With the rise of genAI, it’s time to follow Apple’s Security Recommendations
Thursday March 27, 2025, 10:21 PM, from ComputerWorld
Apple’s Safari browser has a really useful password management feature, which is now also available as a standalone app called Passwords. If you’ve ever taken a look at it, you may have seen a section called Security Recommendations where you’ll find a collection of all the accounts and passwords that might have been compromised.
If you haven’t already, it’s time to take those collections seriously, because generative AI (genAI) adoption means the scale and nature of the threats posed by purloined passwords and broken IDs is about to grow far greater. That’s because, armed with stolen emails and passwords, criminals will find it relatively easy to throw those credentials at the most popular online services.
If they know you, they know you
They do this already, of course. If you have a known email address and password you still use that is now being sold on the dark web (for about $10 a collection), it’s a no-brainer for attackers to try it out on a range of different services. Sometimes they may get lucky.
Augmented efficiency just means that using genAI, those same attackers can plough through more of these credentials even more swiftly, enabling them to trundle through huge collections of stolen accounts and passwords fast.
Stolen credentials were the big attack vector last year, according to Verizon, and were used in around 80% of exploits. There are around 15 billion compromised credentials available online.
The vast majority of these are useless, which means credential stuffing attacks might not generate much of a success rate. When they do succeed, most victims learn from the experience and secure everything pretty quickly, meaning a very small number of that 15 billion are truly vulnerable. All the same, from time to time they get lucky. And getting lucky now and then is what makes that part of the account login exploitation industry tick.
Money in the middle
These attacks generate millions of dollars of losses every year. With billions on the planet, there’s probably another fool coming in a minute or two, and you don’t want it to be you. That’s why you should spend a little time and audit Apple’s Security Recommendations regularly, as you don’t want a service you use that happens to have its hooks on your personal, payment, health, or other valuable data to be abused.
That’s true for everyone, but for enterprise users there’s a dual challenge. We all know that employees (including business owners) are and will always be the biggest security weakness in the system. The phishing industry has evolved to exploit this. But that tendency is equally threatening when it comes to account IDs, and together poses a double-whammy threat once empowered by AI.
How many company-related accounts have slipped and to what extent do these two vulnerabilities work together? If someone at Iworkatthisbusiness.com foolishly used their work email and complex work password to secure their access to trivialbuthackedwebsite.com, how long might it be until someone figures that out and sees if they can use this data to crack your corporate systems?
Phisherman’s blues
These attacks don’t even need to be that smart; they can simply be used to analyze personal patterns to help craft super-effective phishing attacks against specific targets. Really sophisticated attackers could turn to a little agentic AI to gather any available social media data on entities they designate as ripe for attack, helping them create really effective phishing emails — Spear AI, as it may one day be recognized.
Artificial intelligence will help with all of this. It’s really good at identifying patterns in disparate data sets, and analyzing the data that’s already been exfiltrated into the world will be a relatively trivial task — it all just comes down to the questions the machines are asked to answer. They can even use identified patterns in passwords to predict likely password patterns based on user data for brute force attacks. I could go on.
Passwords are not the only fruit, of course. If you are wise you’ll be using 2FA security and/or Passkeys on all your most important websites, and certainly to protect any with access to your financial details or payment information.
Along with different forms of biometric ID, the industry is shifting to adopt more resilient access control systems — though, of course, subverting those systems is just a new challenge in the cat-and-mouse security game. Only recently, we learned of a new AI attack designed to compromise Google Chrome’s Password Manager, and there will be more attacks of this kind. That’s even before you consider the significance of attacks made against enterprise AI in their own right.
Death to security complacency
The main takeaway is this: You should act on the warnings given to you by Apple’s Security Recommendations tool. You should avoid re-using passwords, no matter where. You should use a Password Manager and other forms of security, such as 2FA, and you should very much beware if you receive an email from a trusted source that contains a link to something that sounds like it was made for you; chances are, it was.
Most of all, I want you to check the credentials that have been leaked, change them, close accounts, and delete payment information from any service you don’t intend to use again. As a person or enterprise, you certainly need to build a response plan for what to do if an account is compromised, or suspected to be compromised; security training even for your most experienced employees is almost certainly going to be of value.
Most of all, never, ever use one of these passwords.
Alternatively, ignore Safari’s friendly warning and leave yourself open to having your genuine account credentials sold online for up to $45 a time.
Why not take the time to secure your accounts? The tools are right there in your browser. What are you waiting for?
https://www.computerworld.com/article/3855526/with-the-rise-of-genai-its-time-to-follow-apples-secur...