Employee credentials of half of European top 500 firms exposed online

Cyber attacks and data breaches very often start with phishing or spear-phishing. Access to good credentials is key – whether it’s for straight emailing or direct access to target email systems, etc.

Web intelligence firm Recorded Future has recently scoured the Web’s underbelly, including paste sites and forums, for exposed corporate credentials (emails and passwords), and found that 49 percent of Europes’s largest companies have had credentials belonging to their employees exposed online.


“These 244 companies account for 57% of top banks, 50% of oil and gas producers, and 64% of mobile telecommunications companies in the FT 500 Europe (a Financial Times listing of Europe’s top companies),” the company’s Special Intelligence Desk noted in the report (registration required) released during Infosecurity Europe 2015.

In addition to this, many critical infrastructure companies – utilities, healthcare providers, defense contractors – have had their network credentials exposed on the open Web in just the last six months.

“Most of these exposures occurred outside the companies’ reach due to vulnerabilities in third-party websites or employee use of work email accounts to register for a Web-based service,” the researchers pointed out.

“The presence of these credentials on the open Web leaves these FT Europe 500 companies vulnerable to corporate espionage, socially engineered cyber attacks, and tailored spear-phishing attacks against their workforce.”

Often the found passwords are too simple and, therefore, weak, and some companies didn’t even bother changing default ones, even when they were for website administrative accounts.

The researchers also found plenty corporate email addresses traded and shared on paste sites, which can be used for spear-phishing attacks.

Companies are mostly unaware of this, and are never notified of it by paste sites after they remove the information. And even if this information is removed, it doesn’t mean that it’s not still in the hands of the original attackers who compromised it, and that they won’t attempt to use it or sell it.

The researchers did not name the 244 companies, but those who suspect they might be exposed are welcome to contact the company and check whether their suspicions are true.

They also shared some advice on what companies should do to minimize the risk of leaked credentials, which includes developing clear policies on employee use of company credentials on external sites, enabling multi-factor authentication, requiring employees to change passwords often, tagging webmail login pages to prevent listing in search engines, and maintaining awareness of third-party breaches and routinely assessing exposure.