Data breaches are common in the news lately, but a recent study by credential monitoring firm VeriClouds focuses specifically on the credentials of Fortune 500 employees found in account leaks posted online.
Using a corpus of 8 billion stolen credentials gathered over three years, the study compared the total number of employees of each Fortune 500 company with the number of unique credentials for each company found online in data leaks.
The study finds that an average of 10 percent of all Fortune 500 employee email credentials have been leaked via some form of data breach.
The greater the number of company logins found online, the greater the risk that one of those logins can be used to gain access to company resources. That risk is real; some industry sectors such as Telecommunications were more than double the average at 23 percent of employee emails found in a data leak.
Other sectors with higher-than-average exposure included Energy at 18 percent and Financials at 17 percent. That 17 percent represents a total of 555,000 email credentials found leaked across Fortune 500 financial companies.
The password strength of the leaked credentials was also examined. Overall, the report found that some sectors had large percentages of weak passwords in use. Two of the higher examples were Computers and Office Equipment with 25 percent weak passwords, as well as Transportation with 17.6 percent of exposed passwords being found in the top 100K most common passwords.
These leaked credentials can be difficult for even a Fortune 500 organization to defend against, as the risk may exist completely outside of security staff control.
Steve Tout, CEO of Seattle-based VeriClouds, is deeply familiar with this dilemma:
“It is no longer enough to answer, ‘Have I been pwned?’ The risk that compromised credentials pose to ...
*** This is a Security Bloggers Network syndicated blog from The State of Security authored by Ben Layer. Read the original post at: https://www.tripwire.com/state-of-security/security-awareness/fortune-500-credentials-data-leaks/