Nearly one in three CEOs of the world's largest companies have had credentials exposed through an online service that was later breached. That is the finding of recently released research: 30 percent of CEOs at top companies worldwide had a password leaked by an online service they had registered for using their work email. Across CEOs at over 200 of the biggest companies in ten countries, the breached services most commonly used with, or linked to, a company email address were LinkedIn (53 percent) and Dropbox (18 percent), followed by Adobe and Myspace.
The research by F-Secure also reveals that 81 percent of CEOs have likely had their email addresses and other personally identifiable information (PII), such as physical addresses, birthdates, and phone numbers, exposed through spam lists and leaked marketing databases. CEOs in the UK, USA, the Netherlands, and France were the most likely to have their information exposed in this way, while CEOs from Italy and Japan were at the bottom of the list. The research involved cross-matching the company email addresses of CEOs against a publicly available database of leaked credentials.
The findings come on the heels of a warning from the Federal Bureau of Investigation (FBI) that Business Email Compromise (BEC) attacks are on the rise and have already cost businesses worldwide billions of dollars. BEC attackers have been found to carefully research and closely monitor their potential victims and the organizations they belong to.
Mitigating the effects of leaked information
The leak of company email passwords through work email accounts linked to online services can give cybercriminals access to corporate networks and cause damage ranging from intellectual property theft to large financial losses. To mitigate this threat, users should practice good password hygiene by choosing long, complex passwords that are unique to each service. Verizon's 2016 Data Breach Investigations Report found that 63 percent of confirmed data breaches involved weak, default, or stolen passwords. Enabling two-factor authentication (2FA) for email, social media, and other online apps can also prevent unauthorized access to your accounts even when a password has been leaked.
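The cross-matching approach the research describes, and the password-reuse check it motivates, can be reproduced in-house for a defender's own executive accounts. The script below is an added example, not F-Secure's code or the article's. It assumes a breach index exported as (email, service, SHA-1 of the leaked password) rows, which is a common format for such datasets but an assumption here, and every record and address in it is constructed sample data.

```python
import hashlib
from collections import Counter

def sha1_hex(text: str) -> str:
    """SHA-1 hex digest, the hash format many breach indexes publish leaked passwords in (assumed)."""
    return hashlib.sha1(text.encode("utf-8")).hexdigest()

# Constructed breach-index export: (email, service, sha1 of the password leaked with it).
# Hashes are computed here only so the sample is readable; a real export would ship the hex values.
LEAKED_RECORDS = [
    ("ceo@examplecorp.test",   "LinkedIn", sha1_hex("Summer2012!")),
    ("ceo@examplecorp.test",   "Dropbox",  sha1_hex("Summer2012!")),   # same password reused
    ("chief.exec@alpha.test",  "LinkedIn", sha1_hex("hunter2")),
    ("ceo@beta.test",          "Myspace",  sha1_hex("letmein")),
    ("someone@other.test",     "Adobe",    sha1_hex("unrelated")),     # not one of our executives
]

# Constructed list of executive work addresses as they appear in the company directory.
CEO_EMAILS = [
    "ceo@examplecorp.test",
    "Chief.Exec@alpha.test",
    "ceo+news@beta.test",
    "ceo@gamma.test",
]

def normalize_email(email: str) -> str:
    """Lower-case, trim, and drop a '+tag' sub-address so 'CEO+news@X' matches 'ceo@x' in the dump."""
    local, _, domain = email.strip().lower().partition("@")
    local = local.split("+", 1)[0]
    return f"{local}@{domain}"

def cross_match(emails, records):
    """Map each exposed executive address to the list of breached services it appeared in."""
    wanted = {normalize_email(e) for e in emails}
    hits = {}
    for email, service, _ in records:
        addr = normalize_email(email)
        if addr in wanted:
            hits.setdefault(addr, []).append(service)
    return hits

def exposure_stats(emails, hits):
    """Percentage of executives with at least one hit, and a per-service hit count."""
    total = len({normalize_email(e) for e in emails})
    exposed_pct = round(100.0 * len(hits) / total, 1) if total else 0.0
    services = Counter(s for svcs in hits.values() for s in svcs)
    return exposed_pct, services

def password_in_leak(email, candidate_password, records) -> bool:
    """True if the candidate password matches a hash leaked for this address: it must be rotated."""
    addr = normalize_email(email)
    digest = sha1_hex(candidate_password)
    return any(normalize_email(e) == addr and h == digest for e, _, h in records)

if __name__ == "__main__":
    hits = cross_match(CEO_EMAILS, LEAKED_RECORDS)
    pct, services = exposure_stats(CEO_EMAILS, hits)
    print(f"{pct}% of executives appear in the breach index")
    for service, count in services.most_common():
        print(f"  {service}: {count}")
    for addr, svcs in sorted(hits.items()):
        print(f"{addr}: {', '.join(sorted(svcs))}")
```

Run as a periodic job against a current directory export, the per-address hits tell you which accounts need a forced reset and 2FA enrolment first, and `password_in_leak` can gate a password-change form so a leaked value cannot be set again. Comparing hashes rather than plaintext means the script never needs to hold the leaked passwords themselves.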
Businesses that already have security policies restricting what employees may disclose on online services such as LinkedIn should consider extending those policies to online dating sites and apps, since attackers can also leverage sensitive information from these sites to gain a foothold in an organization.