying

Result: Investigation Still Unfolding

What happened at SolarWinds is a complicated story, and we won't try to simplify it here. What we know now is that, according to the Cybersecurity and Infrastructure Security Agency (CISA), one of the ways the Russian attackers obtained initial access to some victim networks was password spraying: trying a small set of likely passwords against a large number of usernames, so that no single account accumulates enough failures to trigger a lockout. “CISA incident response investigations have identified that initial access in some cases was obtained by password guessing, password spraying, and inappropriately secured administrative credentials accessible via external remote access services,” reads the activity alert. CISA has advised organizations to refer to the National Security Agency advisory on detecting abuse of authentication systems.

Conclusion

Just because it is a new year does not mean the problems of 2020 will go away on their own (as we have already seen). But there are things you can do to inoculate yourself against them. Just as there is a vaccine for COVID-19, there is a cure for passwords, and it’s Beyond Identity. By implementing a passwordless solution, you remove the password as an attack vector.