Exposed Corporate Credentials on the Open Web, a Real Security Risk

November 3, 2014 • Greg Barrette

Last Friday, a New York Times article described how the recent online attack against JPMorgan may have been connected to a data breach on a third-party website. The target mentioned in the article is Corporate Challenge, a company that organizes charitable races sponsored by JPMorgan.

The Corporate Challenge website was hacked before the JPMorgan breach, so some experts believe threat actors leveraged credentials stolen there to attack JPMorgan’s banking systems. Data from the investigation shows that many bank employees registered for races on the Corporate Challenge website using their company email address and password.

[The data] contained some of the combinations of passwords and email addresses used by race participants who had registered on the Corporate Challenge website, an online platform for a series of annual charitable races that JPMorgan sponsors in major cities and that is run by an outside vendor. The races are open to bank employees and employees of other corporations.

Coincidentally, last Wednesday Recorded Future released a report identifying employee credential exposures in 2014 for at least 221 of the Fortune 500 companies, exposures that open the door to advanced persistent threats and well-tailored spear-phishing attacks. Recorded Future CEO Christopher Ahlberg was quoted by SC Magazine UK regarding this concern:

The data likely comes from third party sites — not from breaches of companies’ servers — where an employee used a corporate email to sign up for something. In the past few years, for example, hackers have breached websites and services like Adobe and Forbes.

As threat actors become more sophisticated, organizations need to educate employees properly on information security best practices. For example, employees should never reuse their corporate password on other websites: a corporate email address registered on a third-party site with that same password becomes, the moment that site is breached, a working corporate credential in the attacker’s hands. Just one compromised employee account can expose the entire business network to attack.

Take Action

Download our threat intelligence report, “The Fortune 500’s Unfortunate 221” to learn how Recorded Future used open source intelligence (OSINT) to discover leaked employee credentials on the open web. Also included are additional recommendations to improve your organization’s security on third-party websites.

