Even cybersecurity companies spill data and passwords

The business of cybersecurity companies is to keep users safe from hackers and cyber attacks but almost all cybersecurity providers have themselves had data leaked or stolen and published on dark web forums.

Research by application security company  Immuniweb found that nearly all of the top cybersecurity companies have had corporate data exposed and shared on the cyber criminal underground – including login credentials like usernames and passwords.

Compromised servers, social engineering and password re-use are among the reasons for data spillages.

“The cases really vary across the victims, ranging from compromised servers that were apparently forgotten by the victims, to targeted attacks against employees leveraging social engineering and phishing. A considerable number of incidents stems from third parties where employees of the victims were using their professional email addresses to sign in,” Ilia Kolochenko, CEO of Immuniweb told ZDNet.

Researchers were able to uncover over 600,000 records containing plain text credentials or personal information.

And while the majority of passwords discovered in these breaches are described as strong, 29 percent would be considered weak, containing less than eight characters, no numbers, no special characters and no capital letters.

Common weak passwords like ‘password’ and ‘123456′ appear over 1,000 times each in the data analysed, while others like ‘password1’ ‘12345678’ and ‘qwerty’ appear hundreds of times.

SEE: A winning strategy for cybersecurity (ZDNet special report) | Download the report as a PDF (TechRepublic)  

It seems that cybersecurity companies suffer from the same password problems that other organisations have to deal with – in that some systems might just be forgotten about or they have simple passwords for some accounts.

“Some of these accounts were probably not designed to gatekeep access to critical data, and were occasionally just used to login to different non-critical systems that were eventually compromised,” Kolochenko explained.

“One also needs to consider that not all employees of cybersecurity companies are security professionals – a number of employees have nothing to do with cybersecurity practice and have insufficient internal training. The bigger the company is, the more human risk it will inevitably have to address,” he added.

The findings serve as a reminder that cyber crime poses a risk to everyone and that organisations should ensure that they follow best practices when it comes to security.

This includes using complex passwords, not re-using them for other accounts and that businesses should remain aware of which third-party organisations have access to their data, because that in itself can create risk.

However, organisations – no matter what sector they operate in – can take steps to ensure they’re operating as securely as possible.

“No one is immune from surging cybercrime but we can effectively fix this by implementing informed, risk-based and threat-aware cybersecurity programs in a continuous and holistic manner,” Kolochenko said.