
Password Managers Compromised, AI and Social Engineering & More: January 2023 Newsletter

January 23, 2023

LastPass, NortonLifeLock Services Compromised

LastPass, one of the largest commercial password-manager services, disclosed in late 2022 that a breach had exposed backups of customer vault data, which include stored usernames and passwords as well as automated form-fill data. The vault contents are encrypted with a key derived from each user's master password, which LastPass does not hold, so the stolen data is only as safe as that password: a weak or reused master password is susceptible to an offline brute-force attack against the stolen backups. In the case of NortonLifeLock, the company's own systems do not appear to have been breached; instead, individual customer accounts were accessed by an unauthorized third party.

Our Take

These events matter because almost every organization has at least some employees who keep corporate credentials in third-party password managers, and account compromises of this scale can eventually expose many companies to infiltration and data loss. Businesses should take this opportunity to require employees to rotate credentials for key accounts, and to audit how password managers are used in order to identify areas of future risk exposure.

Language-Model AI and Social Engineering; a Cautionary Tale

Researchers at security firm WithSecure published a report in early January showing how the GPT-3 natural-language generation model can be used to make phishing and business email compromise (BEC) attacks harder to detect and easier to carry out.

Many current business defenses against social engineering rely on detecting repeated, identical text or recognizable patterns of speech across messages. Language models sidestep such detection by generating an unlimited number of unique variants of the same basic lure, or by breaking a solicitation into a dynamic sequence of emails that respond to the target's replies.

Automatically detecting AI-generated text will prove difficult, because the same tools are already being adopted for direct marketing and other more benign communications.
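The detection gap described above, as an added example that is not part of the newsletter or of WithSecure's report: a small Python comparison of three detector styles run over constructed lure texts. An exact-signature check (hash of the normalized body) catches only a verbatim repeat of a known lure; a fuzzy similarity check over word sets still catches light paraphrases; a crude intent rule (urgency plus payment language) catches all three wordings regardless of phrasing. The lure wordings, the similarity threshold and the urgency/payment word lists are assumptions made for illustration, not values from the report.

```python
"""Signature vs. fuzzy vs. intent-based detection of a paraphrased BEC lure.

Added example; the message texts below are constructed for illustration
and KNOWN_LURES stands in for a database of previously seen phishing bodies.
"""
from __future__ import annotations

import hashlib
import re

# Constructed: one previously observed wire-transfer lure.
KNOWN_LURES = [
    "Hi, I need you to process an urgent wire transfer today. "
    "Please send the funds to the account below and confirm once done.",
]

# Constructed inbox: a verbatim repeat, two paraphrases of the kind a
# language model produces on demand, and one benign message.
INCOMING = [
    "Hi, I need you to process an urgent wire transfer today. "
    "Please send the funds to the account below and confirm once done.",
    "Hello, could you handle an urgent wire today? Send the funds to the "
    "account below and let me know once it is done.",
    "Quick request: I need an urgent transfer of funds processed today to the "
    "account below, please confirm when complete.",
    "Hi team, the quarterly report is attached. Let me know if you have questions.",
]


def normalize(text: str) -> list[str]:
    """Lower-case, replace punctuation with spaces, split on whitespace."""
    return re.sub(r"[^a-z0-9\s]", " ", text.lower()).split()


def signature(text: str) -> str:
    """Exact-match signature: SHA-256 of the normalized body."""
    return hashlib.sha256(" ".join(normalize(text)).encode()).hexdigest()


KNOWN_SIGNATURES = {signature(t) for t in KNOWN_LURES}


def exact_hit(text: str) -> bool:
    """Fires only when the normalized body is byte-identical to a known lure."""
    return signature(text) in KNOWN_SIGNATURES


def jaccard(a: set[str], b: set[str]) -> float:
    """Word-set Jaccard similarity; 1.0 for identical vocabularies."""
    return len(a & b) / len(a | b) if (a | b) else 0.0


def fuzzy_hit(text: str, threshold: float = 0.35) -> bool:
    """Fires when the body shares enough vocabulary with any known lure.

    The 0.35 threshold is an assumption chosen for this example.
    """
    words = set(normalize(text))
    return any(jaccard(words, set(normalize(k))) >= threshold for k in KNOWN_LURES)


# Assumed lexicons: urgency cues and payment-related terms.
URGENCY = {"urgent", "urgently", "today", "immediately", "asap"}
PAYMENT = {"wire", "transfer", "funds", "payment", "invoice", "account"}


def intent_hit(text: str) -> bool:
    """Fires on urgency + payment language, independent of exact wording."""
    words = set(normalize(text))
    return bool(words & URGENCY) and bool(words & PAYMENT)


def evaluate(messages: list[str]) -> list[tuple[bool, bool, bool]]:
    """Return (exact, fuzzy, intent) verdicts for each message, in order."""
    return [(exact_hit(m), fuzzy_hit(m), intent_hit(m)) for m in messages]


if __name__ == "__main__":
    for msg, (e, f, i) in zip(INCOMING, evaluate(INCOMING)):
        print(f"exact={e!s:5} fuzzy={f!s:5} intent={i!s:5}  {msg[:48]}...")
```

Running the block shows the exact-signature detector flagging only the first message, while the fuzzy and intent checks flag all three lure variants and leave the benign message alone. The intent rule is deliberately crude and will generate false positives in a finance team's normal traffic; in practice it is one signal to pair with sender and domain checks (SPF/DKIM/DMARC alignment, display-name spoofing) and an out-of-band verification policy for any payment or account change.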

Our Take

Our predictions for 2023 included ‘growing use of AI in social engineering’ as a strong likelihood. We believe that just as all industries will look to adopt AI tools (like ChatGPT) to help improve their business processes, the same will be true of cybercriminals.

States are Readying a Flurry of Privacy Bills as Washington Stalls

In the first few weeks of January:

Our Take

With state data-privacy laws such as California's and Virginia's coming into effect in 2023, other states are increasingly likely to enact similar laws. Many proposals stalled in 2022 (possibly because priorities shifted to mid-term re-election concerns) but may face lower barriers in the coming year. New regulation of biometric data and health records in particular may move faster.

Webinar: Personal Data’s Role in Enterprise Social Engineering Attacks

Last chance to register for our webinar this week (1/25!) with Rachel Tobac, Ethical Hacker and CEO of Social Proof Consulting, and our very own Rob Shavell, CEO of DeleteMe!

During the webinar, Rachel and Rob will cover:

  • Why individuals are losing control of their digital identities and how that’s driving business risk
  • The latest techniques hackers are employing for highly targeted phishing and other social engineering attacks (without using any code)
  • How new AI-based technology like facial recognition and voice cloning will open up new pathways for bad actors
  • What combination of strategies will keep executives and employees safe and mitigate risk for both the individual and the business

DeleteMe in the News

Check out our running log of DeleteMe in the news in 2023.

DeleteMe was created in 2010 when we realized the difficulty of navigating privacy issues in today’s interconnected and digital world. Our mission is to provide everyone with the power to control their digital identity.

How does DeleteMe privacy protection work?

  1. Employees, Executives, and Board Members complete a quick signup 
  2. DeleteMe scans for exposed personal information
  3. Opt-out and removal requests begin
  4. Initial privacy report shared and ongoing reporting initiated
  5. DeleteMe provides continuous privacy protection and service all year
