Largest Data Breach in History: What You Need to Know

You found the backup wrap up your go-to podcast for all things

backup recovery and cyber recovery.

In this episode, we talk about what's being called the largest

data breach in history, a massive 16 billion login credentials exposed

across 30 different databases.

I'm joined by my co-author, Dr. Mike Saylor and my co-host Prasanna Malaiyandi.

And we break down what this means for you and your organization.

We'll talk about how this is actually not one breach, but a compilation of a

number of breaches stolen, using probably info stealer malware, why your browser

habits might be at risk, and what you need to do right now to protect yourself.

Mike shares some uncomfortable truths about browser security that,

uh, might make you question those.

50 tabs like I have.

Anyway, uh, this is a really good episode.

If you don't know who I am, I'm w Curtis Preston, AKA, Mr. Backup,

and I've been handling backup and recovery for over 30 years ever since.

I had to tell my boss that we had no backups of that production database

that we had just lost . On this podcast, we turn unappreciated backup

admins into cyber recovery heroes.

This is the backup wrap up.

Welcome to the show.

Hi, I am w Curtis Preston, AKA, Mr. Backup, and today is a special day.

We actually have a couple of folks with us, and of course.

We will start as always, with my favorite world traveler Prasanna.

Molly.

Andi, welcome back to my time zone.

Thank you Curtis.

It's good to be back and I think my jet lag is crossing

my fingers almost all gone now.

I, uh, am no longer waking up at like three 30 in the morning.

Um, it was great from a productivity perspective because you can

get a lot of work done when no one else is awake, but it

Yeah.

kind of painful when you're trying to stay awake at like 6:00 PM so I'm glad to be

Right.

time zone.

Yeah, I can, I, I can understand that.

And we also have like, I don't know, I'm gonna say the best co-author

I've ever had since I've never had another co-author, Mike Sailor.

How's it going, Mike?

It's going well guys.

Good to, good to be back on the air with you.

You and I are, we are in the final throes of the rough draft of our upcoming book,

learning Ransomware Response and Recovery.

Um, it's, um, I, I, what, what's it been like for you to, to, to write this?

I will tell you it's been, uh, it's been great for me, uh,

having a co-author, uh, the,

Have it only do, have to only do part of it.

Absolutely.

Well, and, and, someone, uh, someone that I can say, uh, you know, we're,

we're right there together, right?

So, uh, I'm

yeah,

because we're both behind.

yeah.

There is.

There is that.

There is like we're constantly, yeah.

Um, and um.

Yeah, it's, it's been great.

And, and I like that, you know, there, obviously there are areas where, you

know, I'm the SME and there's areas where you're the SME and there's, and, and,

and many of those areas we often pretend to be the SME, uh, 'cause, you know, you

gotta fake it till you make it right.

But we, it, it's great that we have, we could say, okay, look, I,

I did this part of the chapter and I really need you to take a look at it,

Right.

to make sure that, uh, you know, it's, it's correct.

Um, and that's been great.

How you guys are splitting up the book between Mike dealing with a lot

of security stuff, you dealing with

Yeah.

stuff, it's just like an organization, right?

If the two organiza or two business units, right, security and backup

don't talk to each other, right?

Then you're gonna have a very poor ransomware recovery, um,

solution as a company, right?

Yeah.

Versus if you actually work together, then you can actually come up with great ways

I.

and recover from these issues.

So what

Yeah.

And

is exactly how like

We're setting an example, Curtis,

Exactly.

we're setting an example and it's great because, you know, even on the areas

where you know, you know more than I do, or I know more than you do, like.

We're still giving feedback on that area.

Right.

Um, and, um, because even if you're, if you're not a specialist in something,

you can still, uh, you know, Prasanna, we joke about, you know, when you first,

you and I first started doing this recording, you know, so you said you

were playing the dumb guy in the room.

You, you were, you, you have been, although you were absolutely

not the dumb guy in the room.

One of your best traits here is that you ask really great questions, right?

And, um, so yeah.

Anyway, so I'm, I'm excited that we're getting, um, you know, really close

to being done with the rough draft.

Then we just have to edit.

Um, and hopefully there's not too, you know, and we go through the

tech review process, which is, uh,

so

um,

when can they

yeah,

this?

Is

Well have

that's a great question.

there is a.

this year?

I.

is an early release version already out there and Curtis, I don't know if you've

looked at that, but they weren't kidding.

Yeah,

unedited, I mean, there are spelling mistakes and I mean, I was

yeah,

did

yeah,

it out?

yeah.

If you sign up for the O'Reilly Learning Platform, uh, you can get the, you

know, the, you can get a, you can get access to the, um, to the 100%

there's

unedited.

Um.

Yeah.

Yeah.

Um, and we've written now like 10 or 11 chapters.

