Password reuse is rampant among Fortune 1000 employees
SpyCloud published an annual analysis of identity exposure among employees of Fortune 1000 companies in key sectors such as technology, finance, retail and telecommunications.
Drawing on a database of over 200 billion recaptured assets, researchers identified over 687 million exposed credentials and PII tied to Fortune 1000 employees, a 26% increase from last year’s analysis.
Analysis of this data showed a 64% password reuse rate, widespread use of easy-to-guess passwords, and a spike in malware-infected devices – all sources of cyber risk for both employers and the consumers who rely on businesses to safeguard their personal data. With remote work blurring the line between work and personal device use, a larger attack surface compounds the risk that cyberattacks spread beyond compromised employee and consumer identities to penetrate corporate networks.
“In the last two years, most companies’ attack surfaces have expanded due to the new reality of a hybrid workforce,” said David Endler, Chief Product Officer of SpyCloud. “Combined with facing a barrage of threats from malicious actors and the state of global affairs, there’s an urgent need for Fortune 1000 companies to shore up all threat vectors, starting with identifying and remediating compromised employee credentials and malware-infected devices.”
Researchers identified credentials, PII and infected device data of 70,000 Fortune 1000 employees in recaptured botnet logs containing information siphoned using infostealer malware. An employee working from a malware-infected personal device creates risk for the enterprise, even with the use of complex passphrases and MFA. These high-severity exposures give criminals all the data they need to bypass authentication measures and impersonate employees, including passwords, system information, browser fingerprints, and web session cookies. Further, nearly 29 million malware-infected consumer devices were used to log into the consumer-facing sites of Fortune 1000 companies, exposing their credentials and PII to fraudsters.
“Malware infections on personal devices are the riskiest source of exposure because they are so difficult to detect and can drastically increase the attack surface for ransomware,” Endler said. “These attacks could not only lead to disastrous consequences for a company’s bottom line but could also significantly impact sectors such as critical infrastructure.”
Critical infrastructure and technology sectors lag behind
The report showed that critical infrastructure companies were the worst offenders for bad password hygiene. Across four industries – aerospace and defense, chemical, industrial, and energy – elementary password hygiene issues were found, including the use of company names in the top three to five most used passwords.
While critical infrastructure employees exhibited the poorest password hygiene, the technology sector had the most severe identity exposure, with over 26 million breach records representing 139 million employee assets (credentials, PII, cookies, etc.) – 21% of all exposed Fortune 1000 records (followed by financial services with 21 million records and nearly 120 million assets).
Technology companies also had the largest number of malware-infected devices across sectors, with nearly 70% of all infected consumer devices identified among the Fortune 1000 (20.6 million) and about 50% of all infected employee devices (approximately 34,000).
To defend against account takeover, malware, ransomware and other malicious cyberattacks, Fortune 1000 companies cannot rely solely on their employees to keep them safe; they should instead treat users as consumers whose behavior multiplies the attack surface.
To minimize exposure and safeguard data, enterprises need to enforce a strong enterprise password policy with SSO where possible, create clear company policies on the use of business and personal devices, enforce multi-factor authentication on critical accounts, mandate the use of password managers, and maintain continuous, actionable intelligence on their users’ exposure – especially in industries entrusted with vast amounts of sensitive consumer data such as technology, e-commerce, financial services, and critical infrastructure.
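The two hygiene failures the report singles out, company names inside passwords and reuse of already-exposed passwords, are both checkable at password-set time. The following Python is an added illustration, not SpyCloud's code or anything from the report: it screens a candidate password against a constructed company-name token list (with common character substitutions undone) and against a constructed exposed-password set indexed by SHA-1 prefix, the same bucket layout a k-anonymity range lookup uses, and it flags users whose one password hash shows up on more than one service. The employer name "Acme Corp", the token list, the exposed passwords and the account records are all made up for the example.

```python
import hashlib
import re
from collections import defaultdict

# Constructed sample data (not from the report): plaintext passwords standing in
# for a recaptured-credential feed. Real feeds are consumed as hashes, not plaintext.
CONSTRUCTED_EXPOSED_PASSWORDS = {"Password123", "Summer2023!", "Welcome1", "acmecorp1"}

# Constructed company-name tokens for a hypothetical employer "Acme Corp".
COMPANY_TOKENS = {"acmecorp", "acme"}

# Substitutions users commonly apply to slip past a naive name check.
LEET_MAP = str.maketrans(
    {"0": "o", "1": "i", "3": "e", "4": "a", "5": "s", "7": "t", "@": "a", "$": "s"}
)


def sha1_hex(password: str) -> str:
    """SHA-1 of the password, upper-case hex (the format breach indexes use)."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest().upper()


def build_hash_index(passwords):
    """Bucket exposed-password hashes by 5-hex-char SHA-1 prefix.

    This mirrors a k-anonymity range query: a client sends only the prefix,
    receives all suffixes in that bucket and compares locally, so the
    candidate password itself never leaves the client.
    """
    index = defaultdict(set)
    for pw in passwords:
        h = sha1_hex(pw)
        index[h[:5]].add(h[5:])
    return index


def is_exposed(password: str, index) -> bool:
    """True if the password's hash suffix is in its prefix bucket."""
    h = sha1_hex(password)
    return h[5:] in index.get(h[:5], set())


def normalize(password: str) -> str:
    """Lower-case, undo common substitutions and drop separators."""
    return re.sub(r"[^a-z0-9]", "", password.lower().translate(LEET_MAP))


def contains_company_token(password: str, tokens) -> bool:
    """True if any company-name token survives normalization."""
    norm = normalize(password)
    return any(tok in norm for tok in tokens)


def evaluate_password(password: str, tokens, index, min_len: int = 12):
    """Return the list of policy findings for a candidate password (empty = accept)."""
    findings = []
    if len(password) < min_len:
        findings.append("too_short")
    if contains_company_token(password, tokens):
        findings.append("contains_company_name")
    if is_exposed(password, index):
        findings.append("known_exposed")
    return findings


def find_reused(records):
    """records: iterable of (user, service, password) tuples from exposure data.

    Returns the set of users whose same password hash appears on more than
    one service, i.e. the reuse pattern the report measures at 64%.
    """
    per_user = defaultdict(lambda: defaultdict(set))
    for user, service, pw in records:
        per_user[user][sha1_hex(pw)].add(service)
    return {u for u, hashes in per_user.items() if any(len(s) > 1 for s in hashes.values())}


# Constructed account records (hypothetical users and services).
CONSTRUCTED_RECORDS = [
    ("alice@example.com", "hr-portal", "Summer2023!"),
    ("alice@example.com", "personal-mail", "Summer2023!"),
    ("bob@example.com", "hr-portal", "Tr0ub4dor&3"),
    ("bob@example.com", "personal-mail", "correct horse battery staple"),
]

EXPOSED_INDEX = build_hash_index(CONSTRUCTED_EXPOSED_PASSWORDS)

if __name__ == "__main__":
    for candidate in ("Summer2023!", "Acm3C0rp2024!", "correct horse battery staple"):
        print(candidate, "->", evaluate_password(candidate, COMPANY_TOKENS, EXPOSED_INDEX))
    print("reused across services:", sorted(find_reused(CONSTRUCTED_RECORDS)))
```

The normalization step is what makes the company-name rule bite: "Acm3C0rp2024!" satisfies a length rule and contains no literal "acme", yet it is rejected. The prefix index is deliberately shaped like a k-anonymity lookup so the same `is_exposed` logic can later be pointed at a remote range endpoint without ever transmitting the full hash.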