The JPMorgan Chase & Co breach is being called the worst known compromise in history, affecting approximately 76 million households and 7 million small businesses -- and worsening with new information.
Challenging Chase's assurances that limited customer information was obtained, forensics firm Night Lion Security told ZDNet that a significant number of customers are at larger risk of password compromise due to the information in databases obtained by the attackers.
Night Lion's founder Vinny Troia told ZDNet, "if you have email addresses and you know which of JPMorgan’s services those email addresses are associated with (checking account, mortgage, credit card, etc), you can do a simple lookup against your database of five billion stolen username/password combos."
Update October 3, 5:15pm PST: According to Trish Wexler, spokesperson for JPMorgan Chase, they say Mr. Troia's example is too simplistic. The spokesperson refuted Troia, saying that Chase does not allow an email address to be used as a username. Further, she elaborated that if a customer tries to log in from a new device, the system requires another level of authentication.
But, JPMorgan said to ZDNet, consumers should consider it a good idea to use a different password for banking to further reduce risk. This sends a curious message in light of the fact that JPMorgan Chase is currently telling customers they don't need to change their passwords -- something that flies in the face of conventional wisdom for consumer protection in any data breach.
This is fine, Troia said, as long as customers haven't used their email handle as their username. Those that have will be in the danger zone, because it's not difficult to write a script to cross-check and pull those accounts out for further exploitation.
Clearly, Chase's assurances are for some, not all customers. The company -- one of the largest banks in the US -- has said there's no evidence that account numbers, passwords, user IDs, Social Security numbers or birth dates were exposed; in addition, JPMorgan has not seen any "unusual customer fraud related to this incident."
Troia said that customers are only as safe as JPMorgan Chase says -- if customers haven't reused their passwords across Chase services, or if they have two-factor authorization turned on.
However, most people reuse passwords and few have two-factor turned on -- because both extra steps make it less easy for customers to use the service.
Troia said to ZDNet, "If people were more diligent about not reusing passwords, or setting up 2FA (which Chase DOES offer), then this wouldn’t really be much of an issue." He noted,
Unfortunately, the reality is that there will be more than a few people that have their password in that database and also use their same password to access their chase account.
Further, Troia explained to ZDNet, "The database of stolen passwords is common knowledge as well. So think about it from the perspective of a thief." He continued:
If you steal everyone's passwords then the company will force everyone to change them and it becomes completely worthless.
So instead, you take the other pieces of information; the two most important being the email address and associated service. Now the thieves can just pair the email address against their 1.2 billion email/password database, and there will be more than a few matches.
And a good number of those people will have recycled passwords because that's just what people do. So the theft of 76 million JPMorgan accounts is actually worth infinitely more without the passwords.
According the Guardian, "The attack was under way for a month before it was discovered in July." When disclosed in August, it was estimated that one million accounts had been compromised.
A SEC filing revealed Thursday that in fact the personal information of 83 million accounts were exposed when JP Morgan Chase's computer systems were hacked into. The exposed database, Chase says, consists of customer names, addresses, phone numbers and e-mail addresses.
It's being widely reported that the entry point was through a compromised app used by the company, but details are not being reported sensibly, so it remains to be seen at this time what the facts around the breach actually are.
Reuters reports, "The people affected are mostly account holders, but may also include former account holders and others who entered their contact information at the bank's online and mobile sites, according to a bank spokeswoman."
Bizarrely, JPMorgan is telling on its website that it doesn't think they need to change their passwords or account information.
Company spokeswoman Patricia Wexler told Reuters that "the bank is not offering credit monitoring to its customers because no financial information, account data or personally identifiable information was compromised."
As news of the breach travels, security consultants seem to be disagreeing with JPMorgan.