Employee login credentials from 221 of the Fortune 500 companies have been posted online, according to Recorded Future, a web intelligence firm.
Fortune 500 companies spend considerable time and money on securing their networks, but this could be futile if an employee uses their ID to sign up for, or sign in to, forums. Their details could end up on text repositories like Pastebin, which houses username and password dumps. Researchers at Recorded Future searched around 600,000 websites for credentials posted between January 1st and October 8th 2014, and at least one username and password combination was found for 220 of the Fortune 500 companies.
Having an employee's details isn't always enough to hack into a company, as hackers also need to know where those details are used. Recorded Future found that the webmail login pages of some companies are searchable on Google, making those companies even more susceptible to cyber-attacks if an employee's details are compromised.
The report doesn't name companies or individuals, and Recorded Future has not notified any of the companies yet, according to Recorded Future CEO and cofounder, Christopher Ahlberg, and senior analyst Scott Donnelly. The goal of their research is to show that big companies aren't immune to password leaks. Evidence of this includes seven million Dropbox usernames and credentials dumped just weeks ago.
The issue with these dumps is the risk of password reuse. If the same password is reused, a hacker doesn't need to breach Google to obtain your Gmail password; instead, it can be found on online forums. This is why Facebook recently announced that it has been actively scouring sites that host dumped credentials to notify users if their password has been compromised.
“These credential dumps are outside the companies' control. The data likely comes from third-party sites — not from breaches of companies' servers — where an employee used a corporate email to sign up for something. In the past few years, for example, hackers have breached websites and services like Adobe and Forbes,” said Ahlberg.
"We have a pretty good coverage of the underbelly of the web, but these are just the public posts. We're highlighting how easy it is for somebody to just open the door and exploit a company because the information is sitting out there. But most certainly, there's information that's yet to be published," said Donnelly.