Uh, so they get, it goes through some, some review, but very, very

little, and then it goes out.

So yeah, you can get, uh, access to, uh, the unedited version now and, uh,

I

yeah.

look at the unedited version of chapter one, it's gonna look a lot different than

the final version from what I understand.

Uh, I did see the, the editor's notes on.

Uh, some of the, some of the things that I put into chapter one that

Mm-hmm.

take out, but I think chapter one, as it is, has a ton of information, even

though it might be kind of, uh, diluted a little bit to, to line up better with

the, the chapter flow and although the book flow and, and some of those other

Yeah.

early

Yeah,

one, I think is a value,

yeah.

Yeah.

So, uh.

Yeah.

Yeah, yeah.

It's been, um, yeah, it, it's, you know, because for those that don't

know, . There's a copy edit review, but there's also a tech review, right?

So we have a team of people who have Google Docs, uh, access, uh, not a

sponsor, um, Google Docs access to, uh, you know, basically the, the chapters

as we finish them, we give 'em in there.

They have a folder they go in and then they, you know,

they tell us what they think.

Um, and that's, that's, I think that's one of the best parts about how O'Reilly

writes books, um, is that that copy at Pro and you can invite as many people as

you are willing to take, uh, input from.

Right.

Um, so, um, Mike, I brought you in today because, uh, you know, there's

this article that, you know, I, I happen to see it in Forbes, but,

this, this, this link in Cyber News.

It seems to be original reporting.

Um, but there is this, this, you know, they're, they're calling it

the largest data breach in history, including 16 billion login credentials,

which for the record is two logins.

Per human on the planet.

Um, that's a lot there.

You know, they're saying there's over, there's gonna be overlapping credentials.

We don't really know what the credentials are.

We don't know.

We don't know where they came from.

Um, and so I just thought it'd be a great time to bring you

on and talk about this stuff.

Um, where do you think would be a good place to start?

Just give your overall thoughts about this, this, they're calling it a

breach, but I, I think it's actually many different breaches, right?

Well, I think similar to the Farmer's Almanac where we can use historical data

to predict future events, uh, I think we need a cyber almanac because this,

this, uh, largest breach in history happens about every two to three years.

Uh.

So there's this cycle, um, and the cycle is, primarily driven by complacency.

So this bad thing happens and we get really diligent and aware,

and then that dwindles and then the bad thing happens again.

And then we're hypervigilant and aware for a period of time and that just wears off.

And the, the things that we do to try to keep people more aware, um,

unfortunately don't rise to the level of newsworthy.

Right.

So being in the news is what concerns a lot of people and companies, and

everything below that is just kind of stuff we have to check the box and

do, and don't pay much attention to.

Um, and so I think that's, that's what drives a lot of the, the vulnerability

that results in these data breaches.

Um, but in this case, the, you know, it's just another large data breach.

Uh.

the idea that, you know, two, two credentials per human on the planet

and, if you narrow it down to just humans that have internet access, it's

probably more than two per person.

Right.

probably have.

Not to mention, not to mention adults and or people old enough to, you

know, use the internet, you know?

it's, the adults are probably the ones that got compromised.

The younger kids are like, there's no way, you know, my, my

stuff's gonna get compromised.

They, they do all the right things.

Uh, it's, it's

Right.

uh, in the, in our older years that are still trying to get acclimated

to, things that the, didn't,

Yeah, I,

we still don't read the manual.

Right.

right.

What's a what?

they

What's a manual?

Maybe AI reads it to them or their friends.

It's all peer, peer pressured, uh, security diligence, uh, on in the

Right?

younger crowd.

I have a. Question for your clarification.

So they talk about this as a data breach.

In my mind, a data breach involves sort of an attacker gaining access to

credentials by attacking the provider.

So a Facebook, a Google, a Apple, right, or LinkedIn, right In this.

Whatever company it is.

Um, but I was reading another article on bleeping computer where they mentioned it

may not have been a data breach where the provider was, uh, breached, but it might

be like an info stealer where someone had installed something on the user's laptop

and had stolen credentials that way.

And so I just wanna get your thoughts on that,

Sure.

it's like 16 billion passwords.

That seems like a lot.

I don't, I don't have the book here on my desk, but there's a

good book, uh, written by Sean tma.

He's a, he's an attorney, specializes in in, in cyber and, and incident response.

And his book is about the need for general counsel

uh.

It leadership to have a good relationship.

And one of those, one of the things he speaks about in his book, and

something I harp on a lot is what is the definition of an event?

An incident and a breach?

Because those may be different to different organizations, but they are the

same among insurance companies, law firms, you know, when it gets to litigation.

So if you use the term incident when really it's not, you've,

you've got that communicated out.

As an incident that can be used against you?

In your, in your example, uh, uh, a laptop was compromised with, uh, we,

we call it a credential harvester.

