Major consumer data leaks have rocked the retail industry in recent years, with such heavy hitters as Target and Home Depot seeing their customers compromised by identity thieves. Breaches that expose sensitive credit card information, however, aren’t the only ones occurring on the corporate scene today.
A recent study points out just how vulnerable corporations are to data breaches involving employee email addresses and passwords, which could serve as gateways into companies’ internal workings.
In its study titled “The Fortune 500’s Unfortunate 221,” Recorded Future reported that 44% of Fortune 500 companies have employees whose credentials have been leaked on the Internet.
That adds up to 221 different companies from such industries as finance, technology and utilities.
Recorded Future’s analysis of open source intelligence (OSINT) centered on corporate email and password combinations that were posted to online forums and paste sites between Jan. 1 and Oct. 8, 2014.
The corporate accounts and passwords were identified through Recorded Future’s analysis of more than 600,000 different open web sources spanning seven different languages.
While the leaks represent big vulnerabilities for the corporations, Recorded Future pointed out that most of the exposures did not occur due to direct hacks of corporate networks. Rather, they were mainly one-off instances resulting from vulnerabilities on third-party sites where employees used their corporate email addresses and passwords to sign up for services.
A Breakdown of the Victims
Recorded Future has not named the 221 affected Fortune 500 companies. It has, however, provided a breakdown of the types of industries involved in the breaches. The 221 companies include:
- 38 from the finance industry
- 35 from the retail and consumer services industries
- 26 technology firms
- 19 public utilities companies
- 19 capital goods firms
- 17 basic industries
- 16 healthcare companies
- 15 energy firms
- 15 consumer non-durables companies
- 11 consumer durables
- 10 transportation firms
The Potential Implications
While it is unknown if efforts have been launched to leverage the stolen credentials, Recorded Future cites a number of potential implications. The credentials could make the affected companies vulnerable to corporate espionage, tailored spear-phishing attacks and socially engineered cyber-attacks, researchers say.
Although it remains unclear what the full implications of the leaks might be, Recorded Future researcher Scott Donnelly told Mashable the purpose of the study was to highlight “how easy it is for somebody to just open the door and exploit a company because the information is sitting out there.”