30% of CEOs have had their credentials leaked

Username and password re-use potentially puts corporate information at risk - study

stressed man

Almost one in three CEOs have had their usernames and passwords leaked as part of a data breach, new figures have shown.

Infosec company F-Secure analysed the known email addresses of more than 200 CEOs from top businesses across ten countries, comparing these details to leaked spam lists and account databases distributed by hackers.

It found that 30% of CEOs had their password leaked when a service they had signed up for with their corporate account fell victim to a breach.

The biggest cause of this was professional networking service LinkedIn, which was linked to 53% of the leaked accounts F-Secure analysed. Hackers infiltrated the service back in 2012, then last year released the account details of 117 million people.

Advertisement
Advertisement - Article continues below
Advertisement - Article continues below

Next on the list was Dropbox, which 18% of CEOs had signed up to. F-Secure did, however, point out the caveat that someone else could have used a CEO's email address to attempt to sign up for a service.

The issue of password re-use - where people use the same login details for multiple services - means that CEOs may need to change the passwords for other services than those their email addresses were leaked by.

For instance, hackers could try CEOs' credentials leaked in the LinkedIn and Dropbox breaches to attempt to gain access to sensitive corporate information through credential re-use attacks.

"This study once again underscores the importance of proper password hygiene," said F-Secure CISO Erka Koivunen. "The CEO's credentials may have leaked even when they have done nothing wrong.

"We can assume that many of the services we've created an account in have already been compromised and the old passwords are out there on the internet, just waiting for targeted, motivated attackers to try them against other services."

In addition to this, more than 80% of CEOs were found to have had personal information - including email addresses, physical addresses, phone numbers and dates of birth - exposed via leaked marketing databases and spam lists.

Advertisement - Article continues below

In fact, less than one in five CEOs had no leaks whatsoever associated with their email address.

On the other hand, Koivunen also pointed out that signing up to services with a privately-controlled email account may not necessarily be any more secure.

"When using a private email, a personal phone number or a home address to register for a service that the CEO uses to conduct official business, the CEO effectively denies the company's IT, communications, IPR, legal, and security teams a chance to protect the credentials, monitor their misuse or attempts to compromise them and makes it nearly impossible to recover them later," he said.

"To an attacker, a CEO who uses private email to register for a service they use in an official capacity spells a loner - someone who goes it alone and doesn't bother to rely on his/her staff to provide protection."

Featured Resources

What you need to know about migrating to SAP S/4HANA

Factors to assess how and when to begin migration

Download now

Your enterprise cloud solutions guide

Infrastructure designed to meet your company's IT needs for next-generation cloud applications

Download now

Testing for compliance just became easier

How you can use technology to ensure compliance in your organisation

Download now

Best practices for implementing security awareness training

How to develop a security awareness programme that will actually change behaviour

Download now
Advertisement

Recommended

Visit/security/internet-security/354417/avast-and-avg-extensions-pulled-from-chrome
internet security

Avast and AVG extensions pulled from Chrome

19 Dec 2019
Visit/security/354156/google-confirms-android-cameras-can-be-hijacked-to-spy-on-you
Security

Google confirms Android cameras can be hijacked to spy on you

20 Nov 2019
Visit/security/ddos/28039/how-to-protect-against-a-ddos-attack
Security

How to protect against a DDoS attack

25 Oct 2019
Visit/data-breaches/29418/equifax-data-breach-cost-14-billion-so-far/page/0/1
data breaches

Ex-Equifax CIO to serve four months for insider trading

2 Jul 2019

Most Popular

Visit/microsoft-windows/32066/what-to-do-if-youre-still-running-windows-7
Microsoft Windows

What to do if you're still running Windows 7

14 Jan 2020
Visit/operating-systems/25802/17-windows-10-problems-and-how-to-fix-them
operating systems

17 Windows 10 problems - and how to fix them

13 Jan 2020
Visit/policy-legislation/data-governance/354496/brexit-security-talks-under-threat-after-uk-accused-of
data governance

Brexit security talks under threat after UK accused of illegally copying Schengen data

10 Jan 2020
Visit/hardware/laptops/354533/dell-xps-13-new-9300-hands-on-review-chasing-perfection
Laptops

Dell XPS 13 (New 9300) hands-on review: Chasing perfection

14 Jan 2020