Many CSOs live in fear of waking up to an email reporting a data breach at their company, but the threat to an enterprise isn’t limited to a compromise of that specific organization. A new report shows that there are leaked employee credentials online for 97 percent of the top 1,000 global companies, many of which came from third-party breaches.
The last few years have seen a number of large-scale breaches at popular sites and companies, including LinkedIn, Adobe, MySpace, and Ashley Madison, and many of the credentials stolen during those incidents have ended up online in various places. Corporate employees, like most other users, often reuse their credentials in several places. But the worrisome thing is that many of them are using their work email addresses and passwords as credentials on third-party sites.
“It’s perhaps of little surprise that the breaches impacting the global 1,000 companies the most were LinkedIn and Adobe – both services that employees can be expected to sign up to such services with their work accounts. However, there were also less expected sources,” Michael Marriott of Digital Shadows, which performed the new research, said in a post.
“The high level of corporate credentials from MySpace, for example, should cause organizations to pause for thought. Worse still, gaming sites and dating sites also affected organizations. For Ashley Madison alone, there were more than 200,000 leaked credentials from the top 1,000 global companies of the Forbes Global 2000.”
The research from Digital Shadows found that the most significant breach for the global 1,000 companies it looked at was the LinkedIn incident. The breach occurred in 2012, but a large set of users’ credentials was dumped online earlier this year, extending the ripple effect from the compromise. Digital Shadows found more than 1.6 million credentials online for the 1,000 companies it studied. Adobe’s breach was next on the list, with more than 1.3 million credentials.
“As a result of these breaches it is clear that, irrespective of size, industry or geography, the vast majority of organizations have credentials exposed online. Before resetting passwords, an organization’s first step should be to determine if their credentials have previously been exposed,” the company said in its research paper.
“This is wise, given that 10 percent of breaches were duplicates. After all, the process of resetting password causes friction for organizations. In order to achieve this, an organization may either collect and validate the data itself, or with the help of third party services.”
Attackers use leaked credentials in a variety of ways, typically in attacks such as spear phishing, account takeovers, and extortion attempts. And unfortunately, the age of leaked credentials may not matter much. Even if a user knows her credentials from one service have been compromised, she may not think to change a reused password on other sites, leaving them open to compromise down the road.