Uh, so its objective was to, to, to identify and exfiltrate

login, pa login IDs and passwords.

Mm-hmm.

so thinking, uh, or, or the thought perspective that.

Uh, that approach was not a data breach or a breach, and I think there's,

there's two different, there's a data breach and a normal breach.

There was a breach that allowed this malware to get on a computer, and

then that resulted in a data breach.

And even then, there's definitions there.

So is the, is the theft or collection of credentials really a data breach,

or is your data breach defined as client data or financial data or

So,

data?

And who's

Well, let me,

Oh, sorry,

well, let, let me follow on that, Mike.

So, so really it wasn't a breach, it was millions of little breaches.

Right?

So you're saying that in this case the breach was the, the end user's laptop.

Right.

And then this info stealer grabs all the passwords that, that, um, user

happens to, uh, interact with during the time that that malware is present.

Right.

Um, and so what I, I think what Prasanna was saying is it wasn't a breach

of Google or a breach of Facebook.

It was a breach of these individual people, uh, you know, and then

their, their information was stolen.

Is that, uh,

and, and,

go ahead.

a, that's a good, um, uh, a good of, of that situation.

But if, if we, if we bring it up a level.

Mm-hmm.

bad guys aren't gonna think, oh, we need to compromise 8 million

people to get the passwords we need.

They're gonna

Mm-hmm.

what do 8 million people generally use?

Well, they use third party apps on their phones.

They use, uh, cloud, cloud services, they use public wifi, so they're

gonna strategize about the lowest effort to get the most return.

so compromising 8 million people is not low effort, so they're gonna.

Think of what, what is the most common denominator and

let's go attack that thing.

'cause that thing

Okay.

a million user credentials.

And then let's take the example of a, a, a password vault.

I don't have to hack

Right.

If I hack the, the password vault that a million users are using, I

don't just get a million credentials.

I get.

you know, one to many credentials per user that's using the password vault.

So

Right.

And that's what happened in the prior biggest breach in history is bad guys

went after all these third party apps that, that are seemingly, you know,

not a big deal, uh, that don't have the robust security that you know more the.

Um, you know, leading, leading apps like Facebook or Google would have, they

don't have the, the robust security.

They're just a, a mobile app that was maybe designed with best practice,

but not, you know, good cyber, you know, maturity or, or what have you.

So they, they, they attack these third party apps and sure, maybe I'm only

gonna get Curtis's one credential.

But I know human nature that Curtis's One credential in this third party app

is the same password that he uses for his bank or his business, and what they

found in that prior breach Was, even though it was a third party app, people

with.gov.edu dot mill, they were using that email address and those credentials

to sign up for that third party app.

So now I have

Mm.

work account because you use those credentials and 'cause

we're lazy humans and bad

Right.

So in this case, I think it was a combination of info stealers.

So whether that's just embedded malware and stuff we download like.

You know, pirated movies or software or templates for PowerPoint

or you know, whatever it is.

So there's that, but that's the.

the, probably the smallest percent of, uh, compromised data.

But then they're gonna go after, um, you know, these, these other data sets.

And so that dataset could be at a, a third party app.

It could be at a cloud service, it could be anywhere, because that's

the, you know, that's throwing the, that's throwing the net instead of,

you know, the single fish in line.

and then, you know, there's no honor among thieves.

You know, they'll steal from each other also.

Uh, but they also, they also

Hmm.

with each other, so.

Um, I don't know if you've ever seen some of the, the, the kind of funny commercials

where there's two people that, that are selling something right next to each other

and one has four melons for, you know, $4 a piece, and the other one has six

melons for, you know, three 50 a piece.

And the

Mm-hmm.

aren't selling.

So he makes an offer to the guy with six, and the guy with six

says, I'll pay you $2 a melon.

And then he has those melons and raises his price to $5.

Right.

So that's, that's normal business.

Well,

Yeah.

doing that too.

So I can, I can get a million credentials and you have 250,000.

I'll give you something for your two 50 because 1.2 million is

more valuable than my million.

And

Hmm.

deals like that.

And there are, they're, I mean, data brokers is a job, uh, that bad

Right.

uh, so.

Collection, brokering, selling, uh, uh, using, uh, those credentials.

Those are all different, uh, parts of the, the bad guy ecosystem.

And so this, this biggest breach is probably a collection

of a lot of different things.

Yeah, and especially if you could start linking together different

pieces of data from different websites or different aspects, like maybe

one breach has addresses and email addresses, another has like email

addresses and social security numbers, or emails and logging credentials.

And so now you're able to piece together, basically you're

building the user's profile.

Well, and, and to make it even kinda worse, scarier, uh, it, um, you know,

now let's, let's involve ai and so I can give AI this data set and tell

it to go out to the world of things.

