Forty-four percent of Fortune 500 companies have had their employees’ stolen email addresses and passwords exposed in Internet forums used by hackers this year, giving criminals potential entrée to customer data and critical U.S. infrastructure, according to a new report.
The data firm Recorded Future scoured Internet forums and “paste sites” – web applications typically used to share computer code -- from Jan. 1 through Oct. 8 to uncover the vulnerability involving employee “credentials” – the combination of an email address and password. Recorded Future found that 221 of the nation’s top companies had employee credentials exposed, including 51 percent of the leading financial firms, 62 percent of technology firms and 49 percent of public utilities.
“The presence of these credentials on the open web leaves these Fortune 500 companies vulnerable to corporate espionage, socially engineered cyberattacks and tailored spear-phishing attacks,” the report said. The employees also put themselves at risk on any services with which they may have used the same email and password combination, such as online banking.
The exposure of public utilities’ security practices were particularly concerning, because hackers could conceivably gain control of parts of the electrical grid or dams. Recorded Future research highlighted “multiple public utilities with webmail logon pages easily discovered with Google searches.”
Most of the exposures occurred through third-party websites. Employees often registered on the sites using their work email accounts to engage in seemingly innocuous activities such as posting commentary on blogs, reviewing hotels or restaurants or participating on hobbyist websites, it said.
Many of these smaller sites lack sophisticated security and are susceptible to hackers, said Scott Donnelly, who conducted the analysis for Recorded Future. While most such sites encrypt or “hash” passwords to avoid revealing them in plain text, such protections are often easily overwhelmed using modern hacking tools that are “open-source and readily available,” he said.
“At that point it becomes a coin flip … whether or not that‘s a valid log-on for that company account as well,” Donnelly told NBC News, referring to numerous studies showing that computer users frequently reuse passwords so they can remember them.
Compounding the problem is the fact that security breaches on smaller sites are rarely reported to authorities, meaning that the employees and corporate IT managers are often unaware that the information has been exposed, said Christopher Ahlberg, Recorded Future’s founder and CEO.
“You’re not going to see a CNET.com story if it’s a neighborhood 5k run that gets hacked,” he said.
The report did not attempt to quantify how often stolen credentials were used to launch cyberattacks against the Fortune 500 companies. But it cited a recent claim by hackers who said they stole 7 million user names and passwords from the popular cloud storage service Dropbox as following the credential-theft model. “Attackers … used these stolen credentials to try to log into sites across the Internet, including Dropbox,” it said.
Dropbox has denied it was the source of the data breach, blaming unidentified third-party services.
It is unclear what role – if any – credential theft from employees may have played in recent high-profile corporate hacks in which the cyberattackers absconded with customer data. But Donnelly, the report’s author, said the hack of Target – itself a Fortune 500 company – was similar in that the theft began with the theft of network credentials from a subcontractor, a heating and air conditioning supplier, according to security blogger Brian Krebs.
The report said so-called paste sites that allow users to store and share plain text, “have become a dumping ground for stolen credentials.” Donnelly said such information is often removed quickly by site administrators, but that even brief exposure can give hackers an opportunity to copy it, he said.
Follow NBC News Investigations on Twitter and Facebook.
It also said that employers can cut their security risks by developing clear policies on employee use of company credentials on external sites, enabling multi-factor authentication and other steps.
Another report released this week by Kaspersky Lab indicates that corporate cyberattacks continue to rise, saying that 94 percent of companies worldwide detected attempts to steal data in the past year, a 3 percent increase over last year.
