Another Day, Another Hack?
That’s how it seems at least. We posted last year about entering an open season on hacking; hackers didn’t discriminate, and anyone from Sony right down to a country pub was targeted for any number of reasons, and it doesn’t seem to be showing signs of stopping. If anything, hacking is becoming even more prevalent, despite companies being more aware of the threat. The latest high-profile target: UserVoice.
Who are UserVoice?
Launched in 2008, UserVoice is a San Francisco-based Software-as-a-Service (SaaS) provider, specialising in product management and customer support programs. Their platform integrates into web and mobile apps, allowing customers to collect, manage and prioritise user feedback. UserVoice have 100,000 customers around the globe and promise ‘a more data-driven approach to prioritising your roadmap.’ As a result, any kind of breach of security could have lasting implications to their reputation within the industry.
UserVoice admitted in April that their backend administrative system was targeted, and a number of customer names, email addresses and passwords were accessed. No financial information was accessed, but it did raise questions about just how hackers were able to get into the system at all. UserVoice have also disclosed that the administrative information within their organisation was protected with the SHA-1 hashing algorithm, a one-way cryptographic function that is now considered weak.
Why Is SHA-1 So Weak?
Back in 2005, cryptographers proved that SHA-1 could be attacked 2,000 times faster than its designers originally predicted. At the time the attack would have been costly and time consuming, but as time has gone on and technology has continued to become faster and cheaper, the risks associated with using SHA-1 hashing have become much higher.
In fact, in late 2014, websites with SHA-1 certificates expiring in 2016 were given yellow warnings. While SHA-1 is weak, if the data is hashed using a salt the chances of discovering the plaintext password are significantly reduced. A salt defeats precomputed lookup tables, but because SHA-1 is fast each individual guess remains cheap, which is why a deliberately slow password hash such as bcrypt is preferred.
What Can You Learn From This?
65% of all data breaches in the current internet era are the result of weak passwords, weak practices and phishing, so in order to protect your company’s or your customers’ information from being attacked and breached, it is imperative to have solutions in place to mitigate these issues. As mentioned in our previous blog, ‘Why Your Password Policy is Broken’, internal company password policies are often breached unknowingly by employees desperate to create a password that they are able to remember. This may be a very common password, something they use on other accounts, or personal information that is easily identifiable. Where passwords have to be changed often, employees can fall into patterns, such as simply changing one digit of their password, which meets the requirements of the password policy but creates a weaker password over time.
The important thing to take away from breaches such as UserVoice is that reviewing your password policy and your internal security measures frequently is key to future security. If you discover that any of these problems are relevant to your company, it may be worth investing in a Single Sign-On (SSO) solution or a full Identity and Access Management (IAM) solution to assist in this future protection.
What If I'm a UserVoice User?
UserVoice have already contacted the customers affected by the breach and are resetting passwords for all the users on their database, while additionally introducing new security measures to protect data, such as:
- Hashing passwords with bcrypt instead of SHA-1 when users reset them
- Enforcing stronger password requirements for all users
- Resetting the SSO tokens for the small subset of accounts whose token was compromised
- Adding additional layers of security around their back-end data storage
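The two schemes this post contrasts, unsalted SHA-1 as UserVoice disclosed and a salted, deliberately slow hash as in their bcrypt migration, side by side as an added example; this is not UserVoice’s code nor code from the original post. PBKDF2-HMAC-SHA256 from Python’s standard library stands in for bcrypt (which needs a third-party package), and the iteration count, salt size and record format are assumptions. It also shows the upgrade-on-login step the post describes, where a legacy SHA-1 record is re-hashed the next time the password is presented.

```python
import hashlib
import hmac
import os
from typing import Optional, Tuple

# PBKDF2-HMAC-SHA256 from the standard library stands in for bcrypt (which
# needs a third-party package). The principle is the same: a random per-user
# salt plus a deliberately expensive work factor (iteration count assumed).
PBKDF2_ITERATIONS = 200_000
SALT_BYTES = 16

def legacy_sha1(password: str) -> str:
    """Weak scheme: unsalted SHA-1. Equal passwords give equal hashes, so one
    precomputed table of common passwords matches every user at once."""
    return "sha1$" + hashlib.sha1(password.encode()).hexdigest()

def hash_password(password: str, salt: Optional[bytes] = None) -> str:
    """Hardened scheme: fresh random salt + slow KDF, stored as one record."""
    salt = salt if salt is not None else os.urandom(SALT_BYTES)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS)
    return f"pbkdf2_sha256${PBKDF2_ITERATIONS}${salt.hex()}${digest.hex()}"

def verify_password(password: str, stored: str) -> bool:
    """Check a password against either record format, comparing in constant time."""
    scheme, *parts = stored.split("$")
    if scheme == "sha1" and len(parts) == 1:
        expected = hashlib.sha1(password.encode()).hexdigest()
        return hmac.compare_digest(expected, parts[0])
    if scheme == "pbkdf2_sha256" and len(parts) == 3:
        iterations, salt_hex, digest_hex = parts
        digest = hashlib.pbkdf2_hmac("sha256", password.encode(), bytes.fromhex(salt_hex), int(iterations))
        return hmac.compare_digest(digest.hex(), digest_hex)
    return False  # unknown or malformed record

def login_and_upgrade(password: str, stored: str) -> Tuple[bool, str]:
    """Verify a login; on success, re-hash a legacy SHA-1 record under the slow
    scheme so the caller can replace it. Login or reset is the only moment the
    plaintext is available, so that is when the migration has to happen."""
    if not verify_password(password, stored):
        return False, stored
    if stored.startswith("sha1$"):
        return True, hash_password(password)
    return True, stored

if __name__ == "__main__":
    # Constructed records for two users who chose the same password.
    old_a, old_b = legacy_sha1("Summer2016"), legacy_sha1("Summer2016")
    print("legacy hashes identical:", old_a == old_b)  # True
    ok, new_a = login_and_upgrade("Summer2016", old_a)
    print("upgraded to slow hash:", ok and new_a.startswith("pbkdf2_sha256$"))  # True
```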
Our advice to any organisations using UserVoice would also be:
- Change your password
- Avoid using a weak password (incorporate upper and lower case letters, symbols, numbers, etc. in unusual formats)
- Don’t use the same password on multiple sites (if you did so before the hack, change this password on all sites)
- Why not remove passwords altogether and replace them with token-based (SAML) authentication?
How To Avoid Becoming the Next UserVoice
If there’s one thing to take away from this blog, it’s that any organisation can be the target of a hack and become the next UserVoice. In fact, 90% of large organisations and 74% of smaller organisations had a security breach last year (Source: HM Government Information Security Breaches Survey 2015). With 65% of data breaches being caused by employees themselves, controlling user access to applications is a key challenge to resolve in order to mitigate the risk of a data breach.
If you’d like to discuss any of the above topics in more detail or find out how My1Login’s Single Sign-On can protect your organisation, come and meet us at InfoSec 2016 next month. Click here to arrange to meet us.