Employee data leaks from most of world’s biggest firms—and UK tops list
Credentials discovered from workers at 97 percent of Forbes-ranked companies.
Tom Mendelsohn
The UK has proven particularly susceptible to data breaches involving compromised employee account data, according to new research.
Employee credentials from almost every company on Forbes' list of the world's 1,000 biggest are available to buy online, threat intelligence firm Digital Shadows has said.
E-mail and password combinations belonging to more than five million people working at 97 percent of the top 1,000 companies are apparently available, including around 300,000 stolen from adult dating sites like Ashley Madison, Adult Friend Finder, and Mate1.
Each British company on the list has, on average, more than 9,000 sets of leaked employee credentials available, more than companies in the rest of Europe or North America.
In its report, Digital Shadows said that "in 2016, we have witnessed even yet more data breaches made public, including LinkedIn, MySpace, and Dropbox. Data breaches are no longer an aberration; they are the norm."
The LinkedIn data dump alone, it's understood, has put more than 1.6 million corporate accounts into the criminal ecosystem, while nearly 1.4 million Adobe accounts have been compromised, as well as 1.2 million attached to MySpace. Digital Shadows said:
It's perhaps of little surprise that the breaches impacting the global 1,000 companies the most were LinkedIn and Adobe, both services that employees can be expected to sign up to with their work accounts. However, there were also less expected sources.
The high level of corporate credentials from MySpace, for example, should cause organisations to pause for thought. Worse still, gaming sites and dating sites also affected organisations. For Ashley Madison alone, there were more than 200,000 leaked credentials from the top 1,000 global companies.
The report highlighted five ways in which criminals use compromised credentials. First, companies' public-facing social media accounts can be taken over. Second, criminals can use "spear-phishing," sending targeted e-mail to high-value senior executives from compromised internal accounts. Third, "credential stuffing" can be used to gain access to other internal accounts where employees reuse the same username/password combination across multiple applications. Fourth, post-breach extortion can be used to blackmail users of sensitive or embarrassing sites like Ashley Madison. Fifth, breached datasets can be used to build botnet target lists, which then send out spam or other malware.
The data is available to buy on the darknet, often reasonably cheaply. What's more, Digital Shadows found that less of it than expected turned out to be duplicated; only around 10 percent of breached credentials were found to be repeats.
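The counting described above, per-company credential totals and a duplicate rate, is easy to reproduce against a dump you have legitimately obtained for your own domains. The following is an added example of that triage and is not Digital Shadows' code or the article's; it assumes the dump is plain text with one "email:password" or "email;password" record per line, and the watched domains, the regular expression and all sample records are my own constructions.

```python
"""Added example (not Digital Shadows' code): triage a leaked credential dump
for an organisation's own domains, the sort of 'situational awareness' check
the article describes.

Assumptions (mine, not the article's): one record per line in the common
'email:password' or 'email;password' layouts; the domains to watch are
supplied by the caller. The sample dump below is constructed, not real data."""

import re
from collections import Counter, defaultdict

# Constructed sample dump: exact duplicates, a case-variant duplicate, two
# separator styles, an unwatched domain and a junk line.
SAMPLE_DUMP = """\
alice@example.co.uk:Summer2016!
Alice@Example.co.uk:Summer2016!
bob@example.co.uk;hunter2
carol@other.example:letmein
alice@example.co.uk:Summer2016!
dave@example.com:P@ssw0rd
not a credential line
bob@example.co.uk:hunter2
"""

# Hypothetical record shape: local@domain, then ':' or ';', then the password.
RECORD_RE = re.compile(r"^\s*([^\s:;@]+@[^\s:;]+)[:;](.+?)\s*$")


def parse_dump(text):
    """Yield (email, password) pairs from the dump text.

    E-mail addresses are lower-cased so that case variants of the same
    address collapse to one record; lines that do not match are skipped."""
    for line in text.splitlines():
        m = RECORD_RE.match(line)
        if m:
            yield m.group(1).lower(), m.group(2)


def triage(text, watched_domains):
    """Count unique credentials per watched domain and the duplicate rate.

    Returns a dict with:
      unique_per_domain: {domain: number of distinct (email, password) pairs}
      duplicate_rate:    fraction of watched records that were repeats
      accounts:          {email: number of distinct passwords seen}"""
    watched = {d.lower() for d in watched_domains}
    total = 0
    unique = set()
    by_domain = Counter()
    users = defaultdict(set)
    for email, password in parse_dump(text):
        domain = email.rsplit("@", 1)[1]
        if domain not in watched:
            continue  # not our organisation; ignore
        total += 1
        if (email, password) in unique:
            continue  # repeat of a pair already counted
        unique.add((email, password))
        by_domain[domain] += 1
        users[email].add(password)
    duplicate_rate = (total - len(unique)) / total if total else 0.0
    return {
        "unique_per_domain": dict(by_domain),
        "duplicate_rate": duplicate_rate,
        "accounts": {e: len(p) for e, p in users.items()},
    }


if __name__ == "__main__":
    result = triage(SAMPLE_DUMP, ["example.co.uk"])
    for domain, n in result["unique_per_domain"].items():
        print(f"{domain}: {n} unique leaked credentials")
    print(f"duplicate rate: {result['duplicate_rate']:.0%}")
    for email, n in result["accounts"].items():
        print(f"{email}: {n} distinct password(s) exposed")
```

Only the dump's own repeats are measured here; cross-dump reuse (the same password appearing for one employee in several breaches) shows up as `accounts` values above 1 when several dumps are concatenated before calling `triage`, which is the signal that a credential-stuffing attempt against the corporate login is worth expecting.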
"Simply put, too many people are putting their employer at risk by re-using workplace credentials, such as e-mail addresses and passwords, for their personal lives," Digital Shadows' research analyst Michael Marriott told Ars.
"In our sample of the world's top 1,000 companies we found that, for companies headquartered in the UK, there are nearly half a million unique leaked credentials being traded by cybercriminals right now," he added.
"Many of these have leaked as a result of being used for clear 'non-work' purposes, such as dating and gaming sites. These compromised credentials hold significant value for cybercriminals and can be used for botnet spam lists, extortion attempts, spear-phishing, and account takeovers. It's vital that firms get on the 'front foot' and gain cyber situational awareness to spot leaked credentials before it impacts on their business."