Nearly every large company has had at least one employee whose email address and password have been leaked in a recent breach, putting those companies at risk of attack, especially if their workers reuse their passwords, according to research by security firm Digital Shadows.
The firm analyzed its database of compromised credentials available online, searching more than 19,000 domains associated with the top 1,000 international companies. Digital Shadows' database of compromised credentials comes from more than 30,000 claimed breaches over the past two years. The company found that digital criminals had claimed to have compromised more than 5.5 million credentials from 97 percent of the top 1,000 global companies.
While the credentials are for online services that may not directly impact the victim's employer, many users reuse their username and password. In addition, an attacker with a valid email address can more effectively mount a phishing campaign against a specific company, Rick Holland, vice president of digital strategies for Digital Shadows, told eWEEK.
"We have seen in our customer base where this has been an issue, where replaying those credentials has been a challenge for them," he said. "One of their big questions they want to know is, 'What do we need to do to not be impacted by someone else's breach?'"
Data breaches have become a widely reported problem for companies. Major compromises, such as the 2013 credit-card breach of retail giant Target, are uncommon, but the theft of credentials can often cause more damage to victims than the loss of a credit-card number.
In a 2012 breach, which only came to light this year, attackers gained access to Dropbox credentials through the likely reuse of an employee's password. Online storage provider Carbonite initiated a password reset in June 2016, after it discovered that credentials used by its employees for a compromised online service were being used to attempt to gain access to its systems.
So far in 2016, there have been 687 documented breaches, compromising at least 28.7 million records, and the final tally for the year will likely surpass the 781 documented breaches in all of 2015, according to data from the Identity Theft Resource Center.
Accounts that require only a username and password are the fundamental problem. While many companies have talked about replacing passwords—and there are significant security reasons to at least augment that single factor—passwords remain the most commonly used authentication method.
In a survey of U.S. businesses, Software Advice found that about seven out of every 10 companies only use passwords, although some require randomized passwords. Of the rest, 17 percent of companies use multifactor authentication and 14 percent use a password manager.
"Passwords are not going away for a very long time," Holland said. "The adversaries are building up their own databases" to collect credentials exposed in past breaches.
The relative weakness of passwords is exacerbated by the large share of users who reuse them. Recent estimates of reuse vary from 59 percent to 73 percent. While workers may heed advice not to reuse their corporate credentials, history has shown that reuse continues to pose a danger.
Multifactor authentication will help mitigate the threat, and companies should move to adopt it as soon as possible, Holland said.
"If you have multifactor authentication widely available on your external-facing services, these attacks might not be a big issue," he said. "Yet, multifactor is not as widely deployed as it should be."