Just everything that has a login portal, try all these credentials.

And so

Hmm.

and, and if I have five of Curtis's credentials.

The AI's gonna try every combination of all those five things on this one

portal, and it's gonna do that in an automated, um, you know, hands-off

fashion that bad guys are just gonna, you know, they, that that's when

they're gonna take a, a, a longest vacation they've, they've ever had.

But, um, so they're gonna try all of those, those all these credentials

on that next data set that may have more credentials for that one user.

so this is just gonna grow now that they have.

A library of credentials.

They can, they can try on any number of things.

Um, so what.

Man, so many, so many questions.

So in the, that article that I was looking at, they mentioned that some of the data

sets appear to have, uh, session IDs and, uh, you know, handshake credentials.

I think that's the right term.

Um, what, what does that tell you in terms of, does that tell

you anything in terms of how that particular data was, was taken?

there's two ways of collecting that kind of data.

One is from a browser.

Uh,

Mm-hmm.

was, uh, either infected or you concurrently or coincidentally, uh,

went to an infected website while you were logged into something.

and so

Hmm.

I'll, I'll, I'll give some, some kind of ps, you know, public service.

Uh, at this point, if you're logging into something sensitive like your bank

or your retirement fund, or your health

Mm-hmm.

or your health records, don't do anything else while you're doing that, right?

So open a browser window fresh with that one tab.

Log into that thing.

don't open any other browsers or, or windows in, or tabs in that

browser while you're doing that.

And when you log off and do, click the log off, that's gonna send the

end session note, uh, notice to the, to wherever you're logged in, and

then close that browser and reopen it again to do something else.

So that is going to completely end your session with that, whatever that.

That, uh, activity was, and if

So as, okay, go ahead.

I was just gonna say, if you don't, if you don't follow those

guidelines, you could end up on a bad website or, uh, have a bad plugin.

'cause there there are, there is such a thing, a, a, a malicious plugin and they

can steal not only your session, but also your multifactor authentication token.

They can

Right.

that through the browser.

it to replay your, your authentication to that site while

the session is still active.

And that's what's important about logging off and closing your browser.

Okay.

Okay.

So that, so those two pieces of information are only

valuable at that moment.

Um, uh, but, but as long as that session is active, they could take that data

and then basically pretend to be you.

Yep.

And the other way to do

Okay.

they've got, if they've compromised your, your whole computer, then that stuff

Yeah.

cached in memory and temporary internet files and yeah,

Yeah, so, so let me make sure I understand.

As a person who's currently sitting here with, I don't know,

57 tabs on his browser, um,

Bad

is this, thank you.

Uh, I, I'm, I'm just learning this now.

Um, so I mean, you know, I'm doing a, a lot of the other

things that are good Right.

You know, from a obviously password manager and, and, and I do.

Um, uh, but my question is, when you talked about that, so like right now

I have a separate browser, uh, session that is, um, that being used for

this and it's not part of the, the, the cluster o tabs over over there.

I, is that what you're talking about, like, or is it, does it need to

be like, do, do, does that window with all my other tabs, does that

need to be completely shut down?

Are you just talking about inside this little session right here that, because

I have like three tabs on this session.

browser, like edge, even if you

Yeah,

tab out into its own window, it's still part

it's still the same.

Yeah.

Okay.

Well that's not the answer I was looking for, Mike.

So thanks.

so

Um,

do, so my, and, and this is what I do because I log into so many

Microsoft environments, I can't, I

um.

you know, my Black Swan account plus the, the colleges I

teach at plus the nonprofit.

I can't log into all three of those or more of those, uh uh, Microsoft

accounts in the same browser.

it's gonna, it, it logs me out of the other if I log into to one of these.

So I have to have different, so I use, I use all of them.

I use Firefox, Chrome, and, and so I'm, I'm

So you go between them.

can you

Interesting.

just use incognito when

You could,

using

however, uh, incognito or the in private browsing doesn't, doesn't, um,

cookie?

has an issue with maintaining your session between, like, you can log

into web mail, but if, if, uh, like oh 365, but then if you want to go

to SharePoint, it, it has an issue.

Or Teams, teams doesn't work in an in

Uh.

uh, browser.

So there's some

Also my password manager, which is browser based, um, doesn't work in incognito.

problem.

People even, even even in, in, uh, acceptable use in company policy that

says, don't, uh, you know, don't auto save or autofill, but then you get this

browser that keeps wanting you to do that.

And so at

Yes.

people are gonna go, fine, stop asking me.

Just do it.

And now we've got credentials saved in browsers.

And that's the other thing too, with multifactor authentication.

If you log into O 365 and Edge.

And it goes, Hey, uh, you know, you've logged in good.

I sent you a code to your phone or, or your, or your, uh, your

MFA app, and you enter that code.

