Thirty percent of CEOs from the world’s largest organizations have had their company email address and password stolen from a breached service. Given the continuing tendency for users to employ simple passwords and reuse the same passwords across multiple accounts, the implication is that at least some of these CEOs are at risk of losing their email accounts to cyber criminals or foreign nation state hacking groups.
The statistic comes from a report (PDF) published today by F-Secure, whose researchers checked the email addresses of 200 CEOs from the world’s largest organizations against a database of leaked credentials. It notes that the 30% figure increases to 63% for tech companies.
Email accounts are highly valuable to cybercriminals, often containing sensitive information. A case in point is the hack and breach of Colin Powell’s Gmail account in 2016 and the public exposure of his candid thoughts during the presidential campaign. In one email, for example, he comments, “and [Hillary Clinton] once again looks shifty if not a liar.” Researchers have suggested that Powell’s account was breached because he may have used the same email password as he had for his Dropbox account — details of which were leaked just a few weeks previously.
Business email compromise (BEC) attacks also become very compelling if the finance director receives a transfer instruction that originates from the CEO’s genuine email account.
F-Secure found, unsurprisingly, that the top breached services to which CEOs linked their company email addresses were the professional networking site, LinkedIn, and Dropbox. Together they account for 71% of the CEOs.
But it’s not just email addresses and password hashes that are exposed in leaked breaches. Eighty-one percent of the CEOs, say the researchers, “have their emails and other details such as physical addresses, birthdates and phone numbers exposed in the form of spam lists and leaked marketing databases.” A mere 18% of CEO email addresses are not associated with any leak or hack.
The reality is that the CEO’s email account is a prized target for attackers, and CEOs need to take particular care over protecting it. One approach is to use a private account and personal phone number to disguise the company association — but F-Secure warns that there are drawbacks in terms of defense in the later stages of the kill chain.
“When using a private email, a personal phone number or a home address to register for a service that the CEO uses to conduct official business, the CEO effectively denies the company’s IT, communications, IPR, legal, and security teams a chance to protect the credentials, monitor their misuse or attempts to compromise them and makes it nearly impossible to recover them later,” comments F-Secure CISO, Erka Koivunen. “To an attacker, a CEO who uses private email to register for a service they use in an official capacity, spells a loner – someone who goes it alone and doesn’t bother to rely on his/her staff to provide protection.”
The bottom line is that CEOs and their companies need to take particular care in protecting their email account passwords. F-Secure’s advice is well-known good password practice. Use unique, long, illogical passwords that do not comprise words that could be found in hackers’ word lists. Use a password manager to generate them (but, “Be wary of cloud-based password managers that don’t require access to the device in order to log into them”). Avoid social logins (if you lose the social media account, all of the associated accounts are also lost). Always use multi-factor authentication where it is available (avoiding SMS passcodes if possible: “Offline authenticators or hardware-based tokens are always preferred”).
Key is the password itself. “Use fully random password strings that are as long as a particular service allows, typically 32 characters,” F-Secure Labs lead researcher Jarno Niemela told SecurityWeek. “Passwords like these are secure as long as the service provider is not storing passwords in plain text,” he says, with the one theoretical exception of an intelligence agency with a really big budget that could find an MD5 collision.
Even this remote possibility could be limited, he says, if the service provider makes strong efforts to protect the passwords. “Password cracking,” that is, obtaining the plaintext password from a stolen hash, “can be pretty much eliminated by using forced computation, also known as key stretching. This means that the service uses PBKDF2, scrypt, bcrypt or some other scheme that iterates the password hash verification up to millions of times. It effectively makes password cracking millions of times slower — and even relatively simple passwords will become rather unfeasible, provided that they are not directly in some word list.”
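To make the key-stretching point concrete, here is an added example (not code from F-Secure or SecurityWeek) that stores and verifies a password with PBKDF2-HMAC-SHA256 from Python's standard library and measures how much slower each guess becomes than a bare SHA-256 hash; the iteration count, salt size and sample passwords are assumed illustrative values, not recommendations from the article.

```python
import hashlib
import hmac
import os
import time

# Work factor for PBKDF2-HMAC-SHA256. Assumed illustrative value for this
# example; a real service tunes it to the login latency it can afford.
ITERATIONS = 200_000
SALT_BYTES = 16

def hash_password(password: str, iterations: int = ITERATIONS) -> str:
    """Return a self-describing record: algorithm$iterations$salt$hash (hex)."""
    salt = os.urandom(SALT_BYTES)  # per-user random salt defeats precomputed tables
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return f"pbkdf2_sha256${iterations}${salt.hex()}${digest.hex()}"

def verify_password(password: str, record: str) -> bool:
    """Recompute the stretched hash from the stored salt and iteration count."""
    algo, iterations, salt_hex, digest_hex = record.split("$")
    if algo != "pbkdf2_sha256":
        raise ValueError("unsupported record format")
    candidate = hashlib.pbkdf2_hmac(
        "sha256", password.encode("utf-8"), bytes.fromhex(salt_hex), int(iterations)
    )
    # Constant-time comparison avoids leaking how many bytes matched.
    return hmac.compare_digest(candidate, bytes.fromhex(digest_hex))

def slowdown_factor(iterations: int = ITERATIONS, trials: int = 5) -> float:
    """How many times slower one PBKDF2 guess is than one bare SHA-256 guess."""
    salt = b"constructed-fixed-salt"          # constructed sample values
    pw = b"correct horse battery staple"
    t0 = time.perf_counter()
    for _ in range(trials):
        hashlib.sha256(salt + pw).digest()   # what an unstretched store costs
    plain = (time.perf_counter() - t0) / trials
    t0 = time.perf_counter()
    for _ in range(trials):
        hashlib.pbkdf2_hmac("sha256", pw, salt, iterations)
    stretched = (time.perf_counter() - t0) / trials
    return stretched / plain

if __name__ == "__main__":
    rec = hash_password("Tr0ub4dor&3")       # constructed sample password
    print(rec)
    print("correct password verifies:", verify_password("Tr0ub4dor&3", rec))
    print("wrong password verifies:", verify_password("Tr0ub4dor&4", rec))
    print(f"each guess is ~{slowdown_factor():,.0f}x slower than bare SHA-256")
```

The record carries its own iteration count, so the cost can be raised later without invalidating stored hashes; old records are simply re-hashed on the user's next successful login.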