In today's interconnected world it is hard to keep our personal information secure. Almost every website entices us with exclusive offers if only we provide an email address, name or phone number, which makes it easy for bad actors to imitate those pop-ups and harvest the data of unsuspecting or distracted users. Phishing emails and smishing (SMS phishing) messages claim many victims daily. While a set of login credentials stolen from a personal account can cause a big inconvenience for an individual, in the form of identity theft and financial loss, the same set of credentials taken from an employee's company account can cause much larger-scale disruption and financial loss to the company and its customers, and put other employees and customers at risk. In that case, a simple password change might not cut it.
How do hackers access employee credentials?
The most common way to gain access to employee credentials is phishing. Phishing attacks on corporate entities work in much the same way as attacks on private individuals: emails are sent out to trick workers into handing over their login details through a fake login page or a pop-up form. These emails often imitate internal company emails, or emails from suppliers and service providers offering discounts or requesting urgent action. While the emails will likely be sent to most users within the company, a momentary lapse of vigilance by a single employee is enough to hand an attacker a foothold inside the corporate network.
Another popular method is credential stuffing. Bad actors use automated tools to take username (or email) and password pairs exposed in earlier data breaches and try them against the login pages of other services. Because many people reuse the same password across accounts (password recycling), this type of attack has a decent success rate. Unlike brute forcing, it typically makes only one or two attempts per account, so it slips past simple per-account lockout rules and has to be spotted by looking across accounts.
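The cross-account pattern is what a defender can look for: one source address trying many distinct usernames, almost all failing, with the occasional success marking a recycled password. The following detection routine, an added example that is not part of the original article, runs that heuristic over a handful of constructed authentication log lines. The log format, the thresholds and the source addresses are assumptions chosen for illustration.

```python
"""Spot credential-stuffing patterns in authentication logs.

Added example, not from the original article. The log format below and
the thresholds in find_stuffing_sources() are assumptions for illustration.
"""
from collections import defaultdict
import re

# Constructed sample log: 203.0.113.7 is a stuffing run (many different users,
# mostly failures, one hit on a recycled password); 198.51.100.4 is a normal
# user who mistyped once and then logged in.
SAMPLE_LOG = """\
2024-05-01T10:00:01Z src=203.0.113.7 user=alice@example.com result=FAIL
2024-05-01T10:00:02Z src=203.0.113.7 user=bob@example.com result=FAIL
2024-05-01T10:00:02Z src=203.0.113.7 user=carol@example.com result=FAIL
2024-05-01T10:00:03Z src=203.0.113.7 user=dave@example.com result=SUCCESS
2024-05-01T10:00:03Z src=203.0.113.7 user=erin@example.com result=FAIL
2024-05-01T10:00:04Z src=203.0.113.7 user=frank@example.com result=FAIL
2024-05-01T10:00:10Z src=198.51.100.4 user=grace@example.com result=FAIL
2024-05-01T10:00:15Z src=198.51.100.4 user=grace@example.com result=SUCCESS
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) src=(?P<src>\S+) user=(?P<user>\S+) result=(?P<result>\S+)$"
)


def parse(log_text):
    """Parse the assumed key=value log format into a list of event dicts."""
    events = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if m:
            events.append(m.groupdict())
    return events


def find_stuffing_sources(events, min_users=5, min_fail_ratio=0.7):
    """Return {src: stats} for sources that look like credential stuffing.

    Heuristic: a single source trying many *distinct* usernames with a high
    failure ratio. A brute-force attack hits one user many times; stuffing
    hits many users roughly once each, because each breached pair is tried
    once. Any SUCCESS from a flagged source is a recycled password: that
    account needs a forced reset and session revocation, not just a lockout.
    """
    per_src = defaultdict(
        lambda: {"users": set(), "attempts": 0, "failures": 0, "successes": set()}
    )
    for e in events:
        s = per_src[e["src"]]
        s["users"].add(e["user"])
        s["attempts"] += 1
        if e["result"] == "SUCCESS":
            s["successes"].add(e["user"])
        else:
            s["failures"] += 1

    flagged = {}
    for src, s in per_src.items():
        ratio = s["failures"] / s["attempts"]
        if len(s["users"]) >= min_users and ratio >= min_fail_ratio:
            flagged[src] = {
                "distinct_users": len(s["users"]),
                "fail_ratio": round(ratio, 2),
                "compromised": sorted(s["successes"]),
            }
    return flagged


if __name__ == "__main__":
    for src, stats in find_stuffing_sources(parse(SAMPLE_LOG)).items():
        print(src, stats)
```

In production the same grouping would be done per time window (the sample above spans a few seconds) and keyed on an autonomous system or user-agent fingerprint as well as the source address, since stuffing tools rotate through proxies; the per-account view alone never sees more than one failure.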
What are the risks?
Gaining entry to corporate systems via stolen employee credentials is often just step one in a larger attack. In the best case, a single intruder snoops around, steals a few files and quickly sells them on the dark web before the breach is detected and stopped. Too often, the outcome is far worse.
Bad actors frequently use the foothold to move through the network and deploy further malware, most notably ransomware. Sometimes they encrypt the data and offer a decryption key in return for a monetary ransom. Increasingly, the data is stolen before it is encrypted (so-called double extortion), giving the victim "extra motivation" to pay: if they do not cooperate, the stolen files are sold or published for free on the dark web.
One of the biggest ransomware attacks in recent history, the May 2021 attack on Colonial Pipeline, is reported to have started with a stolen employee password for a VPN account that was not protected by multi-factor authentication. Colonial Pipeline, which operates a pipeline system carrying fuel from Texas to the US Southeast, suffered a ransomware attack on its IT systems and shut down pipeline operations as a precaution, causing days of fuel supply disruption and significant financial losses. The ransom payment alone was about $4.4 million in bitcoin, of which the U.S. Department of Justice later recovered roughly $2.3 million.
More recently, in February 2024, Change Healthcare's network was breached by the BlackCat (ALPHV) ransomware group using remote-access credentials that had previously been stolen by information-stealing malware; the account reportedly had no multi-factor authentication. The attack caused major disruption to day-to-day services, including pharmacy outages that made it impossible to fill patients' prescriptions through their insurance. It is unknown how many people had to pay full price for their medication or, unable to afford it, went without. The attack also compromised sensitive information belonging to millions of people, putting them at risk of fraud and identity theft.
The financial fallout also damaged Change Healthcare's reputation. With claims and payments stalled, many medical practices reportedly faced cash-flow problems severe enough to threaten closure. That can start a domino effect: more pressure on the practices that remain open, longer waits, poorer health outcomes and higher prices, and lasting damage to the company's standing with customers, partners and prospective employees. All because of one compromised set of credentials.
What can be done?
- Password strength – enforce a generous minimum length and screen every new password against lists of known breached passwords. Note that NIST SP 800-63B now advises against mandatory composition rules (upper and lower case, numbers, symbols): they push users toward predictable patterns such as "Password1!", which appear in every breach list, while length and breach screening do far more to defeat guessing.
- Password change frequency – require a password change whenever there is evidence of compromise (a breach notification, a login from attacker infrastructure, credentials spotted in a leak). Calendar-based rotation, once standard advice, is no longer recommended by NIST SP 800-63B because it encourages small, predictable variations of the old password.
- No password reuse – a unique password for every account, and never a previous password at a change, blunts credential stuffing, in which bad actors use automated tools to feed previously stolen username and password pairs into the login pages of other sites and applications. A company-provided password manager makes this practical for staff.
- Multi-factor authentication (MFA) – requiring at least one verification factor beyond the password means a stolen password on its own is not enough. Prefer phishing-resistant methods (FIDO2/WebAuthn security keys or passkeys) over SMS codes, which can be phished or intercepted, and make sure MFA covers remote-access services such as VPN and Citrix portals; both incidents above involved remote-access accounts without it.
- Access controls – limit access to internal data to what each job role actually needs (least privilege), so that a single stolen credential exposes as little as possible, and review privileged accounts regularly.
- Up-to-date software – regularly patch software and operating systems to close known security gaps an intruder could use to escalate from a stolen login to full control of the network.
- Backup data – regularly back up sensitive data to a secure off-site location, keep at least one copy offline or immutable so ransomware cannot encrypt or delete it, and test restores; good backups limit data loss and remove much of the attacker's leverage.
- Dark web monitoring services – these continuously scan criminal marketplaces and leak sites for mentions of your business, domains and employee email addresses, helping you detect stolen credentials before they are used.
- Awareness and training – although it may seem self-explanatory, a short training session highlighting the importance of work-account security and the warning signs in internal correspondence (unexpected login prompts, artificial urgency, mismatched sender domains) pays off, as does an easy way for staff to report suspicious messages.
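The first three points above (length and breach screening instead of composition rules, change on evidence of compromise, no reuse) can be enforced at the point where a user sets a password. The following password screening routine is an added example and not code from the original article: it rejects short passwords, passwords found in a breach corpus, passwords containing the username or company name, and any of the user's recent previous passwords. The breach corpus is a small constructed set standing in for a real one such as Have I Been Pwned, and the prefix lookup mirrors the shape of that service's k-anonymity range query while running entirely offline; the minimum length of 12 is an assumed policy value.

```python
"""Screen a proposed password the way NIST SP 800-63B recommends: length,
a breached-password blocklist and a per-user history check, rather than
character-class rules and calendar-based rotation.

Added example, not from the original article. BREACHED_SHA1 is a constructed
stand-in for a real breach corpus; breached_suffixes() mimics a k-anonymity
range lookup but never leaves this process.
"""
import hashlib
import hmac
import secrets


def sha1_hex(password):
    # SHA-1 is used here only because breach-lookup services key on it;
    # it is NOT suitable for storing the user's own password.
    return hashlib.sha1(password.encode("utf-8")).hexdigest().upper()


# Constructed breach corpus: note "Password1!" satisfies every classic
# composition rule and is still a known breached password.
BREACHED_SHA1 = {sha1_hex(p) for p in ["password", "Password1!", "Summer2024!", "qwerty123"]}


def breached_suffixes(prefix5):
    """Offline stand-in for a k-anonymity range query: given the first five
    hex characters of a SHA-1, return the matching suffixes from the corpus.
    A real client sends only the 5-character prefix, never the full hash."""
    return {h[5:] for h in BREACHED_SHA1 if h.startswith(prefix5)}


def is_breached(password):
    h = sha1_hex(password)
    return h[5:] in breached_suffixes(h[:5])


def pbkdf2(password, salt, iterations=50_000):
    # Slow, salted hash for the history store; previous passwords are never
    # kept in plaintext or in a fast unsalted hash.
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)


class PasswordHistory:
    """Per-user store of the last `keep` passwords as (salt, hash) pairs."""

    def __init__(self, keep=5):
        self.keep = keep
        self.entries = []

    def seen(self, password):
        return any(hmac.compare_digest(pbkdf2(password, salt), h) for salt, h in self.entries)

    def add(self, password):
        salt = secrets.token_bytes(16)
        self.entries.append((salt, pbkdf2(password, salt)))
        self.entries = self.entries[-self.keep:]


def evaluate(password, history, min_len=12, max_len=64, user_terms=()):
    """Return the list of reasons a password is rejected; empty means accepted.

    user_terms holds strings the password must not contain, e.g. the
    username and the company name.
    """
    reasons = []
    if not (min_len <= len(password) <= max_len):
        reasons.append(f"length must be {min_len}-{max_len} characters")
    if is_breached(password):
        reasons.append("appears in a known breach corpus")
    lowered = password.lower()
    if any(t.lower() in lowered for t in user_terms if t):
        reasons.append("contains the username or company name")
    if history.seen(password):
        reasons.append("reused a previous password")
    return reasons


if __name__ == "__main__":
    hist = PasswordHistory()
    for candidate in ["Password1!", "violet-kettle-harbor-42"]:
        verdict = evaluate(candidate, hist, user_terms=("alice", "ExampleCorp"))
        print(candidate, "->", verdict or "accepted")
```

The history check is what gives "change on evidence of compromise" teeth: when a credential turns up in a leak, the forced reset cannot be satisfied with the same password or one of its recent predecessors, and the breach check stops the replacement from being another widely recycled string.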
Conclusion
In an era where digital security is paramount, the threat of cyberattacks that begin with employee credential theft cannot be overstated. These breaches can lead to significant financial losses, operational disruptions and severe reputational damage. Companies must keep software up to date, implement serious security measures such as phishing-resistant MFA and least-privilege access, and provide appropriate training to protect their businesses. Cyber threats continue to evolve, so staying vigilant and adapting to new security challenges is essential to maintaining a secure and resilient organisation.