LastPass, one of the largest commercial password-manager services, announced a data breach in late 2022, acknowledging that the exposed data included backups of customer vaults, which contain usernames/passwords and automated form data. Users' master passwords, which decrypt the vault data, were not exposed and remain with the end users; however, master passwords that do not meet high security-quality standards may be susceptible to brute-force attacks against the stolen vault backups. In the case of NortonLifeLock, it appears that the cause was not a breach of the company itself but account compromises carried out by an unauthorized third party.
These events are consequential because almost every organization will have at least some employees who use third-party password managers to handle corporate credentials, and account compromises of this scale can eventually expose many companies to infiltration and data loss. Businesses should take this opportunity to require employees to change the current access credentials for key accounts, and to audit how password managers are used in order to identify areas of future risk exposure.
Researchers at security firm WithSecure published a report in early January illustrating how the GPT-3 natural-language generation model can be used to make phishing and business email compromise attacks harder to detect and easier to pull off.
Current business security controls for identifying social-engineering attacks rely on detecting specific text or speech patterns that are repeated identically across messages. Natural-language models can evade these existing detection methods by generating an unlimited number of unique variants of the same basic type of communication, or by breaking a solicitation/lure into a dynamic sequence of emails that respond to the target's replies.
Automatic detection of AI-generated text will prove problematic because the same tools are already increasingly used in direct marketing and other more benign communications.
Our predictions for 2023 included ‘growing use of AI in social engineering’ as a strong likelihood. We believe that just as all industries will look to adopt AI tools (like ChatGPT) to help improve their business processes, the same will be true of cybercriminals.
In the first few weeks of January:
- Kentucky, New York, Tennessee, Oregon, and Indiana each submitted (or re-submitted) comprehensive data privacy proposals
- Connecticut, Oregon, West Virginia, Virginia, and New Jersey submitted children's privacy laws
- New York, Mississippi, Washington, and Maryland each introduced separate biometric or health-records privacy acts
- Virginia proposed a range of amendments to the VCDPA, including new oversight of genetic and personal health records
With state data-privacy laws like California's and Virginia's now coming into effect in 2023, other states are increasingly likely to enact me-too laws. Many proposals stalled in 2022 (possibly because legislators prioritized mid-term re-election concerns) but may face lower barriers in the coming year. New biometric-data and health-records regulations in particular may move faster.
Last chance to register for our webinar this week (1/25!) with Rachel Tobac, Ethical Hacker and CEO of Social Proof Consulting, and our very own Rob Shavell, CEO of DeleteMe!
During the webinar, Rachel and Rob will cover:
- Why individuals are losing control of their digital identities and how that’s driving business risk
- The latest techniques hackers are employing for highly targeted phishing and other social engineering attacks (without using any code)
- How new AI-based technology like facial recognition and voice cloning will open up new pathways for bad actors
- What combination of strategies will keep executives and employees safe and mitigate risk for both the individual and the business
DeleteMe in the News
Check out our running log of DeleteMe in the news in 2023.