Too Long; Didn't Read
Credential compromise is an ever-growing concern for organizations today. According to a recent report, the volume of exposed corporate credentials nearly tripled between 2016 and 2017; the same report claimed that nearly 77% of the Financial Times Stock Exchange 100 companies were exposed, with an average of 218 stolen credentials per organization over a 3-month span. Most credential exposures occur beyond the company's perimeter, through vulnerabilities in third-party websites where employees sign up using their business email. The presence of these corporate credentials on the web makes organizations vulnerable to corporate espionage, social engineering, spearphishing, and credential stuffing, which is the use of an extensive pool of exposed corporate credentials to breach other systems where the same credentials might have been reused. Many organizations remain unaware of online data breaches and the risks they carry. If an employee created an account on an online service (such as social media) with their business email, and that online service later suffered a breach in which credential data was leaked, that employee's password or password hash may be available to attackers. If the employee used the same password on that online service as for their business email or VPN, this can result in the compromise of business credentials and unauthorized access.