Though data breaches have the potential to expose corporate secrets, finances, and intellectual property to prying eyes, a more insidious problem for the enterprise is the issue of leaked credentials.
Email and network usernames, passwords, and related information may also form a major part of the corporate data leakage that follows a serious breach. And since these identifiers may be used across a range of platforms outside the enterprise itself, their exposure risks the escalation of potential damage. This applies both to the individuals concerned, and to the organizations that they work for.
Leaked Credentials – A Very Real Problem
The credential monitoring firm VeriClouds recently published a report highlighting the presence of credentials from Fortune 500 employees, discovered in account leaks posted online. Drawing from a pool of 8 billion stolen credentials gathered over three years, the study compared the total number of employees in each Fortune 500 company against the number of unique credentials for each company identified online in data leaks.
On average, credentials belonging to 10% of each Fortune 500 company's employees were found in some form of data breach. In the telecommunications sector the figure was an alarming 23% of employee email accounts, with the energy and financial sectors at 18% and 17% respectively.
Another recent report suggests that leaked employee credentials are available online for 97% of the top 1,000 global companies, many of them stemming from third-party data breaches. The research, conducted by Digital Shadows, found that the single largest source was the 2012 LinkedIn breach, whose full user database surfaced online in 2016; that one incident accounted for over 1.6 million credentials belonging to the 1,000 companies studied.
The most often cited example of the severity of such leakage was the release on the Dark Web in late 2017 of a single 41-gigabyte database file containing 1.4 billion username and password combinations. Security researchers at 4iQ, who discovered the file, found that it held plaintext credentials aggregated from a range of earlier breaches, including LinkedIn, Netflix, MySpace, the Zoosk dating site, adult website YouPorn, and the Minecraft and Runescape gaming platforms.
“So what?” you might ask. It’s just an internal problem for the companies concerned.
Not true. The online presence of enterprise email credentials and other employee data represents a potential treasure trove for fraudsters, identity thieves, account hijackers, extortionists, and cyber-criminals of every kind. The threat is magnified by a number of factors which extend the leakage beyond the corporate firewall and supply chain ecosystem to the world at large.
Leaked Credentials – The Issue of Third-Party Platforms
Despite the best will and the tightest security policies in the world, it’s often impossible to restrict the use of corporate credentials to internal applications and processes. Job titles, personal identifiers, and work email addresses must of necessity be used when dealing with external agencies like suppliers, vendors, financial institutions and payment platforms.
With the cloud and “as a Service” economy continuing to expand, the use of corporate credentials for maintaining third-party accounts has become a business requirement. So too is the use of these credentials on social media platforms, for marketing purposes and customer engagement.
Security lapses and data breaches affecting any of these third-party agencies have the potential to cause enterprise credentials to be leaked. And that’s only from the legitimate business use of employee credentials on various platforms.
Leaked Credentials – The Trouble With Passwords
Employees will often use their job titles, work email addresses, and other business-related information when engaging with social media, payment platforms, and other open venues for purposes other than those strictly related to their jobs. It’s this kind of activity which in some part explains the prevalence of corporate credentials in data breaches discovered at websites like the Ashley Madison “infidelity dating” agency.
Besides the potential for embarrassment and extortion that such individual indiscretions create for the enterprise, leaked credentials make their way online far more often through the everyday practice of poor password management.
In many instances, employees will use a few close variants of one password across multiple online accounts – from “Johndoe1” to “JohnDoe2” or “JohnDoe123” and so on. A set of two or three barely different passwords may be used across email, banking, online purchases, and other activities.
The leakage of one set of credentials may give cyber-criminals enough information to reconstruct a complete digital identity for a single person. Guessing and trying likely variations of those credentials – a routine, automated step in credential-stuffing and password-cracking tools – may give them access to numerous accounts, both inside and outside the victim's corporate environment.
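The variant guessing described above, as an added example that is not part of the original article: a small mangling ruleset of the kind cracking tools apply, run from one leaked password against a constructed set of this person's other accounts. The rule lists, the site names and the unsalted SHA-256 storage scheme are assumptions chosen for the illustration, not data from the article.

```python
import hashlib
import re

# Rules of the kind password-cracking tools apply to a known password.
# Both lists are assumptions for this example, not a real ruleset.
COMMON_DIGIT_RUNS = ["1", "12", "123", "1234", "2017", "2018"]
COMMON_SUFFIXES = ["!", "1", "123", "2017", "2018"]


def _rules(password):
    """Yield one-step variants of a password (case flips, digit bumps, suffixes)."""
    base, digits = re.match(r"^(.*?)(\d*)$", password).groups()
    yield password.lower()
    yield password.upper()
    # flip the case of a single letter: Johndoe1 -> JohnDoe1
    for i, ch in enumerate(password):
        if ch.isalpha():
            yield password[:i] + ch.swapcase() + password[i + 1:]
    # bump or drop a trailing number: Johndoe1 -> Johndoe2, Johndoe
    if digits:
        yield base + str(int(digits) + 1)
        yield base
    # swap the trailing number for a common run: Johndoe1 -> Johndoe123
    for run in COMMON_DIGIT_RUNS:
        yield base + run
    # append a common suffix: Johndoe1 -> Johndoe1!
    for suffix in COMMON_SUFFIXES:
        yield password + suffix


def mangle(password, max_depth=3):
    """Apply _rules up to max_depth times; return every distinct variant."""
    seen = {password}
    frontier = [password]
    for _ in range(max_depth):
        next_frontier = []
        for candidate in frontier:
            for variant in _rules(candidate):
                if variant not in seen:
                    seen.add(variant)
                    next_frontier.append(variant)
        frontier = next_frontier
    return seen


def crack_with_variants(leaked_password, accounts, max_depth=3):
    """Try every variant against a set of unsalted SHA-256 password hashes.
    Returns {site: recovered_password} for each hit."""
    candidates = mangle(leaked_password, max_depth)
    lookup = {hashlib.sha256(c.encode()).hexdigest(): c for c in candidates}
    return {site: lookup[h] for site, h in accounts.items() if h in lookup}


# Constructed sample: one person's accounts on four sites, all storing
# unsalted SHA-256 (weak, but still seen in the wild). The attacker knows
# only the first password, say from a public dump.
SAMPLE_ACCOUNTS = {
    "mail.example": hashlib.sha256(b"Johndoe1").hexdigest(),
    "bank.example": hashlib.sha256(b"JohnDoe2").hexdigest(),
    "shop.example": hashlib.sha256(b"johndoe123!").hexdigest(),
    "forum.example": hashlib.sha256(b"orbit-lantern-quiet-gravel").hexdigest(),
}

if __name__ == "__main__":
    hits = crack_with_variants("Johndoe1", SAMPLE_ACCOUNTS)
    for site, pw in sorted(hits.items()):
        print(f"{site}: {pw}")
    print(f"{len(SAMPLE_ACCOUNTS) - len(hits)} account(s) survived")
```

Three of the four accounts fall to a few thousand guesses derived from the single leaked password; only the account with an unrelated passphrase survives, which is the whole argument for unique passwords per service.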
Expanding Horizons for Attack
The information within a leaked credentials document may include a full spectrum from dates of birth, email addresses, names, phone numbers, passwords, security questions (with answers), and physical addresses, to more specific data like ethnicity, gender, sexual orientation, relationship status, payment histories, and website activity.
Leaked credentials may be exploited by cyber-criminals in a number of ways. Account hijacking, identity theft, extortion schemes, and spear phishing campaigns are among the most common. And with the reuse of passwords across multiple accounts or platforms, the “expiration date” for credentials leaked months or even years before may be greatly extended, allowing attackers to benefit from the wealth of information available to them online, for years to come.
The release of leaked credentials online makes these resources available for exploitation by perpetrators of all kinds – ranging from individual fraudsters through to nation state actors and organized criminal or terrorist networks. With the expansion of corporate networks to include cloud-based platforms and an ecosystem of supply chain partners, there’s scope for using compromised credentials to gain access to a huge selection of individuals, organizations, and resources.
Effective Strategies for Defense
For individuals and corporations, an effective defense must start with the basics of strong password creation and management. The enterprise can assist in this by drawing up firm guidelines for the generation and storage of passwords and personal credentials, and for their prompt rotation whenever a leak is suspected. The use of password manager applications, which make a unique password per service practical, should be actively encouraged in this regard.
Given the password reuse problem, security policies should include restrictions and penalties concerning the use of enterprise email addresses and other work-related credentials for non-business purposes, and the use of variants of any of these across different services or platforms.
Multi-factor authentication should be actively enforced across all internal and third-party software, infrastructure, and platform service accounts, as an added layer of security defense.
Since in many of the more notorious cases of credential leakage the records reached attackers in plaintext, or hashed with fast, unsalted algorithms that are little better, how credentials are stored must be treated as a priority: passwords should never be kept in the clear or reversibly encrypted, but hashed with a per-user salt and a deliberately slow function such as bcrypt, scrypt or Argon2. The Ashley Madison breach is the cautionary example. The site did use bcrypt for its passwords, but it also stored an MD5-based login token derived from each password, and that shortcut let researchers recover millions of passwords in a matter of days. Fast hash functions like MD5 have no place in password storage, and this lesson of history should be taken on board when selecting cryptographic algorithms.
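The difference between a fast unsalted hash and a salted, memory-hard one, as an added example that is not code from the original article: the same three users stored both ways, then attacked with a dictionary. The user names, passwords, wordlist and scrypt parameters are assumptions for the illustration; scrypt is used here because it ships in Python's standard library, but bcrypt or Argon2 make the same point.

```python
import hashlib
import hmac
import os

# Constructed cracking dictionary; real ones hold hundreds of millions of entries.
WORDLIST = ["123456", "password", "qwerty", "letmein", "Johndoe1"]

# Assumed parameters: n=2**14, r=8 costs about 16 MiB of memory per guess.
SCRYPT_PARAMS = dict(n=2**14, r=8, p=1, dklen=32)


def md5_store(password):
    """The weak scheme: fast, unsalted. Equal passwords give equal digests,
    so one precomputed table cracks every user in the database at once."""
    return hashlib.md5(password.encode()).hexdigest()


def md5_crack(stored, wordlist):
    """Build the dictionary table once, then match it against all users."""
    table = {md5_store(word): word for word in wordlist}
    return {user: table[d] for user, d in stored.items() if d in table}


def scrypt_store(password, salt=None):
    """The strong scheme: per-user random salt plus a memory-hard KDF.
    Returns 'salt$key' in hex; the salt is not secret, only unique."""
    salt = salt if salt is not None else os.urandom(16)
    key = hashlib.scrypt(password.encode(), salt=salt, **SCRYPT_PARAMS)
    return salt.hex() + "$" + key.hex()


def scrypt_verify(password, stored):
    """Recompute with the stored salt; compare in constant time."""
    salt_hex, key_hex = stored.split("$")
    key = hashlib.scrypt(password.encode(), salt=bytes.fromhex(salt_hex),
                         **SCRYPT_PARAMS)
    return hmac.compare_digest(key.hex(), key_hex)


def compare_schemes():
    """Store the same users both ways and run the same dictionary attack.
    Returns (md5_hits, scrypt_hits)."""
    users = {"alice": "Johndoe1", "bob": "letmein",
             "carol": "orbit-lantern-quiet-gravel"}
    md5_hits = md5_crack({u: md5_store(p) for u, p in users.items()}, WORDLIST)
    scrypt_db = {u: scrypt_store(p) for u, p in users.items()}
    # With per-user salts there is no shared table: every guess has to be
    # recomputed for every user, each at ~16 MiB and tens of milliseconds.
    scrypt_hits = {u: w for u, s in scrypt_db.items()
                   for w in WORDLIST if scrypt_verify(w, s)}
    return md5_hits, scrypt_hits


if __name__ == "__main__":
    print("same password, MD5:   ", md5_store("Johndoe1") == md5_store("Johndoe1"))
    print("same password, scrypt:", scrypt_store("Johndoe1") == scrypt_store("Johndoe1"))
    print("dictionary hits:", compare_schemes())
```

Note what the salted KDF does and does not buy: the two users with dictionary passwords still fall, because nothing protects a guessable password, but the attacker's cost goes from one table lookup per user to one 16 MiB computation per guess per user, which is what turns "11 million in days" into an infeasible job at real database sizes.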
Data shredding and secure methods of deletion should be employed at all levels of the organization, to ensure that files and information that’s assumed to be discarded actually remain unrecoverable.
Network security and access controls should be reviewed, with an eye to strengthening the organization’s resistance to infiltration, and improving its stance on threat detection and prevention.
Finally, an active and continuous program of credential monitoring should be adopted: new dumps should be checked for the organization's domains and for passwords its users are choosing, so that an exposed credential can be reset before anyone gets to use it.
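One way to check a user's chosen password against a breach corpus without handing the password, or even its full hash, to the monitoring service, as an added example that is not from the original article: the k-anonymity range lookup popularised by Have I Been Pwned's Pwned Passwords API, simulated here with both sides in one process. The corpus entries, counts and the `vet_new_password` policy are constructed assumptions for the illustration.

```python
import hashlib


def sha1_upper(password):
    return hashlib.sha1(password.encode()).hexdigest().upper()


# Constructed breach corpus: SHA-1 of passwords seen in dumps -> occurrence
# count. The passwords and counts are invented; a real service holds
# hundreds of millions of entries.
BREACH_CORPUS = {
    sha1_upper(p): count
    for p, count in [
        ("password", 3_730_471),
        ("letmein", 1_102_003),
        ("Johndoe1", 412),
        ("JohnDoe2", 57),
    ]
}


def range_query(prefix):
    """Server side: given the first 5 hex characters of a SHA-1, return every
    suffix in the corpus that shares the prefix, with its count. The server
    never learns which of those suffixes the client actually cares about."""
    if len(prefix) != 5:
        raise ValueError("prefix must be exactly 5 hex characters")
    return {h[5:]: n for h, n in BREACH_CORPUS.items() if h.startswith(prefix)}


def breach_count(password, query=range_query):
    """Client side: hash locally, send only the 5-character prefix, and match
    the remaining 35 characters at home. Returns the breach count, 0 if unseen."""
    digest = sha1_upper(password)
    return query(digest[:5]).get(digest[5:], 0)


def vet_new_password(password, min_length=12):
    """Policy hook for a password-change form: refuse short or breached
    passwords. Returns (accepted, reason)."""
    if len(password) < min_length:
        return False, f"shorter than {min_length} characters"
    n = breach_count(password)
    if n:
        return False, f"seen {n} time(s) in known breaches"
    return True, "ok"


if __name__ == "__main__":
    for candidate in ["Johndoe1", "orbit-lantern-quiet-gravel"]:
        print(candidate, "->", vet_new_password(candidate, min_length=8))
```

The same lookup can be run in batch over an identity provider's existing hashes only if those hashes are SHA-1, which is itself a sign of weak storage; for properly salted bcrypt or Argon2 stores the check has to happen at the moment the user types the password, which is why it belongs in the password-change and login paths.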