Data breaches and credential compromise are not new. After all, 2014 was known as the “year of the data breach”, and last year was similarly dubbed the “year of the breach”. In 2016 we have seen still more data breaches made public, including LinkedIn, MySpace and Dropbox. Data breaches are no longer an aberration; they are the norm.
For companies that were the victims of breaches, there are clear reputational, brand and financial implications. Indeed, a recent study by ENISA provided a great overview of the studies that have attempted to enumerate these costs.
So what about the indirect impact of the breaches? Organizations whose employees have reused their corporate email addresses and passwords on third-party services are also at risk. These organizations suffer the “collateral damage” of the initial breaches. Indeed, our latest research paper found that, for the largest 1,000 organizations in the world, there are more than 5 million leaked credentials.
It’s perhaps of little surprise that the breaches impacting the global 1,000 companies the most were LinkedIn and Adobe, both services that employees can be expected to sign up to with their work accounts. However, there were also less expected sources. The high number of corporate credentials from MySpace, for example, should cause organizations to pause for thought. Worse still, gaming sites and dating sites also affected organizations. For Ashley Madison alone, there were more than 200,000 leaked credentials from the top 1,000 global companies of the Forbes Global 2000.
But organizations can just reset their passwords, right? It’s not quite that simple, unfortunately. Password resets cause a lot of friction for organizations, so it’s necessary to first ascertain whether the breach information is new or simply old information that has been re-posted. Indeed, 10 percent of the claimed leaked credentials in our report were duplicates.
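The two checks described above, filtering a dump down to credentials belonging to the organization’s own domains and then deciding which of those are new rather than re-posted, are what decides whether a password reset is worth the friction. The script below is an added example of that triage, not tooling from the research paper or from any vendor: it parses constructed `email:password` lines, keeps only addresses on a hypothetical watch list of corporate domains, fingerprints each pair with a hash so the plaintext password need not be stored, and counts duplicates both within the dump and against pairs seen in earlier dumps. The domain names, dump lines and function names are all assumptions made for the example.

```python
"""Triage a leaked-credential dump against monitored corporate domains
and a store of previously seen credential pairs.

Added example: not the report's own tooling. The domains, dump lines
and the fingerprint store below are constructed for illustration.
"""
import hashlib
import re
from collections import Counter

# Constructed watch list of corporate domains (hypothetical).
MONITORED_DOMAINS = {"example.com", "corp.example"}

# Constructed sample dump in the "email:password" form typically re-posted.
# Mixed case, stray whitespace, malformed lines and a repeat are deliberate.
DUMP = """\
Alice@Example.com:Summer2016!
bob@corp.example:hunter2
alice@example.com:Summer2016!
carol@gmail.com:letmein
not-a-valid-line
dave@example.com:
eve@example.com : pa55word
"""

# email, optional whitespace, ':', optional whitespace, non-empty password
LINE_RE = re.compile(r"^\s*([^:\s]+@[^:\s]+)\s*:\s*(.+?)\s*$")


def parse_line(line):
    """Return (email, password) or None for a line that is not a usable pair.

    The email is lowercased so that case variants collapse to one account;
    the password is left as-is because its case is part of the secret.
    An empty password field is treated as unusable rather than as a match.
    """
    m = LINE_RE.match(line)
    if not m:
        return None
    return m.group(1).lower(), m.group(2)


def fingerprint(email, password):
    """Stable identifier for a pair that avoids storing the plaintext password.

    A NUL separator keeps 'a@x:b' and 'a@x' + ':b' style ambiguities apart.
    """
    return hashlib.sha256(f"{email}\x00{password}".encode()).hexdigest()


def triage(dump_text, monitored_domains, previously_seen):
    """Classify every line of a dump.

    Returns (stats, new_by_domain, new_pairs) where stats counts
    'new', 'duplicate', 'out_of_scope' and 'unparseable' lines,
    new_by_domain counts genuinely new pairs per corporate domain, and
    new_pairs lists (email, fingerprint) for the accounts that need a reset.
    """
    stats = Counter()
    new_by_domain = Counter()
    seen_in_dump = set()
    new_pairs = []
    for line in dump_text.splitlines():
        pair = parse_line(line)
        if pair is None:
            stats["unparseable"] += 1
            continue
        email, password = pair
        domain = email.rsplit("@", 1)[1]
        if domain not in monitored_domains:
            stats["out_of_scope"] += 1
            continue
        fp = fingerprint(email, password)
        # Repeats inside the dump and pairs from earlier dumps are both noise.
        if fp in seen_in_dump or fp in previously_seen:
            stats["duplicate"] += 1
            continue
        seen_in_dump.add(fp)
        stats["new"] += 1
        new_by_domain[domain] += 1
        new_pairs.append((email, fp))
    return stats, new_by_domain, new_pairs


def duplicate_fraction(stats):
    """Share of in-scope pairs that were already known (0.0 if none in scope)."""
    in_scope = stats["new"] + stats["duplicate"]
    return stats["duplicate"] / in_scope if in_scope else 0.0


if __name__ == "__main__":
    # First pass: nothing seen before, so only the in-dump repeat is a duplicate.
    stats, by_domain, new_pairs = triage(DUMP, MONITORED_DOMAINS, set())
    print("first pass:", dict(stats), dict(by_domain))
    print("accounts to reset:", [email for email, _ in new_pairs])
    print("duplicate fraction: %.2f" % duplicate_fraction(stats))
    # Second pass over the same dump after recording what was actioned:
    # everything is now a duplicate and no further resets are triggered.
    seen_store = {fp for _, fp in new_pairs}
    stats2, _, new2 = triage(DUMP, MONITORED_DOMAINS, seen_store)
    print("re-posted copy:", dict(stats2), "new accounts:", len(new2))
```

Two points are worth keeping in mind when adapting this. A different password for an address already in the store produces a new fingerprint, which is the behaviour you want: the account has leaked again and needs another reset. And because the passwords in a dump are low-entropy, an unkeyed SHA-256 over `email + password` is trivially guessable from the email alone, so the fingerprint store must be protected like the dumps themselves (or keyed with an HMAC secret that lives elsewhere); the hash is there to avoid spreading plaintext around, not to make the store safe to publish.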
Even once the unique leaked credentials have been identified and their passwords reset, the compromised data retains significant value for cybercriminals. The addresses and account memberships can be used for botnet spam lists, extortion attempts (as was the case with Ashley Madison), spear-phishing, and account takeover.
Companies need to develop an understanding of the impact of these data breaches. Our latest research paper analyzes this information to understand trends, outlines how adversaries are using this information and, most importantly, what you can do to prepare for and mitigate instances of credential compromise.