Password security bulletin

We’ve seen a recent uptick in compromised accounts across our customer base. Last week alone we saw 2 separate Office 365 accounts get ‘hacked’ and fraudulent emails sent out impersonating the account owner.

The account owners were vigilant and almost immediately recognized that something was wrong, notified us, and we helped them regain control over their accounts. However, before we regained control, thousands of emails had already been sent to everyone in their contact lists with a malicious Word document as an attachment.

What was the “Hack”?

We had 2 separate customers report fraudulent access to their Office 365 email accounts, most likely via Outlook Web Access. Both customers had reasonable, but not very long, passwords. We suspect that the same password/email combinations were used on other sites, and may have been included in one of the many password leaks in the past year or so.

What did you do?

We reset their passwords, enabled login auditing for every account in their domain, and enabled 2-factor authentication (when a new device logs in to the account, a text message is sent to the user’s cellular phone with a numeric code that they type in after they enter their username and password).

How can I protect myself/my organization from this attack?

You can proactively do the same steps we did to mitigate the attack:

  1. NEVER use the same password in multiple places.
  2. Use strong passwords. We recommend a *minimum* of 15 characters. We really like passphrases with some extra seasoning: “$My st1nky d0g h4s fl34s!” (Easy to remember, very, very hard to crack.)
  3. Enable 2-factor logins – this is possible on both G Suite (Google Apps) and Office 365.
  4. Enable login auditing (logging) in Office 365. We’re mildly horrified that this is not turned on by default in Office 365 (it is the default in G Suite), but it’s trivial to enable, and once it is on you can see where and when accounts log in, which IP addresses they are accessed from, and so on.
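Step 4 in practice, as an added example that is not part of this bulletin: an Exchange Online PowerShell session that turns on mailbox auditing for every mailbox in the tenant and then lists which IP addresses each account has signed in from over the last week. It assumes the ExchangeOnlineManagement module is installed and that the admin account used to connect (admin@example.com is a placeholder) holds Exchange administrator rights.

```powershell
# Added example, not the bulletin's own script. Assumes the
# ExchangeOnlineManagement module and an Exchange admin account;
# the UPN below is a placeholder.
Connect-ExchangeOnline -UserPrincipalName admin@example.com

# Turn on mailbox auditing for every mailbox and keep the audit
# records for 180 days instead of the default retention period.
Get-Mailbox -ResultSize Unlimited |
    Set-Mailbox -AuditEnabled $true -AuditLogAgeLimit 180.00:00:00

# Pull the last seven days of login events. MailboxLogin comes from
# mailbox auditing; UserLoggedIn is the directory sign-in event that
# the unified audit log also records.
$end    = Get-Date
$start  = $end.AddDays(-7)
$events = Search-UnifiedAuditLog -StartDate $start -EndDate $end `
    -Operations MailboxLogin,UserLoggedIn -ResultSize 5000

# AuditData is a JSON document; keep only the fields needed to answer
# "who logged in, from where, and when".
$logins = foreach ($e in $events) {
    $d = $e.AuditData | ConvertFrom-Json
    [pscustomobject]@{
        When      = [datetime]$d.CreationTime
        User      = $d.UserId
        Operation = $d.Operation
        ClientIP  = $d.ClientIP
    }
}

# One row per user/IP pair. An account that suddenly shows a new
# source address, or logins at hours the owner never works, is the
# pattern worth following up on.
$logins |
    Group-Object User, ClientIP |
    ForEach-Object {
        $sorted = $_.Group | Sort-Object When
        [pscustomobject]@{
            User      = $sorted[0].User
            ClientIP  = $sorted[0].ClientIP
            Logins    = $_.Count
            FirstSeen = $sorted[0].When
            LastSeen  = $sorted[-1].When
        }
    } |
    Sort-Object User, FirstSeen |
    Format-Table -AutoSize
```

Search-UnifiedAuditLog only returns events recorded after auditing was switched on, so run the query a few days after enabling it, or re-run it on a schedule, to build up a baseline of normal sign-in locations.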

Obviously, if you use a different password for every site and system you access, you’ll never be able to remember them all. We strongly recommend using a password manager such as the free and open source KeePass, LastPass, or similar to keep them all straight. LastPass also has a mobile app, so you always have access to your passwords even when you aren’t in front of your computer.

Next steps?

Calling your favorite I.T. company is always a good step if any of the above sounds like Greek to you. We’re specialists in geek (erm, we mean Greek…).