Digital Shadows has released its Compromised Credentials research paper which analysed the largest 1,000 companies listed on the Forbes Global 2000.
The report found that 97 percent of those companies, spanning all businesses sectors and geographical regions, had leaked credentials publicly available online, many of them from third-party breaches. Credentials for over 5.5 million employees of the world’s largest companies have been found online, as large-scale data leaks become the norm according to the report. The top breaches were from social media platforms with LinkedIn, MySpace and Tumblr breaches being responsible for a respective 30 percent, 21 percent and eight percent of the total credentials.
The report revealed that the most affected country in the Middle East – with over 15,000 leaked credentials was the UAE. Saudi Arabia (3360), Kuwait (203) followed by Qatar (99) made up the rest of the list. This figure is relatively small as compared to the global figure due to the lower percentage of organisations that reside in the Middle East.
In the Middle East, organisations in the Technology industry were far more exposed than any other, dwarfing financial services, oil & gas and chemicals.
“The world used to be about your perimeters and your network. Recently there have been shifts as a result of social media, cloud and mobile. Which means that quite often, when information is getting online, it’s not from the company; it’s from a third party like a contractor somewhere in the company’s supply chain. Data breaches are no longer an aberration; they are the norm. With credentials for over 5.5 million employees of the world’s largest companies having been found online and with 97 percent of the top 1,000 companies suffering from credential compromise, it is clear that, irrespective of size, industry or geography, the vast majority of organisations have credentials exposed online. Compromised credentials hold significant value for cybercriminals as the information can be used for botnet spam lists, extortion attempts, spear-phishing and account takeover,” said Chris Brown, Digital Shadows VP EMEA and APJ.
The report also revealed that it is not quite as simple as organisations just resetting their passwords. Password resets can cause a lot of friction for organisations and so it’s necessary for IT departments first need to figure out whether the information stolen from a breach is unique, re-posted, or outdated information. 10 per cent of the 5 million leaked credentials in the report were actually duplicates which can cause even more confusion for an organisation that has suffered a breach. In order for organisations to prepare themselves for the inevitable data breach they need to first understand the impact of a breach and what they can do to prepare their employees and business for credential compromise.