A lot of people check that box that says, remember me so I

don't have to do this again.

Well, guess what?

That MFA token is now stored in your browser bad guys can steal that.

Yeah.

Hmm.

True, true.

Like effective MFA requires that you do MFA every single time.

Every ti.

Every time.

Yeah.

So.

So going back to the breach, right?

So there are a bunch of passwords, right?

And you mentioned Mike, that hey, you might be reusing your password

across multiple accounts and all the rest, so now it's available.

What about for those who say like Curtis, who says, Hey,

I'm using a password manager.

I don't need to worry about this breach because I have a password manager

that's auto generating passwords.

I'm not using it across multiple sites.

this something that they still need to worry about?

they do because you don't know what was, what was taken.

back to the, the session.

So if, if I logged in today with a password and I did not log out,

but at some point it, it maybe, I, I read this article and I think

I need to change that password.

And so I used my phone 'cause I read this on, you know, at the airport,

uh, I used my phone to change my password, but my computer at home

is still logged in with the old one.

Them.

So I still have an active session with the old password.

So depending on what bad guys took, was it the session?

You know, all the session information, you know, was it the old pass?

Whatever it is, they still may have access if you did not log off, close

your browser, you know, all those, all those things, uh, it's still possible.

Hmm,

So Curtis,

I am really not liking this recording, Mike.

This is not one of my favorite, uh, sessions.

it's a constant, it's a, historic battle, you know, uh, fabled tale, you

know, however you wanna say it, the, the battle between convenience and security.

Uh, I

Right, right.

that's why convenience stores get robbed, right?

They're convenient, they're too convenient, so.

The, if they're open 24 7, the door's not locked.

There's one person in there.

It's too convenient.

Uh, you have to find the balance, and the industry is still catering to the

convenience more than the security.

So the

Mm.

says, oh, we need multifactor, but then what we get is, well, you can just save

that so you don't have to do it again.

And then we get

Right.

do you wanna maintain the session?

Do you want me to remember you?

Do you All these things that just make life easier for us as consumers and

users that are still catering to the bad guy's ability to, to compromise us

Having 50 tabs open that shouldn't allow that.

um, uh.

It's not 50, it's like 47.

But, um, I'm working on the book, Mike, like I got stuff going on.

Um, but I wanna say, I, I do wanna say that it's not just, you know, like.

So, so there's a lot of people I think like me that are trying

to do the right thing, but, but aren't doing all the right things.

Right?

So it sounds like I, I need to add a new right thing, which is to stop

doing this, but it, it, look, I, I'm, I'm just trying to figure out like

how that changes my workflow because a lot of the reasons that I often have

a bunch of tabs open is 'cause, so I don't have to remember which ones.

You know, where I have the 57 different articles or whatever.

Right.

Um, wow.

The number just went up to 57.

But I do think that if that's interesting about the saving of the, the saving

of the account, um, I. Uh, but I do think that password management

plus MFA is a big deal, right?

Um, those two things I think MFA is, is good, MFA, right?

Not, not using your, your phone.

Um, and that, um.

And having a, and not just using a password manager to putting in

the biggest password that you can.

Right.

So to, to lower the chance of guessing.

Uh, but I do think those two things together with MFA reduces your,

your chances of, of being in touch.

Even if they got the, the username and password, uh, they

wouldn't necessarily be able to.

Breach your account if you have MFA enabled.

If you don't have the thing you were just talking about, about the

stealing it from the browser, which is a little disconcerting, but

Well in the.

what do you, what do you think about that comment?

I.

So there, there's, there's pieces to, to, to good cyber, uh, diligence.

There's the, the thought, so I want to do this.

There's the application of that and, and the, the good,

the good application of that.

Well, then there's, it doesn't matter how good you are, it's

gonna happen at eventually, right?

So you, you can have the best setup ever.

Bad guys really want what you have.

They're, they're gonna get it.

So the, the

That's kind of the, that's kind of the point of, that's kind of

the point our, of our book, right?

We're basically, we're going from an assumed breach.

You're going to get

mm-hmm.

so you need to set up the, you know, you need to set yourself

up to be able to respond to it.

Anyway, go ahead.

And absolutely so that, all right, so I think I'm doing everything right and

then this biggest Breach Ever article comes out, how do I know if I, I'm

compromised and what can I do if I am?

Uh, how would I know?

And so that alerting is, uh, is important.

So I always get, I, I've set up as many accounts as I can to tell

me when weird stuff happens or if just unexpected things happen.

Like on my bank account, anything over a dollar in or out, I get a text message.

Mm.

I know I I, and, and it happens instantly when I'm at the store or buying.

I used to buy gas, uh, or a car wash, uh, I'd get a text message,

right then you spent this, or a deposit or a wire or whatever.

