In the face of password breaches, we are equal

A quick study of data breaches vs. decision-makers in 11 top market cap companies in Finland

Bruno Triani
badrap.io

--

I have been discussing how data breach information can be used to scam or attack people and companies (links below). So I got curious. Are decision-makers, C-levels, and executives involved in data breaches? And if they are involved, is the breached data easily available? Are they aware of it? I now know the answer to two out of my three questions.

(image from Pixabay)

I decided to survey the managers of the 11 most valuable companies in Finland and checked if I could easily find information about data breaches that they were involved in. I assumed that attackers don’t discriminate, and they may go after anyone they can get. Of course, some targets may be more lucrative than others.

Are decision-makers involved?

Yes. Here is how I figured it out.

1 — Find the names

Most of the companies keep a list of their executives, with a brief description of each, on their website, usually under the “Investors” tab.

2 — Get their public profiles from LinkedIn

I looked up every name on LinkedIn (virtually all executives have an online profile). The idea here is to match each name from the company webpage to a public profile ID. I will explain why soon.

3 — Find email addresses

There are commercial services that sell employee contact information. For example, Alma Media sells decision-maker contact info such as email addresses and phone numbers. I used a service called RocketReach that lists present and past emails, including personal ones. Using this tool, I can search for someone by their LinkedIn profile, which helps me find the exact person.

4 — Check data breaches

After gathering the emails, I need to check whether they were involved in public data breaches, including leaked passwords. Past and personal emails are important information even if the individual doesn’t use them anymore. Many people move to new emails and usernames but keep the same password. I checked their emails on haveibeenpwned.com, which is a repository that lists emails found in data breaches.

Results

After matching all the names with the corresponding LinkedIn profiles, I listed every email that had its password exposed in a data breach. All 11 companies had executives exposed to those incidents; on average, each organization had 10 leading executives when counting C-levels, presidents, and vice-presidents. The breaches affected at least 20% of the executives of each company, climbing to 80% in some cases. On average, 65% of the executives of all surveyed companies were exposed in data breaches involving a password leak.

Is the breached data easily available?

Haveibeenpwned.com is an excellent and reputable service, and I have no reason to doubt its results. But some things you need to witness with your own eyes before you feel comfortable talking about them. So I decided to get a sample set. Off to the dark and deep webs, right? Wrong. I was stunned to realize how easy it is to get a password dump of one billion accounts and passwords. All I needed to do was search the web and download a torrent file. Emails and passwords were found in plain text.

How data breach information can be used to scam or attack people and companies

Email scam example — video

My Sports Tracker Password Is Not Just My Private Business — article

How one breach can haunt individuals and companies for years — article

3 steps to engage employees in cyber hygiene — article

Are they aware of it?

The first thing to do is to warn the victims. I am contacting the people involved to make sure they are aware of the issue. I am still waiting for feedback to help me understand whether they already knew about the problems and how they found out about the leaks in the first place. After the victim notification, I will delete the names and emails from my survey. For the study, it will be enough to keep the statistics and collect the feedback. Good information hygiene helps one be part of the solution rather than part of the problem.
