{"video_id":"uLflDeGbuzE","title":"Your Password Is Probably Leaked","channel":"Techquickie","show":"Techquickie","published_at":"2023-05-05T14:58:16Z","duration_s":296,"segments":[{"start_s":0.0,"end_s":6.08,"text":"Having your personal accounts hacked can range from embarrassing to downright panic-inducing,","speaker":null,"is_sponsor":0},{"start_s":6.08,"end_s":10.48,"text":"but imagine how awful it would be to lose data worth billions of dollars.","speaker":null,"is_sponsor":0},{"start_s":11.12,"end_s":15.2,"text":"This was exactly what happened to the United States Securities and Exchange Commission's","speaker":null,"is_sponsor":0},{"start_s":15.2,"end_s":20.0,"text":"EDGAR system, which has been called the Fort Knox of America's financial sector.","speaker":null,"is_sponsor":0},{"start_s":20.64,"end_s":25.28,"text":"EDGAR is basically a big database where companies file their financial statements","speaker":null,"is_sponsor":0},{"start_s":25.28,"end_s":27.84,"text":"so that the government regulators can then have a look at the books.","speaker":null,"is_sponsor":0},{"start_s":28.56,"end_s":34.08,"text":"Although EDGAR records are public, submissions aren't made public immediately, meaning that","speaker":null,"is_sponsor":0},{"start_s":34.08,"end_s":38.88,"text":"if someone got their hands on statements early, they could use that information for insider","speaker":null,"is_sponsor":0},{"start_s":38.88,"end_s":45.6,"text":"trading on the stock market. And that's exactly what happened in 2016. An international hacker","speaker":null,"is_sponsor":0},{"start_s":45.6,"end_s":50.88,"text":"network took advantage of EDGAR's vulnerabilities by sending phishing emails to SEC employees,","speaker":null,"is_sponsor":0},{"start_s":50.88,"end_s":57.44,"text":"and then used information that had not yet been made public to make over 4 million dollars in","speaker":null,"is_sponsor":0},{"start_s":57.44,"end_s":63.84,"text":"profits off of early trades. But while the hackers were caught and forced to pay restitution,","speaker":null,"is_sponsor":0},{"start_s":63.84,"end_s":69.36,"text":"the hack exposed some serious issues with the SEC's systems, including a lack of full encryption","speaker":null,"is_sponsor":0},{"start_s":69.36,"end_s":74.32,"text":"and misconfigured firewalls. Not exactly confidence-inspiring for the massive banks","speaker":null,"is_sponsor":0},{"start_s":74.32,"end_s":78.16,"text":"and other companies that assumed that the federal government could keep their information safe.","speaker":null,"is_sponsor":0},{"start_s":78.88,"end_s":83.68,"text":"It was especially embarrassing considering that the SEC took months to discover the hack,","speaker":null,"is_sponsor":0},{"start_s":83.68,"end_s":89.12,"text":"even after they had been warned for years that their security simply wasn't good enough.","speaker":null,"is_sponsor":0},{"start_s":91.6,"end_s":98.0,"text":"But while the SEC might be forgiven a little bit for not being super familiar with cybersecurity,","speaker":null,"is_sponsor":0},{"start_s":98.56,"end_s":103.92,"text":"we can't say the same for LastPass, one of the leading password management services.","speaker":null,"is_sponsor":0},{"start_s":103.92,"end_s":108.88,"text":"Although the nature of their business makes them a prime target for cyber attacks, LastPass had a","speaker":null,"is_sponsor":0},{"start_s":108.88,"end_s":115.2,"text":"breach in 2022 that went far beyond anything they had faced before. Hackers broke into a","speaker":null,"is_sponsor":0},{"start_s":115.2,"end_s":120.16,"text":"LastPass engineer's laptop, which helped them conduct a second attack that then led to the theft","speaker":null,"is_sponsor":0},{"start_s":120.16,"end_s":125.52,"text":"of encrypted passwords as well as quite a bit of customer information that for some reason","speaker":null,"is_sponsor":0},{"start_s":126.16,"end_s":132.0,"text":"LastPass was just storing as plaintext instead of encrypted data. This plaintext data included","speaker":null,"is_sponsor":0},{"start_s":132.0,"end_s":137.04,"text":"URLs of the websites that customers were storing passwords for, meaning that hackers could decide","speaker":null,"is_sponsor":0},{"start_s":137.04,"end_s":142.4,"text":"exactly which passwords to crack first, as banking sites would be more valuable to them","speaker":null,"is_sponsor":0},{"start_s":142.4,"end_s":148.72,"text":"than, say, your password for fanfiction.net. Probably. And somewhat similarly to the SEC,","speaker":null,"is_sponsor":0},{"start_s":148.72,"end_s":153.84,"text":"LastPass had previously been criticized for not storing all of its information in an encrypted","speaker":null,"is_sponsor":0},{"start_s":153.84,"end_s":160.32,"text":"format. Even though LastPass stated that properly implemented passwords would take millions of years","speaker":null,"is_sponsor":0},{"start_s":160.32,"end_s":166.56,"text":"to properly brute force, what made the situation positively silly was that this attack occurred","speaker":null,"is_sponsor":0},{"start_s":166.56,"end_s":172.0,"text":"through an engineer's home computer, which was targeted because of a vulnerability in Plex of","speaker":null,"is_sponsor":0},{"start_s":172.0,"end_s":177.12,"text":"all things, which the engineer also had installed. This is why you don't mix business with pleasure.","speaker":null,"is_sponsor":0},{"start_s":178.08,"end_s":184.0,"text":"But as bad as the LastPass breach was, it still doesn't quite compare to the incident in 2021","speaker":null,"is_sponsor":0},{"start_s":184.0,"end_s":192.08,"text":"that ended up being the biggest password breach of all time. RockYou2021 leaked over 8 billion","speaker":null,"is_sponsor":0},{"start_s":192.16,"end_s":197.92,"text":"different passwords, so well over one password for every human on earth. It didn't appear