At least I know, and I have a transaction log there, so immediately, and I do

not, um, you know, you, you wanna do it smartly, so you're not over.

You know, you, you don't become, um.

Uh,

Fatigued.

fatigued by it.

You're right.

You, you

Yeah.

at it every time it happens.

Alright, well you can do the same thing with a lot of your logins.

Like with Google, it'll tell you when a new device connects to your account.

Uh,

Right.

uh, same with LinkedIn.

And LinkedIn did something, uh, new recently where even if I'm logged

in, in one tab, if I open a new tab, it has the security feature to make

sure I'm not a robot or something.

Hmm.

I've

Mm-hmm.

That's just happened in the last week or so.

but for as many of your accounts as possible, definitely turn on MFA.

Definitely turn on any kind of logging, especially your financial accounts,

uh, and alerting, uh, and set those thresholds low so that you're, I mean, $25

is still a lot of money to some people.

I've set mine at $1.

same with your, your credit cards.

Uh, all those things.

Just look at what you have and the capabilities of alerting you, uh, and,

uh, auditing or logging in that stuff and use 'em to the extent possible.

Alright, well then.

So now you're breached.

What do you do?

I've asked so many people, you know, cyber, cyber isn't relatable to a lot of

people, so I, I bring it back to identity.

What would you do today if you learned your identity was stolen?

I have no idea what's gonna happen.

So you might wanna look into that the timeliness, just like

in cyber, fast and effective you respond makes a huge difference.

So, if you get an alert today that your identity's stolen and it's

Friday at, you know, Friday morning.

Are you gonna spend the rest of your Friday dealing with that?

Or you're like, I'll deal with it after work.

I've got too much to do today, or I don't, I have no idea.

So I've gotta call somebody and wait for them to call me back.

Well, that's time that bad guys are now opening accounts and doing a

bunch of fraud, and who knows what I.

I,

Interesting.

it's very uncomfortable talking to you, Mike,

So

like, I don't know.

I don't know what I would do right now if, if I got that, if I got that alert.

Right.

Um, I mean, the good news is like, so one of the things I do Prasannally, you

know, when you talk about like, identity stuff, one of the things I have is like, I

have all my credit reports locked, right?

Or frozen, right?

Because fro free freezing, I dunno what the difference is between freezing

and locking, but freezing is free.

And, um, you know, I've got them all frozen.

Uh, and so, so that at least I've got, I, I've got a relatively decent.

Uh, belief that they're not gonna go and open, um, random accounts in my name.

But, um, anyway, prana, you were, you were about to say something.

two questions, Mike.

the first is with this password breach, I, when you look through it, right, a

lot of it is like login and password.

I know one of the things you mentioned is, hey, if you had

logged in with your E or used your email address as your login, right?

Then they might try that same combination across multiple different

websites and other things like that.

Um.

One of the things that I started doing recently is I don't use the

same username across all my sites.

Just like you don't use the same password, why is there even a

need to use the same username?

And it bugs me when websites don't allow you to use something

other than email address.

Well,

Hmm.

cool, what's cool is if you use a Google email address or Gmail.

A lot of people don't know this.

so let's just say my, my as an example, let's say my, my Google,

my Gmail is Mike at gmail.

And I want to create an account with Facebook.

I can do Mike Facebook at Gmail,

Hmm.

and I still get the email to Mike at gmail.

Gmail allows you to do that.

That, uh, I don't know, I don't know what to call it.

That, that add-on, that extension to your primary username, which does two things.

It allows you to use different.

Credentials, uh, with your Gmail account, but it also allows you

to know if that account ever sold your information to a third party.

So now

Right.

unsolicited spam using that email.

You're like, yep, that's where that came from.

And you can shut that

What,

Just a

what?

But, so

oh, sorry, Curtis, before you,

go ahead.

a quick question, Mike.

Is it a dot or a plus?

Because I've seen the Plus.

I haven't seen

Hmm.

So

Maybe it is.

Maybe it is a plus.

Okay.

But don't the bad guys.

Just know that and just take the plus off.

They could, but they're lazy.

So they're gonna out,

Oh, okay.

out of these

This is like the, this is like the bike lock theory, right?

Just make it a little bit harder than the other guy.

Right.

Okay.

so,

Okay.

I.

my first question, and the second question I had is, I know you also talked about

session tokens and being able to steal it in the web browser, and nowadays

there's a lot of push on pass keys.

Do pass keys change any of what we're seeing today in terms of these breaches,

uh, from like info stealers or things happening in the web browser, et cetera?

They, they do currently, you know, back in the day, if you remember back in

the day when we had the RSA token, so if you wanted a remote access in, you

had to have this little dongle and you push a button and it tells you a code.

Well, that's all math based and that's what sessions and all

these tokens, it's all math based.

And even MFA to a degree, when you have to enter a code, that's all math.

