In the wake of the recent Plex data breach, I've seen fellow cybersecurity and tech industry folks giving the usual good advice: Change your passwords, check Have I Been Pwned, use a password manager, and enable MFA. But here's the thing about that last bit: What if you had MFA enabled BEFORE the breach?
It's surprising as all hell to me that we as security professionals seem to completely gloss over that last bit every time there's a breach. With that said, it's something I've been paying attention to a lot more recently whenever a service or platform I use ends up being compromised. Whenever a breach happens, I always take the extra step to disable and re-enable MFA for the affected account. Why? Simple. MFA uses shared secrets. Those secrets, like any other piece of static information, can be stolen.
Having said that, another question I have to ask myself as someone who also develops software that other folks will eventually have to interact with, perhaps the onus should be on developers and software architects to design their authentication and security workflows in such a way that passwords and shared secrets are automatically invalidated once a breach has been discovered. Food for thought, I suppose.
In the meantime, here is my personal advice, both for anyone who's fallen prey to this, or any other data breach but also just as general security hygiene.
General Security Hygiene
- If you aren't already (and you damn well should be), use a Password Manager. My personal favourite is 1Password, but Dashlane and Bitwarden are both great as well. Avoid LastPass, however; their track record for security incidents is not great.
- Use MFA wherever possible, strongly prefer comparable services which employ it over those that do not.
- With regards to MFA, prefer comparable services which employ TOTP tokens, physical tokens (such as Yubikey) or mobile app push notifications over SMS messages, which are not as secure.
- If a site is asking for credentials or PII, and they aren't doing something as basic as employing HTTPS, walk away. It's 2022, Let's Encrypt is a thing that's been around long enough now to be accepted by the world at large. There is no excuse anymore for insecure websites.
What To Do After a Breach Occurs
The top three things you SHOULD be doing after a breach occurs are as follows:
- Change your password. This should be obvious.
- Invalidate your MFA token by disabling and re-enabling MFA in the settings for the affected account.
- If you have any payment card information stored in the affected account, cancel or freeze those cards.
Additionally, you may want to also do the following:
- If you use any sort of third-party payment processor with the affected account, such as PayPal, ensure those credentials are changed as well.
- If the affected account is also acting as an authentication source for OTHER services (i.e. "Sign in using Google, Apple, Facebook, et al"), disconnect those services from the affected account.