It’s one thing when your iCloud account with personal photos gets hacked. It’s another when your Fortune 500 company has a data breach because your office credentials were leaked online.
At 221 of the Fortune 500 companies, Fortune magazine’s list of the the top 500 U.S. public corporations ranked by gross revenue, employees’ credentials are posted publicly online for hackers to steal and reuse in cyberattacks, according to new research from the web intelligence firm Recorded Future.
Corporations, especially highly sensitive targets like Fortune 500 companies, spend a great deal on securing their networks against hackers, but that could be for naught if an employee carelessly uses his office credentials to sign up for, say, a gaming forum.
The sensitive information can be found on forums and text repositories like Pastebin, which are fertile ground for username and password dumps. Researchers at Recorded Future scoured approximately 600,000 websites for credentials posted between Jan. 1 and Oct. 8, 2014. During their analysis, they found at least one username/password combination at 44% of the Fortune 500 companies, leaving those companies vulnerable to hackers who could use the data to break into networks or mount phishing and social engineering attacks, Recorded Future CEO and cofounder Christopher Ahlberg told Mashable.
These credential dumps are outside the companies’ control, Ahlberg said. The data likely come from third party sites — not from breaches of companies’ servers — where an employee used a corporate email to sign up for something. In the past few years, for example, hackers have breached websites and services like Adobe and Forbes.
One caveat is that there is no way to know whether the password used on a third-party site matches the employee’s password used on his corporate account. In other words, Fortune 500 employees’ information may be posted online — but it doesn’t necessarily that information will lead to a successful compromise.
“It’s a coin flip whether or not these credentials taken from third party sites are valid,” Scott Donnelly, the lead researcher on the report, told Mashable. “But when there’s 10 or 20 from a particular company, then odds are you’ve got one that’s valid.”
Below, the breakdown of the 221 companies listed in the report:
Data from unfortunate-221.silk.co
But having an employee’s username and password isn’t necessarily enough — hackers need to know where to use them. In some cases, Recorded Future also found that the webmail login pages of some utility companies are easily searchable on Google, which makes those companies even more vulnerable if an employee’s credentials are compromised.
The report doesn’t name names — either of companies or individuals — and Recorded Future has not notified any of the companies yet, according to Ahlberg and Donnelly. The goal of their research, they said, is to show that big companies are not immune to huge password leaks.
We’ve seen evidence of that lately.
Two weeks ago, a hacker claimed to have dumped 7 million Dropbox usernames and credentials. In a separate instance in early September, 5 million usernames and passwords appeared on a Russian forum (that information likely came from various earlier hacks, though). And in August, a security firm claimed to have found $1.2 billion credentials stolen by Russian hackers, though the firm’s report has been contested.
The issue with these dumps, even when they don’t involve services like Gmail or Dropbox, is the same: the danger of password reuse. If you always reuse the same password, a hacker doesn’t need to breach Google to obtain your Gmail password; instead, he can get it from your Fantasy Football forum. That’s why Facebook announced last week that it has been actively scouring sites that host dumped credentials to notify users if their password had been compromised.
Ahlberg and Donnelly warn that even more companies have probably been compromised, but those employees’ credentials have not been posted publicly.
“We have a pretty good coverage of the underbelly of the web, but these are just the public posts,” Donnelly said. “We’re highlighting how easy it is for somebody to just open the door and exploit a company because the information is sitting out there. But most certainly, there’s information that’s yet to be published.”
SurveilStar is an ultimate employee monitoring software and parental control software which can help monitor computer activities and protect data security. You can also block files uploading and sharing to prevent data leakage. Including:
- View Real-time Screen Snapshot
- Monitor Skype or Other Chat/IM Activity
- Record Emails
- Track web browsing history
- Block access to any website
- Remote PC Maintenance
- Program Activity
If you would like to record and control all your children or employees’ activities on working PC, SurveilStar Monitoring would be your best choice.
A 30-day free trial version of this professional computer monitoring and tracking software is available. Feel free to download and try to check what your employees and children have done on PC.