For Spotify CEO Daniel Ek, the goal for the rest of 2016 should be simple: don’t rock the boat. The Swedish music streaming service, which is widely expected to go public late next year, is already locked in enough significant conflicts to occupy most of Ek’s waking hours.
Apple, besides choking off Spotify updates via the App Store, increasingly poses a competitive threat with its well-funded Music division. Record megalabels, reluctant to conclude long-term agreements with Spotify for access to their catalogues, nevertheless command over half of the company’s revenues via royalty payments - the major contributor to Spotify’s continual operating loss. Recording artists, dissatisfied with their cut of the proceeds, face possible retaliation if they make it publicly known - a nasty public profile for a company to cut against musicians with rabidly loyal fan bases. Even as Spotify continues to attract paying subscribers - the count as of August hovered around thirty-nine million such users - a cloud of uncertainty hovers around the question of the corporation’s long-term viability. No use adding to these public relations woes - which was why reports of a possible data breach proved, surprisingly, to be a refreshing bit of news for Spotify.
On August 31st, users reported receiving email notifications that their passwords had been forcibly reset. While in the past, Spotify has been accused of failing to guard against the theft of user information, the email made it clear that this was a proactive measure: “We believe [your password] may have been compromised during a leak on another service with which you use the same password. Don’t worry! This is purely a preventative security measure. Nobody has accessed your Spotify account, and your data is secure.”
With no indication (thus far) of such a breach of Spotify information, this is good news for online consumers everywhere, and a shrewd precaution that other internet companies should emulate. With the revelations this year that websites like Dropbox, LinkedIn, and MySpace have suffered massive losses of login information at the hands of hackers, it pays more than ever to err on the side of caution: so long as it remains common practice for most internet users to reuse passwords across multiple websites, it will remain possible for thieves to steal a user’s password from one site, then use it to unlock their accounts on dozens more. With the expansion of online firms to service almost any need, from banking to apartment hunting to beef jerky, an unprecedented amount of our personal information resides online - for most of us, atop the flimsy reed of an email address and a favorite password.
It’s not difficult to see how password reuse attacks might constitute one of the most formidable cybersecurity threats facing the online marketplace today. Consider this figure, from Tom Spring at ThreatPost: “The average number of accounts registered to one email account for 25-34-year-olds is more than 40, according credit-checking firm Experian...on average, users had only five different passwords for those accounts.” That Bank of America account? That Hulu password? Your Instagram login information? Have you individually created and memorized random character string passwords for each - or, more likely, entered your pet dog’s name for each, grumbling about onerous password requirements like the use of at least one number? Perhaps you do employ a bit of discretion, employing a cloud manager to keep track of your alphabet soup of passwords. That’s better - unless your password manager should be breached, as happened to the popular LastPass in 2015.
A Chain Reaction
Don’t beat yourself up too much for recycling your login information - it’s human, it’s understandable, and no less a tech wunderkind than Mark Zuckerberg has fallen prey to its consequences. But the results of a password reuse attack can be devastating - a chain reaction of concatenating breaches, with each exposing more and more users to widening data theft.
Consider the circuitous way in which Zuckerberg’s Pinterest account was reportedly hacked. In 2012, a massive breach of LinkedIn data resulted in 117 million accounts being compromised, with millions of usernames and passwords posted online. As Techcrunch reported, “because the passwords were stored as unsalted SHA-1 hashes, hundreds of thousands were quickly cracked,” with no clear indication how many more might be entirely exposed. Security expert Jeremi Gosney deemed it “the largest and most relevant publicly acknowledged password breach in Internet history,” estimating that “if you had a LinkedIn account in 2012, there's a 98 percent chance your password has been cracked.” Among those LinkedIn users victimized, taunted his hackers, was Mark Zuckerberg, who had evidently reused his LinkedIn password when registering for Pinterest.
LinkedIn handled the breach remarkably poorly, failing to level with consumers on the full breadth of the threat until it was exposed by a hacker attempting to sell the data online this summer - four years after the initial theft. Given the prevalence of password reuse, it wasn’t merely LinkedIn that was compromised by the hack; by failing to effectively encrypt the stolen passwords, the firm bequeathed “a massive insecurity legacy by providing hackers with huge amounts of real-world password data to improve their password-cracking abilities.”
This was no mere theory. Among the millions of LinkedIn passwords stolen in the 2012 incident was that of an unnamed Dropbox employee who had reused the same email and password combination for his work account. Using these credentials, hackers accessed the employee’s Dropbox account - and within it, a file containing the credentials for a further 60 million Dropbox accounts. While these passwords were fortunately hashed and salted, stymying a similarly devastating exposure of credentials, Dropbox also wisely undertook a forced password reset for affected accounts this August when the data set reemerged on the dark web.
Why Password Encryption Matters
The online criminal economy features a burgeoning black market for stolen data, in which identity thieves and scammers are eager customers. If this underworld has a major weakness, it is its reliance on access to lightly or unencrypted passwords as the chink in the armor through which they can gain access to more data. Due to effective password encryption, it seems the fallout for Dropbox users was limited - as Motherboard reports, “the Dropbox dump does not appear to be listed on any of the major dark web marketplaces where such data is often sold...the value of data dumps typically diminishes when passwords have been adequately secured.” Likewise, Tumblr, despite losing the credentials of 65 million accounts to a 2013 data breach, could at least take comfort in having thoroughly hashed and salted the passwords - rendering the data set into little more than a long list of emails, sold for a measly $150 on a dark net site. If there is a takeaway here, it is that sturdy password encryption can have a remarkably outsized impact on the ability of hackers to exploit data breaches.
What then can Joe Average do to safeguard their online activity? Unfortunately, the proliferation of unique account registrations across your dozen favorite websites is not going away any time soon. When available, two-factor authentication, of the sort Twitter offers, can protect your credentials behind an extra layer of security - necessitating access to your phone, for example, in order to login. Using randomized, complex, multivaried passwords for each account may not be convenient, but certainly makes the job harder for the bad guys. Regularly updating your passwords is also crucial - if you hadn’t changed your LinkedIn password since 2012, for example, your credentials may have been exposed years later. Judicious use of a password manager can help you keep track of it all - and while cloud-based programs can be compromised, the addition of a thumb drive as a second-factor authenticator can make it extremely difficult for your master password to be cracked. As always, it pays to be proactive. Reports that 200 million Yahoo accounts had been compromised in a data breach were not confirmed by the company, which also did not issue preemptive password changes. When in doubt, why not take the initiative and update your password yourself?
Transparency as a Public Good
While corporations can only do so much to encourage password hygiene among their users, they owe it to their customers to ensure they are as creative and proactive as possible in combating data theft. In each of these “megathefts,” internet firms were typically opaque in sharing details with the public - failing to reveal how many user accounts had been compromised, how well their IT professionals had encrypted stolen passwords, or what credentials hackers had acquired. Transparency on how companies protect information is a practical good for the public, especially as hacks continue to have repercussions years after the crime.
Spotify provides a good example of how an intelligent company might seek to safeguard its user information. As Gizmodo’s William Turton writes, “By analyzing publicly available password dumps against their own user database, Spotify can reset the password of users found in the dump, thus making them safe from a hackers who might exploit people’s password reuse.” It’s smart, it’s practical, and it is a policy that could have far-reaching effects in slowing the spread of data breaches, restraining hackers from leapfrogging across the internet and acquiring the keys to the kingdom.