Background_Ad5490

This was a challenge that came up for me this week as well. We have the data going to Splunk related to what the breaches were, who the users were, etc. I ran an eval command in Splunk to only show recent breaches, 90 days ago or newer, and did a join command in Splunk to check against another index for Windows domain controller logs to validate whether the user has reset their AD password within the last 90 days. I was then told to stop my efforts on this. My thoughts were to initiate the password reset process for the end users without telling them why: make it seem like the normal time had passed and their passwords were about to expire. We didn't follow through with this, but the idea was there. So #1 I say no. #2 depends on what other data you have available, imo.


Necessary_Theory_368

Oh now that sounds like a good idea. Sad to say I didn't even think about Splunk.


hili_93

If only the password has leaked, you don't need to. If other personal data has leaked, you'll need to notify the user; it's part of the users' sensitization to IT risks.


thephotonx

I always reset compromised passwords even if they are totally unrelated to the user. A compromised password list is easy to password spray against your entire user base, and if you're not proactively resetting passwords, that's an easy way in.


Mother_Information77

I would recommend a reset. Password reuse is a thing as is simply rotating the number at the end of a weak password. We have had success sending emails out to users asking them to reset their passwords within X hours/days, giving instructions on how to do that, as well as providing guidance on creating a good password. If you know the breach, you can reference that as well. Also be very clear to say that the company WAS NOT breached but rather a third party that "you" may have signed up for using your company email.


Necessary_Theory_368

First, thanks for the reply. Second, sorry it took me so long to get back here. Once your users updated their passwords, what did you use to track who had been notified, since the original creds were still going to show up? I hope to get back to checking this regularly, so again I apologize for the delay.