that","speaker":null,"is_sponsor":0},{"start_s":197.92,"end_s":203.2,"text":"the passwords were the product of one single attack. Rather, the leak was a huge compilation","speaker":null,"is_sponsor":0},{"start_s":203.2,"end_s":208.4,"text":"of passwords that were exposed due to multiple earlier breaches. All these passwords were combined","speaker":null,"is_sponsor":0},{"start_s":208.4,"end_s":214.96,"text":"into a single text file of around 100 gigabytes in size. Although the passwords themselves were","speaker":null,"is_sponsor":0},{"start_s":214.96,"end_s":221.28,"text":"already floating around in the dark web, having so many in one simple plaintext file would make it","speaker":null,"is_sponsor":0},{"start_s":221.28,"end_s":226.56,"text":"very easy for attackers to use them for dictionary attacks, where software just automatically goes","speaker":null,"is_sponsor":0},{"start_s":226.56,"end_s":232.0,"text":"through a list of all the passwords until they find one that hits. This is a great example of why,","speaker":null,"is_sponsor":0},{"start_s":232.0,"end_s":236.88,"text":"even if you have a lengthy, difficult-to-guess password, you should be using two-factor authentication","speaker":null,"is_sponsor":0},{"start_s":236.88,"end_s":243.68,"text":"any time it's offered. And remember that replacing an S with a dollar sign is neither secure nor","speaker":null,"is_sponsor":0},{"start_s":243.68,"end_s":247.84,"text":"clever. Thanks for watching, guys. Like, dislike, check out some of our other videos,","speaker":null,"is_sponsor":0},{"start_s":247.84,"end_s":251.28,"text":"comment with video suggestions down below, and don't forget to subscribe and follow.","speaker":null,"is_sponsor":0}],"full_text":"Having your personal accounts hacked can range from embarrassing to downright panic-inducing, but imagine how awful it would be to lose data worth billions of dollars. This was exactly what happened to the United States Securities and Exchange Commission's EDGAR system, which has been called the Fort Knox of America's financial sector. EDGAR is basically a big database where companies file their financial statements so that the government regulators can then have a look at the books. Although EDGAR records are public, submissions aren't made public immediately, meaning that if someone got their hands on statements early, they could use that information for insider trading on the stock market. And that's exactly what happened in 2016. An international hacker network took advantage of EDGAR's vulnerabilities by sending phishing emails to SEC employees, and then used information that had not yet been made public to make over 4 million dollars in profits off of early trades. But while the hackers were caught and forced to pay restitution, the hack exposed some serious issues with the SEC's systems, including a lack of full encryption and misconfigured firewalls. Not exactly confidence-inspiring for the massive banks and other companies that assumed that the federal government could keep their information safe. It was especially embarrassing considering that the SEC took months to discover the hack, even after they had been warned for years that their security simply wasn't good enough. But while the SEC might be forgiven a little bit for not being super familiar with cybersecurity, we can't say the same for LastPass, one of the leading password management services. Although the nature of their business makes them a prime target for cyber attacks, LastPass had a breach in 2022 that went far beyond anything they had faced before. Hackers broke into a LastPass engineer's laptop, which helped them conduct a second attack that then led to the theft of encrypted passwords as well as quite a bit of customer information that for some reason LastPass was just storing as plaintext instead of encrypted data. This plaintext data included URLs of the websites that customers were storing passwords for, meaning that hackers could decide exactly which passwords to crack first, as banking sites would be more valuable to them than, say, your password for fanfiction.net. Probably. And somewhat similarly to the SEC, LastPass had previously been criticized for not storing all of its information in an encrypted format. Even though LastPass stated that properly implemented passwords would take millions of years to properly brute force, what made the situation positively silly was that this attack occurred through an engineer's home computer, which was targeted because of a vulnerability in Plex of all things, which the engineer also had installed. This is why you don't mix business with pleasure. But as bad as the LastPass breach was, it still doesn't quite compare to the incident in 2021 that ended up being the biggest password breach of all time. RockYou2021 leaked over 8 billion different passwords, so well over one password for every human on earth. It didn't appear that the passwords were the product of one single attack. Rather, the leak was a huge compilation of passwords that were exposed due to multiple earlier breaches. All these passwords were combined into a single text file of around 100 gigabytes in size. Although the passwords themselves were already floating around in the dark web, having so many in one simple plaintext file would make it very easy for attackers to use them for dictionary attacks, where software just automatically goes through a list of all the passwords until they find one that hits. This is a great example of why, even if you have a lengthy, difficult-to-guess password, you should be using two-factor authentication any time it's offered. And remember that replacing an S with a dollar sign is neither secure nor clever. Thanks for watching, guys. Like, dislike, check out some of our other videos, comment with video suggestions down below, and don't forget to subscribe and follow."}