TR-88 - Motivation, procedure and rational for leaked credential notifications

TR-88 - Motivation, procedure and rational for leaked credential notifications

Back to Publications and Presentations

  1. Motivation, Procedure, and Rationale for Leaked Credential Notifications
  2. References
  3. Classification of this document
  4. Revision

You can report incidents via our official contact including e-mail, phone or use the Anonymous reporting form.

Search


CIRCL is accredited TI CIRCL is a FIRST member CIRCL is an OASIS member

Motivation, Procedure, and Rationale for Leaked Credential Notifications

Summary

In today’s digital landscape, protecting user data is essential for every organization. When public data leaks expose customer credentials, it is critical to respond promptly to mitigate risks. This document outlines why CIRCL sends notifications about such leaks and explains the procedure we expect organizations to follow. The goal is to safeguard both the organization’s infrastructure and its customers, while ensuring compliance with legal requirements and maintaining trust.

Motivation

We believe it is both necessary and beneficial for any organization to be informed about public data leaks involving their customers. The main objectives are:

  • To protect the organization’s sensitive information and assets.
  • To help safeguard the customer’s personal data and prevent further misuse.

Procedure

When CIRCL receives information about leaked credentials affecting user accounts for services in Luxembourg, we are committed to promptly informing the impacted service owners. Typically, we compile and share relevant information with the identified contact of the organization. This process relies heavily on the accuracy of WHOIS data, emphasizing the importance of keeping this information current.

We expect the organization to take the following steps:

  • Reset the leaked passwords for the affected accounts.
  • Inform their customers about the breach, advising them to reset passwords on other services where they may have used the same credentials.
  • Investigate potential abuse of leaked accounts, for instance by analyzing login activity for unusual IP addresses or patterns.
  • Notify the CNPD within 72 hours if there is evidence of unauthorized access to accounts, as required by GDPR. Such incidents are classified as data breaches and must be reported accordingly.
  • Improve Authentication and Auditing if MFA (Multi-factor authentication) is available, we recommend to enable MFA for the users accessing the organization’s infrastructure.

Rationale

While we understand the operational and financial implications of handling security notifications, prioritizing data protection is essential for both the organization and its customers. As the CERT for Luxembourg’s private sector, operating under NIS regulations, our goal is to minimize the economic and reputational damage of security incidents while ensuring regulatory compliance.

Here are the key reasons why this approach is critical:

  • Legal Obligations: Organizations have a legal duty to protect customer data. Unauthorized access must be reported to the CNPD within the 72-hour window required by GDPR. Failing to do so can lead to significant legal penalties.

  • Customer Trust: Customers are more likely to trust notifications from their service provider rather than from a third-party CERT. Direct communication from the organization can reassure users and prompt them to take action, such as resetting their passwords. Additionally, the organization can automate mass password resets and provide tailored guidance, further reducing risks to its infrastructure and customers.

  • Direct Contact Limitations: In many cases, the leaks lack customers’ email addresses and contain only user names, limiting our ability to notify users directly. Organizations, however, have this access and can communicate with their customers more efficiently and effectively.

  • Proactive Security: Organizations should take immediate actions such as resetting passwords, notifying users, and conducting forensic investigations into potential breaches. Early and decisive action helps identify compromised accounts and limits further exposure, improving overall security posture. Incorporating these steps into regular risk assessments and technical controls is a proactive way to ensure readiness for potential incidents.

In conclusion, we believe that involving organizations in the communication process with their customers is the most effective strategy. This ensures compliance with legal obligations, maintains customer trust, and allows for a more comprehensive investigation of potential risks to the organization’s infrastructure.

References

Classification of this document

TLP:CLEAR information may be distributed without restriction, subject to copyright controls.

Revision

  • Version 1.0 - TLP:CLEAR - First version - 29th August 2024