Because how in the world would the, the place I'm logging into know

that the code that I got out of this third party app is, it's all math.

Right?

and so currently, and, and we'll back it up a bit.

So the, the different factors of multifactor is what you have,

what you know, and what you are.

So biometrics is what you are, and even where you are now, GPS, uh, so

biometrics, face, eyes, fingerprints, what you know is your credentials.

What you have would be a dongle, like a pass key, uh, like an UBI

key or an, is it ubi, Obi, UBI Key,

Ubi.

uh, and then where you are.

So I can only log in with what I know, what I have, and.

Where I am, like I can't log in from the Middle East if I have that

configured and, and if, if it's not configurable, then you can alert on it.

'cause a lot of those geo ips.

But then if bad guys know that, that, but again, back to 8 million, they're

not gonna know to try, you know, I'll go to VP n into Dallas, Texas to make

sure I can log into Mike's account.

They don't know that that's an evolution of their attack and that's not gonna

They know it now.

That's, yeah,

They know it now.

I, I do know that I, I, I give out misinformation from time to time.

Uh, I, I've played this game, uh, but yes, what you have like a USB

and, and, and, and there's actually a USB, uh, called an iron key.

Uh, that's pretty, pretty legit.

It's military grade.

If you pry it open to try to get the data itself destructs, it's

kind of mission impossible stuff.

it's not only a storage USB, it's also a password manager and a pass key.

And so to your point, if even if I knew my credentials and I had MFA, it's still

wouldn't let me authenticate if I didn't have that plugged into my computer.

To, to get that, that

Hmm.

bit of math, uh, from the pass key to, to add to it.

Gotcha.

Hmm.

it looks like pass keys would be secure from the sort of data

breach that we just saw, or the

If your computer's not compromised,

Okay, so let's say your computer was compromised and

someone stole your pass key.

It somehow figured out how to steal

so the way,

let's say.

that would work, all that authentication happens before your session.

Mm-hmm.

Right.

So once I'm fully authenticated with however many factors of

multifactor I've used, I now have a session and a session key,

Mm.

And a token.

So if my computer's compromised, the bad guy just has to wait until

you've finished authenticating, and now I can steal that and use it

Gotcha.

unless you're

Yeah, if your computer's compromised it, it seems like all bets are off, right?

My thing with, so far, I've been trying to use PAs keys where I can.

My thing has been that, um, the, the vendor, you know, the

website, um, their implementation of PAs keys has been very varied,

back to the

right?

They, they've gotta cater to the lowest common denominator.

Yeah.

And, and the, the one that, the one that, um, is the least helpful.

And, and again, it's that, that the, um, the convenience

versus security into it, right?

Which I use quite a bit, right?

I use, I use QuickBooks and I use, uh, TurboTax.

Um, the way they implemented Passkey is that every, if, if

I, if I choose to use a passkey.

It requires me to, and again, I, I use Dashlane, right?

And, um, Dashlane doesn't do this elsewhere.

When I go to put in the pass key, it requires me to enter my Dashlane password,

which is something I normally don't enter every single time because I, you

know, again, convenience for, right.

Um, and, um.

It's just, it's a really long password.

Uh, whereas others, it's like, if I'm at this computer with this login,

you know, um, I'm not sure, I'm not sure how it all works on behind

the scenes, but anyway, I dunno.

Got, I hope that part just doesn't make me sound.

versus

It's that convenience.

Yeah.

Yeah.

Um, it's just like with, with the password manager, uh, I deliberately

made a, like a very long.

Password.

It's a very long password, but it's an easy password for me to remember, but it's

quite a bit to type if I have to type it every single time, you know what I mean?

Um, anyway, um,

back to

yeah.

earlier about your 50 tabs,

Yeah.

and not wanting to remember.

You know, or forget how to get to an article or something.

Uh, create a, a text file or a notepad on your desktop and just put all those

URLs in there and they're clickable.

Um,

Yeah.

and, and that way you can just go back and forth.

We do that a lot when we do security assessments.

'cause you go from one, one host or, or one, uh, target to the next.

And you want to keep notes, uh, without

Mm-hmm.

open because tabs consume resources.

If you look at your task manager right now.

Uh, whatever browser you using, it's probably at like 700.

Uh, gig of

That's why I have 47 gigabytes of Ram.

Um,

you

Mike, um.

You've, you've addressed the convenience part all.

Um, uh, all right, so what would you given, given this thing has happened?

Um, you know, other than the usual of, you know, password manager and MFA and,

uh, and I like this and, and honestly, I, I don't know how, I didn't know

this before, the whole browser thing, and I'm definitely gonna rethink that.

I think for me, what I'm gonna do is I'm going to switch to a different.

Browser, like a different product.

