It’s your worst fears come true. You try to log onto your LinkedIn account. Maybe it’s Tumblr or even your Dropbox profile. Perhaps you’ve been thawed out after being cryogenically frozen for the last 10 years and attempt to access a new, Tom-less Myspace.
But all of them return an error. Your password has been changed. Spam messages start flowing from your hijacked account, flooding your news feed with offers for certain ‘enhancement’ pills. What other information did you have on there? How many other accounts have you used that same email/password combo on? How will you ever pull the pieces of your digital life back together?
Okay, maybe I’m being a tad bit dramatic here, but maybe not. In fact, over the last few years, all 4 of the above websites have had data leaks attributed to them. So, for many, sans being unfrozen, the exact scenario above could be much more fact than fantasy.
But how likely is it that your information was compromised in a breach, anyway? The surprisingly unfortunate answer is: pretty likely.
But don’t just take my word for it. Let’s take a look at the numbers:
For this very basic analysis, we’ll be using the data found on www.haveibeenpwned.com. Besides offering up a great tool to see if your email address has been involved in a breach, it also offers a comprehensive listing of events, along with the number of accounts compromised. Up to this point in time (the day that this blog is posted), the current number of “pwned accounts” stands at a robust 1,444,567,928. That’s billion, with a “B.”
But that’s not even taking into consideration some 500 million accounts reportedly exposed in the latest Yahoo! debacle. Using that nice, round number, our grand total swells to a whopping 1,944,567,928.
Now time for the fun.
According to everyone’s favorite information source, Google, the world’s population currently stands at about 7,125,000,000. Dividing the number of breached accounts by that number, we can statistically assume that ~27% of all people have had their account compromised.
But wait, there’s more!
Despite Mark Zuckerberg’s best efforts to bring the internet to the entire world, the sad truth is that really only about 40% have access to Reddit and silly cat videos. That whittles our population pool down to a measly 2,850,000,000. Other estimates put it at around 3.4 billion. Let’s go with the higher number.
Using our figure of 1,944,567,928 and dividing it by 3,400,000,000, we end up with about .57 (rounded to the nearest hundredth). Using my elementary-level math skills (which never progressed much beyond middle school), we can deduce that this comes out to around 57%.
So, relying on statistics alone, we can make a mathematical assumption that more than half of the population has had their information stolen.
Take a second. Look around you. See the two guys trading weekend warrior stories at the water cooler? One of them has their information for sale on the dreaded dark web. Scary, isn’t it?
Now, I should state my disclaimer here that nothing I’ve done is scientific in any way or takes into account the numerous factors that could affect the outcome of this experiment. This includes the glaring fact that many of the same people likely hold at least one account (if not more) across a multitude of these websites. That on its own would greatly inflate the count of breached accounts and probably lower the percentage of affected people by a high margin.
But arguments can also be made in the other direction as well. The true number of compromised accounts could very well be much higher than what has been revealed. Case-in-point: although just recently discovered, it’s reported that the Yahoo! hack actually took place in 2014. It took 2 years for that information to become public knowledge.
So if the data isn’t exact, what’s the point of this blog?
Quite simply, it’s to put into perspective the massive amount of information that has already been stolen from these websites. And realistically, this is only the beginning. If these large, behemoth companies with virtually unlimited resources are vulnerable, it means that pretty much everyone else is as well. Unfortunately, you should probably operate under the assumption that your information has already been compromised.
What can we do to fix this?
As consumers, not much. It’s up to these organizations to implement better security. The best advice that can be given is: Don’t re-use the same login credentials across multiple websites. And when you hear about a breach, simply log in and change your password. It’s also important to remember that your email address could potentially be in the hands of spammers, so watch out for fishy-looking messages. All it takes in these scenarios is a little due diligence and everything should be all right.
As an organization, protect your email. Understand who has access to your Exchange objects and monitor what people are doing with that access.
Nate is a Marketing Manager at STEALTHbits and has worked in the IT Security industry for 5 years.