Maybe 2018 was the first year when user database breaches became one of the most discussed subjects in the cybersecurity world: billions of user records were leaked from Facebook, Marriott, MyHeritage and Google Plus, just to name some. What is common in these and the similar cases of the last decade is that not individual accounts, but large user datasets maintained by tech giants have been hacked and made public. The case of Cambridge Analytica magnified and to some extent muddled the public’s interest in user-related databases and data breaches. But the simple truth is this: every Third Party provider can be hacked too, and when it happens, the length of your password won’t do any good, and each online registration will tell more and more about you to the competitors or the hackers who make a business of hoarding these data.
In our effort to understand what kind of threats can undermine corporate security, we studied Account Takeover data from many angles. In the following cases we focused on possible threats caused by the information that can be obtained from these datasets.
Case study #1
First, we looked into a large vehicle spare parts retailer’s leaked credentials, and the most remarkable fact was that almost 80 percent of the accounts used the company name as the password (sometimes with a number appended). We have seen this in many other cases: even today a lot of companies and their employees use the most guessable passwords when registering at third party businesses. A few of them even use a default password for all accounts.
Another finding was that this company’s Chief Security Officer had registered on a Web Shop that sells Industrial Security equipment, most likely to upgrade security at the facilities. While his password was strong enough, the Shop he used suffered a data breach due to a cyberattack, and through this the login username and the password were leaked. If a hacker wants to target his company, he simply runs a search with the company domain, downloads the data and logs in with the employee’s credentials (and sadly, in many cases the company password is reused for third party registrations, which poses a further threat to the company). He can then see what type of devices the security professional bought and who manufactured the equipment, and can easily learn existing and new vulnerabilities of that device, or practice and experiment with it. The company becomes physically penetrable. More vulnerabilities can be discovered if the bought equipment was a network security device. Targeting companies this way is pretty easy.
Case study #2
The second company is a larger American retail chain; in this case we found many key officials’ registrations at Third Party services with company emails. Interestingly, we found not only email and password combos for dating sites and other social media, but home addresses, home IP addresses and landline phone numbers, since these officials used these identifiers to order food from a local restaurant. These data are more than enough to engineer a social hacking attack, which, if successful, can seriously damage company security, assets and reputation.
Case study #3
When we checked a middle-sized company in the Energy Sector, again many email-password combos came up from different providers, plus something more interesting from an online gaming breach: IP addresses of employees’ work computers. It is always a bad idea to enjoy online games in the workplace, but these IPs revealed local networks of industrial facilities, which companies like to keep “off the grid” (and which APT groups love to hunt down). Yet these addresses ended up in a publicly available breach database and can be traced by looking for the company employees’ email addresses (or the company domain). It was also interesting to learn that two of the energy company’s employees were registered on VKontakte, a Russian social media platform.
Conclusion
There are many user credential databases, including Collection #1-#5, while the most recent and notable addition came after the closing of Cit0Day, an Indian data breach service, adding 23,000 unique databases to the known leaks. These breaches altogether add up to about 14-15 billion records, and in many cases contain other identifiers than emails and passwords: IP addresses, phone numbers, credit card numbers, Social Security numbers, home addresses, social media IDs, dates of birth, gender, voting preferences, and so on. These data can be used to prepare Ransomware Through Phishing attacks via OSINT and reconnaissance. Again, the data is available on the Dark Web, even if it takes professional knowledge and extensive research to collect it. And this is a problem. And this problem can’t be solved by good Password Management alone.
Recommendations
This kind of threat can be avoided if companies and their employees follow a couple of simple guidelines.
Forget the company domain, use aliases
If you assume that Third Party breaches can provide valuable ammunition to market competitors or hackers, don’t use company accounts for every online registration. Although it might cause inconvenience, in certain cases it can be a safeguard against adversary actors.
Every Third Party is a potential breach source
Keep in mind that a Third Party handling your data can be more targeted by hackers than your company.
Inform, train and test your employees
A large part of cyber attacks are based on successful social hacking campaigns; the first step of defence is preparedness.
Regularly monitor the Dark Web and Illegal Markets for Account Takeovers
This is especially important in sectors like finance, government or critical infrastructure, or if you are a defense supplier.
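As an added example (not part of the original article), here is a small triage routine for the kind of records a breach-monitoring feed returns for your own domain. It flags the patterns the case studies describe: the company name used as a password, the same credential appearing in several breached services, one shared default password, and extra identifiers (IPs, home addresses) exposed alongside the credentials. The sample records, the domain and the company name are constructed.

```python
import re
from collections import Counter, defaultdict

# Constructed sample of what a breach-monitoring feed might return for one domain.
# Fields: email, password, source breach, other identifiers exposed in that source.
LEAKED = [
    ("j.smith@acme-parts.example", "AcmeParts2019", "shop-a", []),
    ("a.lee@acme-parts.example", "acmeparts", "shop-b", []),
    ("a.lee@acme-parts.example", "acmeparts", "forum-c", ["ip"]),
    ("cso@acme-parts.example", "Tr0ub4dor&3x!", "secshop-d", []),
    ("k.ng@acme-parts.example", "Welcome1", "game-e", ["ip", "address"]),
    ("m.ruiz@acme-parts.example", "Welcome1", "shop-a", []),
    ("someone@other.example", "acmeparts", "shop-b", []),  # not our domain
]

def is_company_name_password(password, company_name):
    """True if the password is the company name, optionally with digits appended."""
    name = re.sub(r"[^a-z0-9]", "", company_name.lower())
    pw = re.sub(r"[^a-z0-9]", "", password.lower())
    return pw == name or (pw.startswith(name) and pw[len(name):].isdigit())

def triage(records, domain, company_name):
    """Summarise one company's exposure in leaked (email, password, source, extras) records."""
    ours = [r for r in records if r[0].lower().endswith("@" + domain.lower())]
    accounts = {email for email, _, _, _ in ours}
    pw_sources = defaultdict(set)   # (email, password) -> breaches it appeared in
    pw_accounts = defaultdict(set)  # password -> accounts using it
    extras = Counter()              # identifier type -> how many records expose it
    for email, pw, source, extra in ours:
        pw_sources[(email, pw)].add(source)
        pw_accounts[pw].add(email)
        extras.update(extra)
    return {
        "accounts": len(accounts),
        "records": len(ours),
        # Case study #1 pattern: the company name used as the password
        "company_name_passwords": sorted({e for e, pw, _, _ in ours
                                          if is_company_name_password(pw, company_name)}),
        # same account, same password, seen in more than one breached service
        "reused_passwords": sorted({e for (e, pw), s in pw_sources.items() if len(s) > 1}),
        # one "default" password shared by several accounts
        "shared_passwords": sorted(e for accts in pw_accounts.values()
                                   if len(accts) > 1 for e in accts),
        # IPs, home addresses etc. leaked next to the credentials (case studies #2 and #3)
        "extra_identifiers": dict(extras),
    }

if __name__ == "__main__":
    for key, value in triage(LEAKED, "acme-parts.example", "Acme Parts").items():
        print(f"{key}: {value}")
```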
Use VPN services when there’s a possibility of unwanted IP logging
Also, regularly track and filter outbound network traffic.