WEBVTT

00:00:00.000 --> 00:00:06.080
Having your personal accounts hacked can range from embarrassing to downright panic inducing,

00:00:06.080 --> 00:00:10.480
but imagine how awful it would be to lose data worth billions of dollars.

00:00:11.120 --> 00:00:15.200
This was exactly what happened to the United States Securities and Exchange Commission's

00:00:15.200 --> 00:00:20.000
EDGAR system, which has been called the Fort Knox of America's financial sector.

00:00:20.640 --> 00:00:25.280
EDGAR is basically a big database where companies file their financial statements

00:00:25.280 --> 00:00:27.840
so that the government regulators can then have a look at the books.

00:00:28.560 --> 00:00:34.080
Although EDGAR records are public, submissions aren't made public immediately, meaning that

00:00:34.080 --> 00:00:38.880
if someone got their hands on statements early, they could use that information for insider

00:00:38.880 --> 00:00:45.600
trading on the stock market. And that's exactly what happened in 2016. An international hacker

00:00:45.600 --> 00:00:50.880
network took advantage of EDGAR's vulnerabilities by sending phishing emails to SEC employees,

00:00:50.880 --> 00:00:57.440
and then used information that had not yet been made public to make over 4 million dollars in

00:00:57.440 --> 00:01:03.840
profits off of early trades. But while the hackers were caught and forced to pay restitution,

00:01:03.840 --> 00:01:09.360
the hack exposed some serious issues with the SEC's systems, including a lack of full encryption

00:01:09.360 --> 00:01:14.320
and misconfigured firewalls. Not exactly confidence-inspiring for the massive banks

00:01:14.320 --> 00:01:18.160
and other companies that assumed that the federal government could keep their information safe.

00:01:18.880 --> 00:01:23.680
It was especially embarrassing considering that the SEC took months to discover the hack,

00:01:23.680 --> 00:01:29.120
even after they had been warned for years that their security simply wasn't good enough.

00:01:31.600 --> 00:01:38.000
But while the SEC might be forgiven a little bit for not being super familiar with cybersecurity,

00:01:38.560 --> 00:01:43.920
we can't say the same for LastPass, one of the leading password management services.

00:01:43.920 --> 00:01:48.880
Although the nature of their business makes them a prime target for cyber attacks, LastPass had a

00:01:48.880 --> 00:01:55.200
breach in 2022 that went far beyond anything they had faced before. Hackers broke into a

00:01:55.200 --> 00:02:00.160
LastPass engineer's laptop, which helped them conduct a second attack that then led to the theft

00:02:00.160 --> 00:02:05.520
of encrypted passwords, as well as quite a bit of customer information that for some reason

00:02:06.160 --> 00:02:12.000
LastPass was just storing as plaintext instead of encrypted data. This plaintext data included

00:02:12.000 --> 00:02:17.040
URLs of the websites that customers were storing passwords for, meaning that hackers could decide

00:02:17.040 --> 00:02:22.400
exactly which passwords to crack first, as banking sites would be more valuable to them

00:02:22.400 --> 00:02:28.720
than, say, your password for fanfiction.net. Probably. And somewhat similarly to the SEC,

00:02:28.720 --> 00:02:33.840
LastPass had previously been criticized for not storing all of its information in an encrypted

00:02:33.840 --> 00:02:40.320
format. Even though LastPass stated that properly implemented passwords would take millions of years

00:02:40.320 --> 00:02:46.560
to properly brute force, what made the situation positively silly was that this attack occurred

00:02:46.560 --> 00:02:52.000
through an engineer's home computer, which was targeted because of a vulnerability in Plex of

00:02:52.000 --> 00:02:57.120
all things, which the engineer also had installed. This is why you don't mix business with pleasure.

00:02:58.080 --> 00:03:04.000
But as bad as the LastPass breach was, it still doesn't quite compare to the incident in 2021

00:03:04.000 --> 00:03:12.080
that ended up being the biggest password breach of all time. RockYou2021 leaked over 8 billion

00:03:12.160 --> 00:03:17.920
different passwords, so well over one password for every human on earth. It didn't appear that

00:03:17.920 --> 00:03:23.200
the passwords were the product of one single attack. Rather, the leak was a huge compilation

00:03:23.200 --> 00:03:28.400
of passwords that were exposed due to multiple earlier breaches. All these passwords were combined

00:03:28.400 --> 00:03:34.960
into a single text file of around 100 gigabytes in size. Although the passwords themselves were

00:03:34.960 --> 00:03:41.280
already floating around in the dark web, having so many in one simple plaintext file would make it

00:03:41.280 --> 00:03:46.560
very easy for attackers to use them for dictionary attacks, where software just automatically goes

00:03:46.560 --> 00:03:52.000
through a list of all the passwords until they find one that hits. This is a great example of why,

00:03:52.000 --> 00:03:56.880
even if you have a lengthy, difficult to guess password, you should be using two-factor authentication

00:03:56.880 --> 00:04:03.680
any time it's offered. And remember that replacing an S with a dollar sign is neither secure nor

00:04:03.680 --> 00:04:07.840
clever. Thanks for watching, guys. Like, dislike, check out some of our other videos,

00:04:07.840 --> 00:04:11.280
comment with video suggestions down below, and don't forget to subscribe and follow.
