Buffer, a social media scheduling service, found itself on the receiving end of a data breach back in October. The attackers got in through the company's third-party database hosting provider. The breach exposed the credentials Buffer stores for user accounts (the access tokens it uses to post on users' behalf), and the attackers used them to push spam posts to those users' social media accounts.
This breach highlights two things that service providers and their third-party vendors need to take seriously. First, a provider that outsources parts of its stack must ensure those vendors follow security practices at least as strong as its own: a vendor's compromise is the provider's breach, with the same consequences for business continuity and reputation.
More importantly, the database holding user credentials must itself be protected, and "encrypted" has to mean more than encrypted on disk, because an attacker who reads the database through an application or support tool with legitimate access sees plaintext either way. There are two ways to protect the stored secrets. The first is to encrypt the values themselves. A secret the service must later read back, such as an access token it presents to another site, should be encrypted with a strong cipher such as AES-256, with the key held outside the database (in a key-management service or on the application host). An attacker who dumps such a database walks away with ciphertext they cannot use; the protection is only as good as the separation between the data and the key.
Brute-forcing AES-256 is not a realistic attack. There is a good table in the EE Times that lays out the key sizes and how long an exhaustive key search would take; for AES-256 it runs to billions or trillions of years even for a hypothetical machine far faster than anything that exists. The practical point is that an attacker holding a database dump will not recover the key by computation, so the only path left is to steal it, which is exactly why the key must live somewhere a database compromise does not reach.
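As an added example (not code from the original post, and not Buffer's own implementation), the following Go program shows the first option: encrypting a stored access token with AES-256-GCM before it is written to the database, with the key supplied from outside the database. The type and function names (`TokenVault`, `Seal`, `Open`) and the stored record layout are assumptions made for this example; the sample token is constructed.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"encoding/base64"
	"errors"
	"fmt"
)

// TokenVault encrypts secrets the service must later read back (OAuth access
// tokens, API keys) before they are written to the database.
// Assumption: the 32-byte key is loaded from a KMS, HSM or at least an
// environment variable on the application host, never from the database
// itself, so a dump of the database yields only ciphertext.
type TokenVault struct {
	aead cipher.AEAD
}

// NewTokenVault wraps a 32-byte key in AES-256-GCM, which authenticates as
// well as encrypts, so a tampered row is rejected instead of decrypting to garbage.
func NewTokenVault(key []byte) (*TokenVault, error) {
	if len(key) != 32 {
		return nil, errors.New("AES-256 requires a 32-byte key")
	}
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	aead, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	return &TokenVault{aead: aead}, nil
}

// Seal encrypts plaintext under a fresh random nonce and binds the ciphertext
// to userID as associated data, so a ciphertext copied from one user's row
// into another's fails to decrypt. Stored form: base64(nonce || ciphertext || tag).
func (v *TokenVault) Seal(userID string, plaintext []byte) (string, error) {
	nonce := make([]byte, v.aead.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return "", err
	}
	sealed := v.aead.Seal(nonce, nonce, plaintext, []byte(userID))
	return base64.StdEncoding.EncodeToString(sealed), nil
}

// Open reverses Seal. It fails if the row was tampered with, truncated, or
// attached to a different user than it was sealed for.
func (v *TokenVault) Open(userID, stored string) ([]byte, error) {
	raw, err := base64.StdEncoding.DecodeString(stored)
	if err != nil {
		return nil, err
	}
	ns := v.aead.NonceSize()
	if len(raw) < ns+v.aead.Overhead() {
		return nil, errors.New("stored value too short to be a sealed token")
	}
	return v.aead.Open(nil, raw[:ns], raw[ns:], []byte(userID))
}

func main() {
	// Demo key generated in memory; a deployment loads it from its key store.
	key := make([]byte, 32)
	if _, err := rand.Read(key); err != nil {
		panic(err)
	}
	vault, err := NewTokenVault(key)
	if err != nil {
		panic(err)
	}
	// Constructed sample token standing in for a real access token.
	stored, _ := vault.Seal("user-42", []byte("access-token-for-user-42"))
	fmt.Println("stored in database:", stored)
	token, err := vault.Open("user-42", stored)
	fmt.Printf("recovered by app: %s (err=%v)\n", token, err)
	_, err = vault.Open("user-99", stored)
	fmt.Println("same row under another user id:", err)
}
```

The associated-data binding is the detail worth copying: without it, an attacker with write access to the table could move a sealed token from one user's row to another and have the application decrypt it for the wrong account.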
The other option, preferred by those with deep security roots, is to never store passwords at all. A password only needs to be verified, never read back, so the database should hold a salted, deliberately slow one-way hash of it (bcrypt, scrypt or PBKDF2), and a login is checked by hashing the submitted password the same way and comparing. Even with the whole table in hand, an attacker must guess each password and pay the full hash cost per guess. The qualifiers matter: a plain fast hash such as unsalted MD5 or SHA-1 does not deliver this, because common passwords fall to precomputed tables and dictionary attacks in seconds.
Following whichever of these practices fits the secret (encryption for credentials the service must use on the user's behalf, hashing for passwords it only ever verifies) is the most effective way to limit what a database compromise exposes. Had the credentials in Buffer's hosted database been protected this way, the attackers would have walked away with unusable ciphertext or hashes instead of working credentials, and the spam campaign that followed could potentially have been avoided.