Cybersecurity Companies Expose Sensitive Data Online
Nearly all cybersecurity companies have exposed sensitive data including PII and passwords online, according to a new study from ImmuniWeb.
The security vendor selected 398 of the world’s top security vendors and then scoured surface, dark and deep web sites including hacking forums and marketplaces, WhatsApp groups, public code repositories, social networks and paste websites.
It claimed to have discovered verified sensitive data over 631,000 times, with 17% of these “incidents” classed as critical risk, meaning they included logins with plaintext passwords, or recent and/or unique leaks of data such as PII and financial records.
In total, the research revealed PII and corporate data accounted for half (50%) of all incidents, with credentials taking 30% and backups and dumps 15%.
Also concerning is the fact that 29% of the discovered passwords were “weak”, i.e. shorter than eight characters and containing no uppercase letters, no digits and no special characters. In 41% of the companies studied, employees were found to have reused the same password across different breached systems, further exposing their organization to breach risk.
The report also revealed that over 5100 stolen credentials came from breaches of adult content sites, meaning employees had registered on such sites with their work emails.
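The findings above (work addresses appearing in third-party dumps, weak passwords as the article defines them, and the same credential recurring across breaches) are the kind of thing a security team can triage itself from leaked credential lists. The script below is an added example written for this page; it is not ImmuniWeb's tooling and does not reproduce the study's methodology. The corporate domain `example-sec.com`, the dump file names and every credential line are constructed for illustration.

```python
"""Triage constructed breach-dump lines for accounts belonging to a corporate domain."""
import hashlib
from collections import defaultdict

# Hypothetical vendor domain; replace with your own organisation's domains.
CORPORATE_DOMAINS = {"example-sec.com"}

# Constructed sample dumps in the common "email:password" layout (not real data).
SAMPLE_DUMPS = {
    "breach_a.txt": [
        "alice@example-sec.com:Summer2019!",
        "bob@example-sec.com:secret",
        "carol@gmail.com:hunter2",
        "garbage line without separator",
    ],
    "breach_b.txt": [
        "bob@example-sec.com:secret",
        "dave@example-sec.com:Tr0ub4dor&3",
        "ALICE@Example-Sec.com:Summer2019!",
    ],
    "adult_site.txt": [
        "dave@example-sec.com:letmein",
    ],
}


def parse_line(line):
    """Return (email, password) from an 'email:password' line, or None if malformed."""
    line = line.strip()
    if ":" not in line or "@" not in line.split(":", 1)[0]:
        return None
    email, password = line.split(":", 1)
    # Email addresses are case-insensitive; passwords are not.
    return email.strip().lower(), password


def missing_properties(password):
    """Return which of the four strength properties named in the article the password lacks."""
    missing = set()
    if len(password) < 8:
        missing.add("length")
    if not any(c.isupper() for c in password):
        missing.add("uppercase")
    if not any(c.isdigit() for c in password):
        missing.add("digit")
    if not any(not c.isalnum() for c in password):
        missing.add("special")
    return missing


def is_weak(password):
    """Weak as the article describes it: short AND lacking uppercase, digits and specials."""
    return missing_properties(password) == {"length", "uppercase", "digit", "special"}


def fingerprint(password):
    """Keep a truncated hash rather than the plaintext once it has been classified."""
    return hashlib.sha256(password.encode()).hexdigest()[:16]


def triage(dumps, domains=CORPORATE_DOMAINS):
    """Flag corporate accounts, weak passwords and credentials reused across dumps."""
    seen = defaultdict(set)  # (email, password fingerprint) -> dump names it appeared in
    weak = set()
    corporate = set()
    for dump_name, lines in dumps.items():
        for line in lines:
            parsed = parse_line(line)
            if parsed is None:
                continue  # skip malformed lines rather than abort the whole dump
            email, password = parsed
            if email.rsplit("@", 1)[1] not in domains:
                continue  # only care about our own domain(s)
            corporate.add(email)
            if is_weak(password):
                weak.add(email)
            seen[(email, fingerprint(password))].add(dump_name)
    reused = sorted(email for (email, _), sources in seen.items() if len(sources) > 1)
    return {
        "corporate_accounts": sorted(corporate),
        "weak_password_accounts": sorted(weak),
        "reused_across_dumps": reused,
    }


if __name__ == "__main__":
    for key, value in triage(SAMPLE_DUMPS).items():
        print(f"{key}: {value}")
```

The "weak" test follows the article's wording, where all four properties fail at once; a real password policy would normally reject a password that fails any one of them, which is what `missing_properties` returns. Only a hash fingerprint is retained for the reuse check so that plaintext passwords are not kept around longer than the classification needs.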
In total, 97% of the cybersecurity firms studied were found to have sensitive data exposed online, although some of the incidents date back as far as 2012, and the majority were classed as low (25%) or medium (49%) risk.
Low risk refers to “mentions of an organization, its IT assets or employees in data leaks, samples or dumps without accompanying sensitive or confidential information,” while medium risk could include encrypted passwords or leaks of “moderately” sensitive data such as source code or internal docs.
ImmuniWeb CEO Ilia Kolochenko warned that third parties like security vendors are an increasingly popular target for attackers.
“In 2020, one need not spend on costly zero-days but rather find several unprotected third parties with privileged access to the ‘Crown Jewels’ and swiftly crack the weakest link,” he added.