Exposed Corporate Credentials on the Open Web, a Real Security Risk

Last Friday, a New York Times article described how the recent online attack against JPMorgan was possibly connected to a data breach on a third-party website. The target mentioned in the article is Corporate Challenge, a company that organizes charitable races sponsored by JPMorgan.

The Corporate Challenge website was successfully hacked prior to the JPMorgan breach so some experts believe threat actors leveraged stolen credentials to attack JPMorgan’s banking system. Data from the investigation shows many bank employees registered for races on the Corporate Challenge website using their company email and password.

[The data] contained some of the combinations of passwords and email addresses used by race participants who had registered on the Corporate Challenge website, an online platform for a series of annual charitable races that JPMorgan sponsors in major cities and that is run by an outside vendor. The races are open to bank employees and employees of other corporations.

Coincidentally, last Wednesday, Recorded Future released a report identifying employee credential exposures for at least 221 of the Fortune 500 companies in 2014, opening the door for advanced persistent threats and well-tailored spear-phishing attacks. Recorded Future CEO Christopher Ahlberg was quoted by SC Magazine UK regarding this concern:

The data likely comes from third party sites — not from breaches of companies’ servers — where an employee used a corporate email to sign up for something. In the past few years, for example, hackers have breached websites and services like Adobe and Forbes.

As threat actors become more sophisticated, it’s important for organizations to properly educate employees on information security best practices. For example, employees should avoid using the same password on multiple websites. Just one compromised employee can leave the entire business network vulnerable to a cyber attack.

Take Action

Download our threat intelligence report, “The Fortune 500’s Unfortunate 221” to learn how Recorded Future used open source intelligence (OSINT) to discover leaked employee credentials on the open web. Also included are additional recommendations to improve your organization’s security on third-party websites.