Employees who use their work email address for personal accounts put their organizations at risk. Many organizations have likely had employee email credentials compromised without realizing it. The majority of these compromises come from breaches of social media, gaming, and dating sites, which points to the fact that many employees use their company email addresses to register for personal online accounts.
When email credentials are compromised, individuals and organizations may fall victim to:
- Account hijacking: When hackers have both the email address and password for an email account, they are able to change the password and take over the account. They can then use the hijacked account to carry out malicious activities, such as sending spam and distributing malware.
- Spear phishing attacks: Cybercriminals often use compromised email credentials in spear phishing attacks. For example, in June 2016, hackers sent spear phishing emails to corporate executives in Germany. To craft these emails, the cybercriminals used email credentials and other information (e.g., the person's first and last name) obtained from the 2012 LinkedIn data breach, according to Germany's Computer Emergency Response Team (CERT-Bund).
- Credential stuffing attacks: Since people tend to reuse passwords, hackers sometimes launch credential stuffing attacks, especially if they obtain a large number of credentials from a breach. In this type of attack, distributed botnets try the stolen credentials on high-value websites. This automated testing is done slowly and from many different IP addresses so that no single address trips the alerts (e.g., three unsuccessful login attempts) that could expose the attack.
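The credential stuffing description above has a practical consequence for defenders: a lockout rule that counts failures per source address never fires when each address makes only one or two attempts. The script below is an added example, not part of the newsletter, that shows why and what to count instead. It parses a constructed authentication log in a hypothetical format (`<ISO timestamp> auth=<ok|fail> user=<email> ip=<address>`; all addresses are documentation ranges and all accounts are made up), confirms that a three-failure per-IP rule stays silent, and then flags a time window in which failures are spread across many distinct addresses and many distinct accounts, which is the population-level signature of automated credential testing.

```python
"""Detect low-and-slow credential stuffing that per-IP lockout rules miss.

Added example (not from the newsletter). Log format and sample lines are
constructed for illustration.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample: ten failures spread over ten source addresses and ten
# accounts within 40 minutes, mixed with ordinary traffic (one user mistyping
# a password, retrying, and logging in successfully).
SAMPLE_LOG = """\
2016-06-01T09:00:00 auth=fail user=alice@example.com ip=198.51.100.11
2016-06-01T09:00:20 auth=ok user=alice@example.com ip=198.51.100.11
2016-06-01T09:02:00 auth=fail user=bob@example.com ip=203.0.113.7
2016-06-01T09:06:00 auth=fail user=carol@example.com ip=203.0.113.8
2016-06-01T09:10:00 auth=fail user=dave@example.com ip=203.0.113.9
2016-06-01T09:14:00 auth=fail user=erin@example.com ip=203.0.113.10
2016-06-01T09:18:00 auth=fail user=frank@example.com ip=203.0.113.11
2016-06-01T09:22:00 auth=fail user=grace@example.com ip=203.0.113.12
2016-06-01T09:26:00 auth=fail user=heidi@example.com ip=203.0.113.13
2016-06-01T09:30:00 auth=fail user=ivan@example.com ip=203.0.113.14
2016-06-01T09:34:00 auth=fail user=judy@example.com ip=203.0.113.15
2016-06-01T09:38:00 auth=fail user=mallory@example.com ip=203.0.113.16
2016-06-01T09:40:00 auth=fail user=alice@example.com ip=198.51.100.11
"""


def parse_log(text):
    """Turn log lines into dicts with a datetime, outcome, account and source IP."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        timestamp, *fields = line.split()
        kv = dict(field.split("=", 1) for field in fields)
        events.append({
            "time": datetime.fromisoformat(timestamp),
            "ok": kv["auth"] == "ok",
            "user": kv["user"],
            "ip": kv["ip"],
        })
    return events


def per_ip_failures(events):
    """Failed attempts per source address: what a naive lockout rule watches."""
    counts = defaultdict(int)
    for event in events:
        if not event["ok"]:
            counts[event["ip"]] += 1
    return dict(counts)


def lockout_would_fire(events, threshold=3):
    """Addresses that would trip a per-IP rule of `threshold` failures."""
    return [ip for ip, n in per_ip_failures(events).items() if n >= threshold]


def first_stuffing_window(events, window=timedelta(hours=1), min_ips=5, min_accounts=5):
    """Return the first sliding window whose failures span at least `min_ips`
    distinct source addresses AND `min_accounts` distinct accounts, or None.

    Each address may stay under the lockout threshold; the breadth of the
    failure population across addresses and accounts is what gives it away.
    """
    fails = sorted((e for e in events if not e["ok"]), key=lambda e: e["time"])
    start = 0
    for end in range(len(fails)):
        # Slide the window start forward until the bucket fits within `window`.
        while fails[end]["time"] - fails[start]["time"] > window:
            start += 1
        bucket = fails[start:end + 1]
        ips = {e["ip"] for e in bucket}
        accounts = {e["user"] for e in bucket}
        if len(ips) >= min_ips and len(accounts) >= min_accounts:
            return {
                "window_start": fails[start]["time"],
                "window_end": fails[end]["time"],
                "distinct_ips": len(ips),
                "distinct_accounts": len(accounts),
                "max_failures_per_ip": max(per_ip_failures(bucket).values()),
            }
    return None


if __name__ == "__main__":
    evts = parse_log(SAMPLE_LOG)
    print("per-IP lockout would fire for:", lockout_would_fire(evts))
    print("stuffing window:", first_stuffing_window(evts))
```

Running it prints an empty lockout list (no address reaches three failures) alongside a flagged window starting at 09:00 in which five addresses have each failed once against five different accounts. The thresholds are deliberately low for the small sample; in production they are tuned to the site's normal failure rate, and the distinct-account count matters as much as the distinct-IP count, because one user behind a corporate NAT legitimately produces many failures from one address but not across many accounts.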
Contact Mike Wilson at michaelwilson1@cwi.edu or 208.562.3193 with questions or for more information, and stay tuned for more tips and information on cybersecurity awareness in future issues of Bert’s Alerts.