This past week has witnessed the release (i.e., black market sale) of two massive password files from social media website breaches, and there is an outstanding question posed by the timing and use of this data. Why now?
- The files from Tumblr and MySpace contain just under a half billion user credentials in total (65M and 427M, respectively)
- While the bulk are from the social media granddaddy that is MySpace, both files are old (3 years for Tumblr and 4 years for MySpace)
- The credentials from the Tumblr breach do not seem to have been misused prior to their release (some would argue that the salting and hashing of the Tumblr passwords explains this, but at least some of them would have been cracked by now)
- Both files are being offered for sale on the Dark Web by the same person (who also offered the LinkedIn and Adobe data sets for sale)
What is clear is that the value of these credentials to fraudsters will inexorably decline thanks to the growing prevalence of stronger authentication, especially biometrics. For years (decades) fraudsters could rely on the fact that consumers typically reused passwords - meaning the password a consumer uses for Facebook or LinkedIn is probably the same one used to access online banking. The advent of mobile devices, including smartphones and tablets, has created a mechanism to implement biometric authentication more easily and inexpensively, and effective solutions have not only hit the market, but financial institutions (FIs) are proving very receptive (nearly half of the top FIs in the US support fingerprint scanning for mobile banking, according to Javelin's 2016 Mobile Banking FI Scorecard).
The public release of personal information is certainly a bad thing in absolute terms, but this recent activity may be an indication that even the bad guys recognize that the era of the password is coming to a close (so they should sell any remaining inventory before it is too late).
The end of passwords? That is certainly a good thing.