Password vulnerability at Fortune 1000 companies
Despite often repeated advice of using unique passwords for online accounts – or at least the most critical ones – password reuse continues to be rampant. And, according to breach discovery firm SpyCloud, employees of the Fortune 1000 are just as bad about reusing passwords as the rest of us.
Compromised credentials
The company has combed through their database of breach data for data tied to Fortune 1000 companies, analyzed it and found that employees in media companies are the worse when it comes to password reuse (rate of reuse: 85%), and those is retailing the best (53%), although even they still reuse passwords way to much.
They also found that the credentials of 127,083 C-level Fortune 1000 executives are available on the criminal underground and that, on average, companies in the Hotels, Restaurants & Leisure sector have the most exposed C-level executives.
“The most common passwords for the Media industry are mostly unprintable. But for Fortune 1000 employees with family-friendly passwords, popular themes include first names, company names, and simple strings of numbers and letters (123456, abc123, password),” they added.
“While most of these examples would fail to pass basic corporate password policies, people tend to transform a base password in predictable ways to bypass complexity rules. For example, ‘password’ might become ‘Password1’ or ‘Passw0rd!’ at work. Unfortunately, criminals are well-aware of these patterns, and sophisticated account checker tools make it easy for criminals to test variations of exposed passwords at scale.”
Other compromised assets
Personally identifiable information, phone numbers, geolocation data, financial information, social media accounts, and secret answers to security questions also get compromised and exposed online.
This data can be used by cybercriminals to steal a victim’s identity, create credible spear phishing messages, submit fraudulent applications, perform SIM swapping and phone porting, make fraudulent purchases, drain funds from accounts, connect the dots between personal and corporate identities (and use that info for targeted attacks), and more.
Interestingly enough, SpyCloud found that employees in the telecommunications sector have the highest average numbers of exposed PII assets, phone assets, geolocation assets, and plaintext corporate credentials per company.
“Although the companies within this sector are large, with an average of about 74,000 employees per company, employee totals do not account for the disparity,” they noted.
“It’s possible that employee tenure could have something to do with the sector’s high exposure levels. Employees who have owned their corporate email accounts for many years would have had plenty of opportunities to use them on third-party sites. Conversely, high levels of churn could also potentially play a part, with many short-term employees racking up a few exposures each before moving on.”