1
00:00:00,000 --> 00:00:06,080
Having your personal accounts hacked can range from embarrassing to downright panic inducing,

2
00:00:06,080 --> 00:00:10,480
but imagine how awful it would be to lose data worth billions of dollars.

3
00:00:11,120 --> 00:00:15,200
This was exactly what happened to the United States Securities and Exchange Commission's

4
00:00:15,200 --> 00:00:20,000
EDGAR system, which has been called the Fort Knox of America's financial sector.

5
00:00:20,640 --> 00:00:25,280
EDGAR is basically a big database where companies file their financial statements

6
00:00:25,280 --> 00:00:27,840
so that the government regulators can then have a look at the books.

7
00:00:28,560 --> 00:00:34,080
Although EDGAR records are public, submissions aren't made public immediately, meaning that

8
00:00:34,080 --> 00:00:38,880
if someone got their hands on statements early, they could use that information for insider

9
00:00:38,880 --> 00:00:45,600
trading on the stock market. And that's exactly what happened in 2016. An international hacker

10
00:00:45,600 --> 00:00:50,880
network took advantage of EDGAR's vulnerabilities by sending phishing emails to SEC employees,

11
00:00:50,880 --> 00:00:57,440
and then used information that had not yet been made public to make over 4 million dollars in

12
00:00:57,440 --> 00:01:03,840
profits off of early trades. But while the hackers were caught and forced to pay restitution,

13
00:01:03,840 --> 00:01:09,360
the hack exposed some serious issues with the SEC's systems, including a lack of full encryption

14
00:01:09,360 --> 00:01:14,320
and misconfigured firewalls. Not exactly confidence-inspiring for the massive banks

15
00:01:14,320 --> 00:01:18,160
and other companies that assumed that the federal government could keep their information safe.

16
00:01:18,880 --> 00:01:23,680
It was especially embarrassing considering that the SEC took months to discover the hack,

17
00:01:23,680 --> 00:01:29,120
even after they had been warned for years that their security simply wasn't good enough.

18
00:01:31,600 --> 00:01:38,000
But while the SEC might be forgiven a little bit for not being super familiar with cybersecurity,

19
00:01:38,560 --> 00:01:43,920
we can't say the same for LastPass, one of the leading password management services.

20
00:01:43,920 --> 00:01:48,880
Although the nature of their business makes them a prime target for cyber attacks, LastPass had a

21
00:01:48,880 --> 00:01:55,200
breach in 2022 that went far beyond anything they had faced before. Hackers broke into a

22
00:01:55,200 --> 00:02:00,160
LastPass engineer's laptop, which helped them conduct a second attack that then led to the theft

23
00:02:00,160 --> 00:02:05,520
of encrypted passwords, as well as quite a bit of customer information that for some reason

24
00:02:06,160 --> 00:02:12,000
LastPass was just storing as plaintext instead of encrypted data. This plaintext data included

25
00:02:12,000 --> 00:02:17,040
URLs of the websites that customers were storing passwords for, meaning that hackers could decide

26
00:02:17,040 --> 00:02:22,400
exactly which passwords to crack first, as banking sites would be more valuable to them

27
00:02:22,400 --> 00:02:28,720
than, say, your password for fanfiction.net. Probably. And somewhat similarly to the SEC,

28
00:02:28,720 --> 00:02:33,840
LastPass had previously been criticized for not storing all of its information in an encrypted

29
00:02:33,840 --> 00:02:40,320
format. Even though LastPass stated that properly implemented passwords would take millions of years

30
00:02:40,320 --> 00:02:46,560
to properly brute force, what made the situation positively silly was that this attack occurred

31
00:02:46,560 --> 00:02:52,000
through an engineer's home computer, which was targeted because of a vulnerability in Plex of

32
00:02:52,000 --> 00:02:57,120
all things, which the engineer also had installed. This is why you don't mix business with pleasure.

33
00:02:58,080 --> 00:03:04,000
But as bad as the LastPass breach was, it still doesn't quite compare to the incident in 2021

34
00:03:04,000 --> 00:03:12,080
that ended up being the biggest password breach of all time. RockYou2021 leaked over 8 billion

35
00:03:12,160 --> 00:03:17,920
different passwords, so well over one password for every human on earth. It didn't appear that

36
00:03:17,920 --> 00:03:23,200
the passwords were the product of one single attack. Rather, the leak was a huge compilation

37
00:03:23,200 --> 00:03:28,400
of passwords that were exposed due to multiple earlier breaches. All these passwords were combined

38
00:03:28,400 --> 00:03:34,960
into a single text file of around 100 gigabytes in size. Although the passwords themselves were

39
00:03:34,960 --> 00:03:41,280
already floating around in the dark web, having so many in one simple plaintext file would make it

40
00:03:41,280 --> 00:03:46,560
very easy for attackers to use them for dictionary attacks, where software just automatically goes

41
00:03:46,560 --> 00:03:52,000
through a list of all the passwords until they find one that hits. This is a great example of why,

42
00:03:52,000 --> 00:03:56,880
even if you have a lengthy, difficult-to-guess password, you should be using two-factor authentication

43
00:03:56,880 --> 00:04:03,680
any time it's offered. And remember that replacing an S with a dollar sign is neither secure nor

44
00:04:03,680 --> 00:04:07,840
clever. Thanks for watching, guys. Like, dislike, check out some of our other videos,

45
00:04:07,840 --> 00:04:11,280
comment with video suggestions down below, and don't forget to subscribe and follow.
