
From Boasting to Breach: The Escalating Risk of Your Online Life

  • Grace Howard
  • 3 days ago
  • 3 min read

Imagine Johnny, an AI expert, famous for his globetrotting talks, boasting about racking up over a million Delta miles. Unbeknownst to him, in his audience sits Billy, a tech guru with a less-than-ethical focus – stealing travel loyalty points to sell discounted travel. Billy spots Johnny as a potentially "ripe target" for acquiring real points.


Billy's initial challenge is accessing Johnny's Delta account without knowing his email or password. At this stage, the odds of success are astronomically low, estimated at 1 in 100 billion. Billy, however, collects vast amounts of breach data, compiling a list of over a billion known breached credentials. He could try automating password guesses using this list, but Delta's systems would likely stop him before he got anywhere.


The first critical turn occurs when Billy simply approaches Johnny, expressing interest in a consulting gig and asking for his email. Johnny, unsuspecting, provides it. Now, with Johnny's email address, Billy's odds of taking over the account, even by trying random passwords, improve significantly to 1 in 100 million. But Johnny is still relatively safe, right? "Not even close." Billy immediately checks Johnny's email on services like haveibeenpwned and finds it has been in breaches, which is common for addresses used over time. Knowing the email is in a breach instantly improves the odds to 1 in 10 million, because a staggering 70% of people reuse passwords.


To zero in, Billy uses tools like MalwareBytes to list the specific breaches Johnny's email was involved in. He then ventures onto the dark web, trading data and scouring bulletin boards to acquire the datasets from those identified breaches. Within a day, Billy compiles a list of username and password combinations linked to Johnny's email from these dark web sources. Using this tailored list to try logging into Delta, the odds of compromise shoot up dramatically to 1 in 100.


The story reaches its inevitable conclusion when Billy discovers that one of the breach datasets was from American Airlines, dating back three years. Crucially, Johnny used the same password for all his airline accounts and never changed it. With Johnny's username (his email) and a known, reused password from a breach, the odds of Billy compromising the account become 100%. Billy successfully takes over Johnny's Delta account.


This tale perfectly illustrates a critical theme: compromises have different types, and the risk associated with each type varies significantly. As Johnny's story shows, the likelihood and severity of compromise escalate dramatically based on the information a bad actor possesses.


  • Being compromised randomly by bad actor activity is low risk.

  • Being in an old data breach (over 2 years) carries more risk.

  • Being in a recent data breach is riskier still.

  • Being targeted by a bad actor who knows your email increases risk.

  • Even higher risk is when a bad actor knows your email and has found your password in a known compromise list, especially if you reuse passwords.

  • Knowing your specific email and password combination represents a very high risk.

  • The highest risk described is when a bad actor knows your username, password, and has compromised your email.


For businesses, understanding these different types and their inherent risks is paramount. Crucially, not all credential screening methods are equal, and security actions must match the type and risk level. Applying overly strict security measures designed for high-risk situations (like Billy knowing Johnny's reused password) to a low-risk situation (like someone being in an old breach) creates false positives and unnecessary friction for legitimate users.


By tailoring authentication requirements to the risk level, businesses can ensure low-risk users have a smooth experience while applying strong security measures only when truly needed. This balanced approach improves user satisfaction and effectively safeguards sensitive information, preventing your customers from becoming the next Johnny.
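The risk-tiered response the article argues for, as an added example (not the article's own code): a small Python policy that maps the signals a login service can actually observe from the ladder above (age of the newest breach holding the address, password present in a breach list, the exact email and password pair leaked, mailbox takeover) to a proportionate action, so an old breach alone produces a notice rather than a forced reset. Signal names, action names, the two-year boundary taken from the list above, and the sample population are assumptions.

```python
from dataclasses import dataclass
from enum import Enum
from typing import Optional

RECENT_BREACH_DAYS = 2 * 365   # the article's "over 2 years" boundary between old and recent

class Action(Enum):
    ALLOW = "allow"             # no extra friction for the low-risk majority
    NOTIFY = "notify"           # allow, but tell the user an old breach included their address
    STEP_UP = "step_up_mfa"     # require a second factor before granting the session
    RESET = "force_reset"       # block until the password is changed
    LOCK = "lock_out_of_band"   # a reset e-mail cannot be trusted; recover through another channel

@dataclass
class ExposureSignals:
    """Constructed facts a login service might know about one attempt (hypothetical names)."""
    email_in_breach: bool = False                  # address appears in at least one breach
    newest_breach_age_days: Optional[int] = None   # age of the most recent breach holding the address
    password_in_breach_list: bool = False          # submitted password matches a known-breached one
    exact_pair_leaked: bool = False                # this email+password pair appears together in a dump
    mailbox_compromised: bool = False              # evidence the user's mailbox itself is taken over

def classify(s: ExposureSignals) -> Action:
    """Map the article's risk ladder to a proportionate response, strongest signal first."""
    if s.mailbox_compromised:
        return Action.LOCK
    if s.exact_pair_leaked:
        return Action.RESET
    if s.password_in_breach_list:
        return Action.STEP_UP
    if s.email_in_breach:
        recent = s.newest_breach_age_days is not None and s.newest_breach_age_days <= RECENT_BREACH_DAYS
        return Action.STEP_UP if recent else Action.NOTIFY
    return Action.ALLOW

# Constructed sample population: one login attempt per tier from the article.
SAMPLE = {
    "random_user":     ExposureSignals(),
    "old_breach":      ExposureSignals(email_in_breach=True, newest_breach_age_days=3 * 365),
    "recent_breach":   ExposureSignals(email_in_breach=True, newest_breach_age_days=90),
    "reused_password": ExposureSignals(email_in_breach=True, newest_breach_age_days=3 * 365,
                                       password_in_breach_list=True),
    "johnny":          ExposureSignals(email_in_breach=True, newest_breach_age_days=3 * 365,
                                       password_in_breach_list=True, exact_pair_leaked=True),
    "mailbox_taken":   ExposureSignals(exact_pair_leaked=True, mailbox_compromised=True),
}

def decide_all(population=SAMPLE) -> dict:
    return {label: classify(sig).value for label, sig in population.items()}
```

Calling `decide_all()` shows that only the "johnny" and "mailbox_taken" tiers are blocked, while the old-breach user logs in with a notice instead of the friction the article warns against.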
