Most attention is given to data breaches counted in the tens or hundreds of millions, but there is also a continuous stream of small data breaches that make no headlines but present outsized risks to individuals and organizations.
In a recent analysis by Enzoic of breach data collected from the Internet and Dark Web, a full 90% of credential exposures had less than 5,000 accounts exposed, representing a very long tail of small data breaches.
The frequency and nature of these small data breaches suggests several risk factors that shouldn’t be ignored:
The larger breaches are more likely to be uncovered, either because these companies have breach detection tools or because word spreads from the hacker community to the general public and media.
Smaller and less sophisticated sites may never find out they’ve been compromised. Evidence shows that companies are often repeatedly breached over the course of months or even years – presumably because they never learned of the first breach and the vulnerability was still present at a later date.
This risk is then shared with larger companies because people often reuse the same password. This allows bad actors to use the compromised credentials to conduct credential stuffing attacks on multiple sites.
Either because the breached site wasn’t aware or because they didn’t send out notifications, users may not get the message that their account was compromised.
Without notification, users don’t have the opportunity to reset their password on the affected site or others where they may have reused the same credentials.
Again, this vulnerability is shared across small and large sites due to the password reuse issue.
Smaller sites are less effective at protecting the passwords stored in their systems. Enzoic’s analysis showed 96% of breaches with less than 5,000 exposed accounts were plain text, compared with 68% in larger breaches.
The availability of plain text passwords doesn’t necessarily mean they were originally stored that way. In many cases, they’re plaintext because someone cracked them before publishing, which highlights the very weak password hashing algorithms being used. While neither of these figures is good, clearly passwords are more vulnerable on smaller sites.
In the sea of data breaches, the ones that make the news are really only the tip of the iceberg. Organizations need protection from data breaches of all size.
One solution is to detect and prevent the use of passwords that have been previously compromised in 3rd party data breaches. This approach effectively hardens the password layer against risky password reuse behavior and the vulnerabilities from the numerous small data breaches that occur each year.