Company Credential

Retailers exposed when employee reuse ID

The retail industry has taken hard hits from cyber attackers over the last several years, thanks to the highly publicized Target and Home Depot hacks along with hundreds of other incidents—there were nearly 160 retail breaches confirmed in the most recent, annual Data Breach Investigations Report from Verizon—the industry accounts for about 14 percent of all lost or stolen data records since 2013, according to an ongoing tally published by BreachLevelIndex.com. Among all sectors, that’s second only to the technology industry.

To lend further insight into the topic, Digital Shadows conducted an analysis of the top 1,000 companies on the Forbes Global 2000 list. With Digital Shadows SearchLight proprietary tool, the company was able to continuously monitor and collect corporate email/password breaches between April 2014 and June 2016 on social media, forums, “dark web” sources, criminal sites and “paste sites.”

Here are some results from businesses in the retail sector:

  • There were an estimated 157,000 unique breached email and password combinations linked to retailers. The personal and household goods subsector accounted for the most (36 percent), followed by apparel (22 percent), food (21 percent) and discount stores (10 percent).
  • Many retail employees and execs re-use their corporate emails for non-business or “unofficial business” outlets such as social media. Therefore, it should come as no surprise that social media sites represented a wealth of the breaches, including LinkedIn (with more than 72,500 occurrences) and MySpace (more than 30,740).
  • Outside of social media, we found nearly 42,000 leaks connected to Adobe and just over 3,200 to iMesh. Ashley Madison and other dating websites served as the source for more than 5,570 leaks—leaks which expose employees’ personally identifiable information (PII), partial credit card numbers and even their sexual preferences.

Why Data Breaches Matter

Our analysis probably comes as good news to cyber criminals, who are eager to leverage credential breaches to target the employees’ organizations. Here are five incidents and trends which illustrate how:

Account takeover. The alleged re-use of passwords stolen during a LinkedIn breach led to a Dropbox attack. Workers neglect to change passwords for years, using them for multiple services, making it too easy for hackers to take advantage.

Spear-phishing. In June 2016, Germany’s Computer Emergency Response Team for federal agencies (known as CERT-Bund) reportedly detected spear phishing emails sent to executives. Threat actors crafted personalized emails using the target’s first name, last name, job role and company name to send malicious, macro-enabled Microsoft Word documents.

Credential-stuffing. This occurs when adversaries automatically inject breached user name and password pairs in order to fraudulently gain access to accounts. The adversaries then hijack the account for a variety of purposes, such as spamming in-boxes, stealing funds and accessing PII.

Post-breach extortion. Hackers collected more than 200,000 corporate email addresses during the 2015 Ashley Madison attack. The cyber criminals then tried to extort victims, threatening to reveal the information to victims’ partners if they didn’t send payments via Bitcoin.

Spam emails. These credentials are valuable for spam campaigns, easily swiping email addresses.

Companies Need a Plan

Enterprises must protect themselves from compromises linked to breached email accounts and passwords. Here are best practices to consider:

  • Develop clearly stated policies to determine which kinds of external services are allowable for corporate email accounts.
  • Deploy an enterprise password management solution for secure storage/sharing and password creation/diversity.
  • Proactively monitor for “credential dumps” relevant to your accounts.
  • Establish multi-factor authentication for external corporate services.
  • Evaluate and document any internal services that aren’t federated for faster and more complete incident response.
  • Implement an emergency password reset process to include all user accounts.
  • Through user behavior analytics tools, import compromised identity information while detecting suspicious activity.
  • Train your employees – and then train them some more.

By fully identifying and mitigating the practices which leave businesses vulnerable—and then investing in employee awareness training—you’ll greatly reduce risk while cultivating a more educated workforce. That’s a win-win proposition in the age of cyber exposure.

This article originally appeared in the May 2017 issue of Security Today.

Featured

  • President Biden Issues Executive Order to Bolster U.S Port Cybersecurity

    On Wednesday, President Biden issued an Executive Order to bolster the security of the nation’s ports, alongside a series of additional actions that will strengthen maritime cybersecurity and more Read Now

  • Report: 15 Percent of All Emails Sent in 2023 Were Malicious

    VIPRE Security Group recently released its report titled “Email Security in 2024: An Expert Look at Email-Based Threats”. The 2024 predictions for email security in this report are based on an analysis of over 7 billion emails processed by VIPRE worldwide during 2023. This equates to almost one email for everyone on the planet. Of those, roughly 1 billion (or 15%) were malicious. Read Now

  • ASIS Announces ANSI-Approved Cannabis Security Standard

    ASIS International, a leading authority in security standards and guidelines, proudly announces the release of a pioneering American National Standards Institute (ANSI)-approved standard dedicated to cannabis security. This best-in-class standard, meticulously developed by industry experts, sets a new benchmark by providing comprehensive requirements and guidance for the design, implementation, monitoring, evaluation, and maintenance of a cannabis security program. Read Now

  • ISC West Announces Keynote Lineup

    ISC West, in collaboration with premier sponsor the Security Industry Association (SIA), announced this year’s dynamic trio of speakers that will headline the Keynote Series at ISC West 2024. Read Now

    • Industry Events

Featured Cybersecurity

Whitepapers

New Products

  • FEP GameChanger

    FEP GameChanger

    Paige Datacom Solutions Introduces Important and Innovative Cabling Products GameChanger Cable, a proven and patented solution that significantly exceeds the reach of traditional category cable will now have a FEP/FEP construction. 3

  • Mobile Safe Shield

    Mobile Safe Shield

    SafeWood Designs, Inc., a manufacturer of patented bullet resistant products, is excited to announce the launch of the Mobile Safe Shield. The Mobile Safe Shield is a moveable bullet resistant shield that provides protection in the event of an assailant and supplies cover in the event of an active shooter. With a heavy-duty steel frame, quality castor wheels, and bullet resistant core, the Mobile Safe Shield is a perfect addition to any guard station, security desks, courthouses, police stations, schools, office spaces and more. The Mobile Safe Shield is incredibly customizable. Bullet resistant materials are available in UL 752 Levels 1 through 8 and include glass, white board, tack board, veneer, and plastic laminate. Flexibility in bullet resistant materials allows for the Mobile Safe Shield to blend more with current interior décor for a seamless design aesthetic. Optional custom paint colors are also available for the steel frame. 3

  • PE80 Series

    PE80 Series by SARGENT / ED4000/PED5000 Series by Corbin Russwin

    ASSA ABLOY, a global leader in access solutions, has announced the launch of two next generation exit devices from long-standing leaders in the premium exit device market: the PE80 Series by SARGENT and the PED4000/PED5000 Series by Corbin Russwin. These new exit devices boast industry-first features that are specifically designed to provide enhanced safety, security and convenience, setting new standards for exit solutions. The SARGENT PE80 and Corbin Russwin PED4000/PED5000 Series exit devices are engineered to meet the ever-evolving needs of modern buildings. Featuring the high strength, security and durability that ASSA ABLOY is known for, the new exit devices deliver several innovative, industry-first features in addition to elegant design finishes for every opening. 3