I, you know, I pretty much stay in the same browser all the time, but

I'm thinking that for things that are dangerous, like bank stuff, right?

I'm thinking about using a completely different browser product.

One that is supported by my password manager, which it

supports like the top five, right?

Um, and.

Uh, and when I'm doing bank stuff, that kind of stuff, I go there and use that and

then do the things and then that minimizes the, I'm not, I'm not sure how good I'm

gonna be at closing all my 57 tabs, um, because you know, when you, what's that?

Ease into it.

He said, so make it 47 tenths.

Um.

tomorrow, 38 next week.

30

Yeah.

You sound like, uh, back when my, um, when my doctor was trying to get me

to give up, uh, sodas, she's like, you know, 'cause I was, I was, I

was, at one time I was drinking like, like 2, 2 6 packs of sodas a day.

That's a lot.

And there were diet sodas, but it, but it was, it was causing, uh.

Yeah,

Yeah.

Yeah.

Um, and, um, uh, well, it wasn't, it was the, it was just the sparkling

water stuff, but what it was, was it was causing me, uh, it was

causing me, uh, shut up prassana.

I didn't ask you.

Um, it was causing, uh, digestive issues.

Yeah, yeah, yeah, yeah.

Anyway, she's like, you know, you don't have to go to zero, you know, you

can go to like 10 and then, you know.

Yeah.

Anyway.

Anyway, uh, okay, so.

I like that.

What about, you know, h how concerned should people at this

point, should they go out and like change a bunch of passwords?

That's what, that's, you know,

It's probably something they need to do anyway 'cause they're using, they haven't

done it and who knows, maybe never.

Uh, but

I.

to think about and, and, and you know, like for me, I've got dozens of accounts,

so, which I don't have time to do that.

Well, if you don't have time to do all of them, focus on the important ones.

Your bank.

Your primary email accounts, uh, all your, all your financial health, you

know, Prasannal record stuff, change those, but then uh, or, or at least

put some thought to, do you have like password recovery accounts?

So, you know, Mike at Gmail is the one I use every day, but if I,

if I get locked outta my Facebook account or someone compromises

it, or I can't remember the email.

A lot of times that password reset does not come to the email

account that you use to set it up.

It comes to, you have to create some other accounts,

Right.

your, your spouse or you know, some, you know, Mike too at Yahoo or

Yeah.

Uh, so, and, and those are accounts that people have forgotten about,

you know, years ago also, that, you know, I've never had to do that and

it's just outta sight outta mind.

So you've gotta remember that too, because.

you, if if bad guys have your Facebook account today and you change the

password, and they go, well, oh, I'm gonna, I'm gonna try to for, you know,

do the, I forgot my password because I've also got the credentials to

your Yahoo and your Gmail, and if you didn't change those, then I've got the

link to reset your Facebook account.

Uh,

Yeah, I like that.

that.

And

I like that.

Yeah.

For me, by the way, it would be the Amazon, I gotta change my Amazon

password 'cause it, you know, I buy way too much stuff over there.

account.

And that's the other thing

Yeah,

Do not store your payment information.

That's just as

yeah,

as storing your.

yeah.

Your password.

So if, if someone got into my Amazon account, you could see my order history,

but you couldn't buy something new.

'cause I don't store my, my payment information

Right, right.

and, and I've entered my payment information enough that I've

got it memorized so I don't have to go look for my wallet.

I can just bang it out.

So the back to the browser though.

So using different browsers is, is great.

That's a great first step.

But also configure them well.

Do not store passwords.

Do not store payment

Yeah.

Uh, it would be difficult for a lot of people, but you can also

configure it so that it deletes all your session data and history.

Every time you close your browser.

Some

Hmm.

to just start typing and it remembers where you were.

Um.

That's not, you know, your history's probably not as important as

your session data, uh, but you can configure that to, to purge.

Uh, more often than never, I.

All right.

Interesting.

Well, I think you've given us enough to think about.

Um,

spending this weekend, uh, updating all of his, uh.

yeah.

I,

Procedures.

I, I, I do think I'm gonna go out and change a bunch of the, the, like you

said, the important data passwords.

Um,

um, you got me a little freaked out, but, uh, but like, you

know, there, well, whatever.

Anyway, I'm not gonna argue.

I know I'm in the wrong whatever.

Um, but, uh, so tha thanks again, Mike, for coming on.

I do what I can.

You'll, you'll, you'll lose all of your hair like me at some point.

And thank you again, Prasanna.

No thank you, although I don't know if this was necessarily how I wanted

to start my weekend, but it's okay.

I will be changing lots of passwords again.

Yeah.

Yeah.

Um, and uh, thanks to the listeners.

I hope we didn't depress you too much.

And also, uh, well in this case, this goes live Monday morning,

so hope we didn't ruin your week.

Um, that is a wrap.