Jan. 19, 2008 - Password breach notification
Last month, a Clareity staffer was one of hundreds of thousands of people who received an email, phone call, and letter providing breach notification from their long distance company. What had been illicitly accessed? Just the email address, username and password from their online account.
While no 'traditionally' sensitive information, such as bank account or credit card information, could be accessed using that information, the company still had to go through an expensive breach notification process. Why? Because it was possible that the username or email address, in combination with the users' passwords, could have been used to access other sites online where sensitive information could be accessed, purchases made and so forth! This is just another example of why traditional username/password authentication is obsolete.
Thankfully, in this case, the Clareity staffer had been smart and had not re-used passwords between web sites - but it could have been much worse - and was for many others.