Many companies have probably had their email credentials compromised without realizing it. In September 2016, researchers reported finding about 5 million unique business email credentials on hacker dump sites and other underground cyber markets. When the researchers cross-checked the compromised email addresses against the domains of the top 1,000 companies in the FORBES Global 2000 list, they found that 97 percent of those organizations had at least one of their email addresses listed for sale in the underground markets.
The compromised business email credentials came from data breaches that occurred between April 2014 and June 2016. Some of the credentials were obtained from breaches of the companies themselves, but the majority came from breaches of social media, gaming, and dating sites. In other words, many employees register personal online accounts with their company email addresses, and when those third-party sites are breached, the company address (and often a reused password) is exposed along with them.
Using company email addresses for personal use puts businesses at risk. If those email credentials are compromised, the companies might fall victim to:
- Account hijacking: When hackers have both the email address and password for an email account, they can change the password and take over the account. A hijacked mailbox is then used for malicious activities such as sending spam and distributing malware, and because the mailbox usually receives password-reset messages for other services, it can also be used to take over those accounts.
- Spear phishing attacks: Cybercriminals often use compromised email credentials in spear phishing attacks. For example, in June 2016, hackers sent spear phishing emails to corporate executives in Germany. To create these emails, the cybercriminals used email credentials and other information (e.g., person’s first and last name) obtained from the 2012 LinkedIn data breach, according to Germany’s Computer Emergency Response Team (CERT-Bund).
- Credential stuffing attacks: Because people tend to reuse passwords, hackers who obtain a large number of credentials from a breach often launch credential stuffing attacks. In this type of attack, a distributed botnet tries the stolen username/password pairs against high-value websites. The attempts are spread out over time and across many different source IP addresses, so that no single account or IP address trips per-account lockout rules (e.g., three unsuccessful login attempts) that would expose the campaign. The practical consequence for defenders is that lockout thresholds alone do not detect this pattern; detection has to aggregate failed logins across accounts and source addresses.
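The following is an added example, not code from the original article, showing why the per-account lockout described above misses a low-and-slow credential stuffing campaign and how an aggregate detector catches it. The authentication log lines and their `<ISO timestamp> <source IP> <username> <ok|fail>` format are constructed for this example; the thresholds are assumptions to be tuned against a real baseline.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed authentication log for this example (not real data).
# Assumed format: "<ISO-8601 timestamp> <source IP> <username> <ok|fail>".
# 203.0.113.0/24 hosts are the stuffing botnet: one attempt per account, spread
# over the hour, so no account ever reaches a three-strikes lockout. One stolen
# pair happens to work (peggy reused her password). 198.51.100.0/24 hosts are
# ordinary users, one of whom mistypes once before logging in.
SAMPLE_LOG = """
2016-09-12T09:00:01 203.0.113.10 alice fail
2016-09-12T09:00:08 198.51.100.7 alice ok
2016-09-12T09:03:12 203.0.113.11 bob fail
2016-09-12T09:06:44 203.0.113.12 carol fail
2016-09-12T09:10:05 198.51.100.9 dave fail
2016-09-12T09:10:40 198.51.100.9 dave ok
2016-09-12T09:13:57 203.0.113.13 dave fail
2016-09-12T09:18:30 203.0.113.14 erin fail
2016-09-12T09:22:02 203.0.113.15 frank fail
2016-09-12T09:27:49 203.0.113.16 grace fail
2016-09-12T09:33:15 203.0.113.17 heidi fail
2016-09-12T09:39:58 203.0.113.18 ivan fail
2016-09-12T09:45:20 203.0.113.19 judy fail
2016-09-12T09:51:06 203.0.113.20 mallory fail
2016-09-12T09:52:33 203.0.113.20 peggy ok
2016-09-12T09:58:41 203.0.113.21 oscar fail
"""

LOCKOUT_THRESHOLD = 3        # per-account lockout the attacker deliberately stays under
WINDOW = timedelta(hours=1)  # tumbling window for the aggregate detector (assumed)
MIN_ACCOUNTS = 10            # distinct failing accounts per window before we alert (assumed)
MIN_IPS = 8                  # distinct source IPs behind those failures (assumed)


def parse_log(text):
    """Parse the constructed log lines into dicts; blank lines are skipped."""
    records = []
    for line in text.strip().splitlines():
        ts, ip, user, result = line.split()
        records.append({"ts": datetime.fromisoformat(ts), "ip": ip,
                        "user": user, "ok": result == "ok"})
    return records


def locked_accounts(records, threshold=LOCKOUT_THRESHOLD):
    """The per-account control: accounts whose failures reach the lockout threshold."""
    failures = defaultdict(int)
    for r in records:
        if not r["ok"]:
            failures[r["user"]] += 1
    return {user for user, n in failures.items() if n >= threshold}


def window_start(ts, window):
    """Floor a timestamp to the start of its tumbling window."""
    epoch = datetime(1970, 1, 1)
    return epoch + ((ts - epoch) // window) * window


def detect_stuffing(records, window=WINDOW, min_accounts=MIN_ACCOUNTS, min_ips=MIN_IPS):
    """Aggregate detector. Per window it measures fan-out (distinct accounts and
    distinct IPs with failures) and the highest failure count on any one account.
    Many accounts, many IPs, and every account well under the lockout line is the
    credential-stuffing shape that per-account lockouts never see. A success from an
    IP that failed against a different account in the same window is reported as a
    probable reused password that the attacker has just validated."""
    wins = defaultdict(lambda: {"fail_by_user": defaultdict(int), "fail_ips": set(),
                                "fails_by_ip": defaultdict(set), "successes": []})
    for r in records:
        w = wins[window_start(r["ts"], window)]
        if r["ok"]:
            w["successes"].append((r["ip"], r["user"]))
        else:
            w["fail_by_user"][r["user"]] += 1
            w["fail_ips"].add(r["ip"])
            w["fails_by_ip"][r["ip"]].add(r["user"])
    alerts = []
    for start in sorted(wins):
        w = wins[start]
        accounts, ips = len(w["fail_by_user"]), len(w["fail_ips"])
        if accounts < min_accounts or ips < min_ips:
            continue
        suspect = sorted((ip, user) for ip, user in w["successes"]
                         if w["fails_by_ip"][ip] - {user})
        alerts.append({"window": start.isoformat(), "accounts": accounts, "ips": ips,
                       "max_failures_per_account": max(w["fail_by_user"].values()),
                       "suspect_successes": suspect})
    return alerts


if __name__ == "__main__":
    recs = parse_log(SAMPLE_LOG)
    print("locked by 3-strikes rule:", locked_accounts(recs) or "none")
    for alert in detect_stuffing(recs):
        print("credential stuffing suspected:", alert)
```

Run on the sample, the three-strikes rule locks nothing, while the window detector reports 12 failing accounts across 13 source addresses with at most two failures on any one account, and singles out the login to `peggy` from an address that had just failed against another account. In production the same logic would run over a real authentication log, with the thresholds set from the normal rate of failed logins and the window matched to how slowly the campaign is pacing itself.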
To reduce the chance of your company's email credentials falling into hackers' hands, you need an email policy that explicitly prohibits employees from using company email addresses for personal accounts. You should also educate employees about the dangers of reusing passwords, since a reused password turns a breach at an unrelated site into a breach of your own systems. Keep in mind that a policy cannot be verified from inside the company, so it is worth periodically checking whether addresses in your domain are appearing in published breach data, as the researchers above did. Your IT service provider can help with both efforts, as well as with developing a plan for preventing data breaches within your business.