Companies obscuring breach risks with assurances of secured financial data

Hackers are slipping off with what they really came for — record numbers of password hashes and email addresses.

"No financial information was accessed."

Another hack, another vendor placating victims with this simple phrase that ignores the fact that hackers are actually stealing the data they want — password hashes and email addresses.

In reality, the credit card is passé. It is protected by a liability structure that, at most, leaves the victim with a $50 hole in their life. The financial industry long ago figured out how to minimize this threat. Hackers know it as a short-term gain.

But the market for personal data has no such liability nets. And the benefits of matching user accounts with re-used passwords can be a long-term fountain of gain as attacks take on many layers and play out over a number of years.

The release today of Verizon's annual data breach survey shows that 76 percent of network intrusions exploited weak or stolen credentials.

The latest use of the "financial information" phrase comes from Wargaming, which operates the online game World of Tanks. The company says that it suffered a "security incident" and even went as far as offering 300 units of game credits to motivate users to change their passwords (thus proving that passwords have value).

"Some password hashes and email addresses may have been affected by the compromise," the company said. But the real danger lies in the next warning that urges users to change their passwords. "If you have been using your old Wargaming ID password on other sites, we strongly recommend that you change those passwords, too."

This is becoming the familiar wording that end-users should heed. Personal information is a stepping-stone to other attacks — typically, on more lucrative sites such as banks or corporate networks.

Last year, Best Buy confirmed that hackers were attacking its online retail site using credentials stolen from other sites. In other words, hackers were re-using passwords, just like their victims were.

A September 2012 survey by fraud detection vendor CSID showed that 61 percent of respondents were re-using passwords across multiple sites.

And hackers who steal those passwords are sharing them. There are numerous online forums dedicated to sharing breached personal information, or to seeking assistance in cracking hashed passwords.

Today's graphics cards have given hackers the power to try billions of combinations per second when cracking passwords. From the results, hackers also build dictionaries that speed future password cracking efforts and help conserve resources for the really tough password hashes.

The bottom line is that your financial data, i.e., your credit card, leads down only one path, and that path already has other safeguards in place.

Cracked passwords undermine security on a number of paths that can lead to more lucrative destinations that you or your employer wants to protect.