
ITACS 5211: Introduction to Ethical Hacking

Wade Mackay

97% of Top 1,000 Orgs Suffer Credential Compromise

September 25, 2016 by Mengxue Ni 2 Comments

Digital Shadows has found more than 5 million leaked credentials belonging to the largest 1,000 organizations in the world. The company said in a blog post that, for companies that were the victims of breaches, there are clear reputational, brand and financial implications. The breaches that most affected the global 1,000 companies were the heists at LinkedIn and Adobe, both services that employees can be expected to sign up to with their work accounts. There was also a high level of corporate credentials among the 360 million stolen from MySpace. Gaming sites and dating sites also affected organizations.

The report also found that the UK is one of the most affected regions in the world, with an average of 9,000 leaked credentials per company. Whilst many claimed breaches are often simply copies and reposts of previously leaked databases, this number is lower than expected: only around 10% of claimed breached credentials are duplicated.

Social media and BYOD are the biggest internal security threats for every organization because it is hard to control and monitor every employee. For LinkedIn and Adobe, I can understand why there is a high chance of getting your work account from them. I was surprised that dating and gaming sites also threaten organizations. One thing that I can think of to mitigate the risk of leakage is warning your employees not to use their work account and email on any other website, not even LinkedIn. Other than this, social media is still a great external threat for any organization.

link: http://www.infosecurity-magazine.com/news/97-of-top-1000-orgs-suffer/


Comments

  1. Jason A Lindsley says

    September 27, 2016 at 11:48 pm

    These password breaches are not just a risk to internal employee credentials, but also a risk to companies that have customer facing websites. With the hacks referenced in these articles, many companies are seeing a rise in brute force password attacks on their sites with hackers attempting to use the same or similar passwords associated with credentials that were hacked.

    I think companies should have a responsibility to prevent these brute force attempts (e.g. locking accounts out after a number of invalid attempts and monitoring for abnormal login activity). Anyone else have any thoughts on this?

    • Mengxue Ni says

      September 28, 2016 at 3:12 pm

      Jason, thank you for asking the question. I do think companies should take the responsibility since it relates to their own benefits. I believe they are eager to find a solution to protect all the passwords. There is a lot of software that helps store passwords, but self-awareness of employees is also very important.

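The two controls suggested in the first comment above (locking accounts after a number of invalid attempts, and monitoring for abnormal login activity), shown side by side as an added example that is not part of the original post or comments. The log format, the thresholds and the `analyze` function are assumptions, and the sample log lines are constructed.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample log (timestamp, source IP, username, result); not real data.
SAMPLE_LOG = """\
2016-09-27T10:00:01 198.51.100.7 alice FAIL
2016-09-27T10:00:02 198.51.100.7 bob FAIL
2016-09-27T10:00:03 198.51.100.7 carol FAIL
2016-09-27T10:00:04 198.51.100.7 dave OK
2016-09-27T10:00:05 198.51.100.7 erin FAIL
2016-09-27T10:01:00 203.0.113.9 frank FAIL
2016-09-27T10:01:05 203.0.113.9 frank FAIL
2016-09-27T10:01:09 203.0.113.9 frank FAIL
2016-09-27T10:05:00 192.0.2.44 grace FAIL
2016-09-27T10:05:20 192.0.2.44 grace OK
""".splitlines()

def analyze(lines, lock_after=3, distinct_users=4, window=timedelta(minutes=10)):
    """Return (accounts to lock, source IPs to flag); thresholds are assumed values."""
    fails_by_user = defaultdict(deque)   # username -> timestamps of recent failures
    fails_by_ip = defaultdict(deque)     # source IP -> (timestamp, username) failures
    locked, flagged = set(), set()
    for line in lines:
        stamp, ip, user, result = line.split()
        now = datetime.fromisoformat(stamp)
        if result == "OK":
            fails_by_user[user].clear()  # a good login resets the lockout counter
            continue
        # Control 1: per-account lockout after repeated failures inside the window.
        q = fails_by_user[user]
        q.append(now)
        while now - q[0] > window:
            q.popleft()
        if len(q) >= lock_after:
            locked.add(user)
        # Control 2: one source failing against many different accounts.
        s = fails_by_ip[ip]
        s.append((now, user))
        while now - s[0][0] > window:
            s.popleft()
        if len({u for _, u in s}) >= distinct_users:
            flagged.add(ip)
    return locked, flagged

if __name__ == "__main__":
    print(analyze(SAMPLE_LOG))
```

In the sample, the source that fails once against each of several accounts never triggers a lockout and is caught only by the per-source check, which is why the comment's two controls complement each other.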
