NVIDIA Breach Illustrates the Importance of Securing Employee Passwords

NVIDIA Breach Illustrates the Importance of Securing Employee Passwords

The NVIDIA security breach resulted in tens of thousands of employee login credentials being leaked online. Threat actors also made off with mass quantities of highly confidential business information, including code signing certificates and what appears to be source code for the company’s Deep Learning Super Sampling (DLSS) technology.

Common Methods for Stealing Employee Credentials

Verizon estimates that over 80% of successful data breaches involve compromised login credentials. How do threat actors get hold of these credentials to begin with? Here are some common methods:

Brute-force attacks

“Brute-force” is an umbrella term for automated password-related attacks, including credential stuffing and password spraying. In a brute-force attack, cybercriminals purchase a list of previously compromised passwords on the DarkNet, or alternatively, they download a free list of common passwords, like qwerty and password123. Then, they use bots to try these passwords on as many sites as possible. Brute-force attacks leverage the fact that many people reuse passwords across multiple accounts.

Targeted/surgical attacks

In a targeted or surgical attack, cybercriminals select specific individuals at an organization to target, then search social media networks for information about potential victims, such as their birthdays, favorite vacation spots, hobbies, and names of their children, spouses, or even pets. Then, they use this information to try to crack each target’s password. This type of attack takes advantage of the fact that many people use passwords containing personal information, such as their children’s birthdates or their spouse’s name, which is easily available on social media.

Phishing/social engineering

Phishing involves a cybercriminal stealing credentials directly from a victim, often by sending them an email or text message with a malicious link that either directs the victim to a phishing site, where they’re prompted to enter their login credentials, or downloads keystroke-logging malware onto the victim’s device, often without the victim noticing.

SIM Swapping

SIM swapping, also known as SIM hijacking, SIM jacking, or SIM splitting, a new type of account takeover (ATO) attack that is rapidly increasing in frequency. In this type of attack, a threat actor gets a victim’s mobile phone number transferred to a new SIM card. The threat actor then inserts it in a new device and takes over all of the victim’s online accounts and apps.

Prevent your company from becoming a victim of these cyberattacks with Keeper.

Start Free Trial

Preventing Password-Related Cyberattacks

The NVIDIA breach illustrates how just one stolen password can bring down tens of thousands, even millions of dollars worth of cybersecurity defenses. Password-related cyberattacks are going to keep happening, to companies of all sizes, because cybercriminals know that too many organizations lack comprehensive password security controls.

To prevent this from happening to your organization, take these defensive steps:

  • Don’t allow employees to make up their own passwords. Require them to use strong, unique passwords for every online account and application.
  • Require employees to enable multi-factor authentication (2FA) wherever it’s supported. This way, even if a cybercriminal steals the employee’s password, it’s useless without the second authentication factor.
  • That said, to prevent a SIM swapping attack, avoid using phone and SMS-based 2FA. Use a TOTP code or a hardware-based FIDO2 key.
  • Enforce these policies, and make them easier for employees to follow, by deploying an enterprise-grade password security platform like Keeper.
  • Implement a zero-trust network access architecture to include role-based access control (RBAC) with least-privilege access and privileged access management (PAM).

Keeper’s zero-knowledge password management and security platform gives IT administrators complete visibility into employee password practices, enabling them to monitor password use and enforce password security policies across the entire organization, including password complexity requirements, 2FA, RBAC, and other security policies.

Not a Keeper customer yet? Sign up for a 14-day free trial now! Want to find out more about how Keeper can help your organization prevent security breaches? Reach out to our team today.