Optistar uses cookies to make our website work properly and to provide the most relevant content and services to our clients and site visitors.

Articles

How Much Can a Stolen Password Really Harm My Business?

April 27, 2021

Use strong passwords. Keep your systems updated. Install the best-ranked antivirus and anti-malware solutions. Set up a powerful firewall with sophisticated rules. And whatever you do, never open something you don’t trust—whether that’s an email, a link, or an unknown file.

Those are just a handful of the countless rules businesses must follow today to stand a chance at keeping their private data, well, private.

Unfortunately, with all the balls a modern business team must juggle just to keep the lights on, it’s all too easy to ignore cybersecurity guidelines.

Many businesses, especially small to medium companies, are guilty of this mistake. The thinking often goes like, “So what if someone hacks our social media or email? It’s not like we’ve got some top-secret files on there”.

So if you too are wondering how much a stolen password could possibly harm your business, let’s do a deep dive below.

Compromised passwords are like a coin with two sides. The obvious side is that your data on a particular platform, such as messages on LinkedIn or bookmarks on Twitter, will get compromised. But unlike a coin, a leaked password’s other side is far bigger and has far-reaching ramifications.

The Hidden Side of a Stolen Password

Compromised passwords are like a coin with two sides. The obvious side is that your data on a particular platform, such as messages on LinkedIn or bookmarks on Twitter, will get compromised. But unlike a coin, a leaked password’s other side is far bigger and has far-reaching ramifications.

The best way to understand that is with an example. Imagine the LinkedIn account of a CMO gets hacked. The first thing any experienced attacker will do is to check that same password on other popular websites.

Unfortunately, our CMO in question made the classic mistake of using the same password on her email. This gives the attackers access to a host of accounts, as it’s possible to recover passwords on most websites using the recovery email. The executive in question will never even notice the attack because the hacker will remove all signs of activities as they happen.

Some common compromises include messages, photos, location history, calendar records, and so on. All it takes is a single Google synced account to get access to all that data.

But that’s just the beginning. A little bit of creativity and luck can open up the following opportunities:

  • Using the email of our imaginary CMO to spread trojans throughout the organization. A link to a fake duplicate website or a blurred image that’s infected with a trojan is all it takes to make this happen. And the colleagues of the CMO and even the company clients are going to open those links because they trust the sender.
  • The attacker could also email a business manager to send payment to a contractor or a software vendor. Little will the unsuspecting manager know that the address belongs to the attacker. We’ve seen businesses lose tens of millions of dollars to this tactic where the attacker pitched an investment from the account of an executive.
  • Ransomware attacks are soaring, and nothing makes it easier when the infected file comes from someone you trust. The attacker can do this through a LinkedIn message easily, let alone use the business email of the CMO.
  • The attacker could scan past conversations for any critical system credentials, extract them by spreading infected files, or just request them by emailing someone within the organization. As soon as they have access to systems like web servers or databases or the CRM portal, they can wreak all sorts of havoc on the organization.

Again, those are just a handful of the endless list of scenarios. So where our imaginary CMO may not have cared much for a rarely used LinkedIn account, the stolen password had much harder hitting consequences.

In short, a stolen password can harm your business in more ways than you might even know. But the good news is, there is a secret layer of protection that can keep the inevitable password leaks from hurting your business.

Dark Web, Darker Marketplaces, and a Pain-Free Solution

Most hackers are in it for a quick win. They find an unpatched vulnerability, launch a bulk attack, extract a bunch of data, and put it all on sale on the Dark Web.

The Dark Web is the unfiltered, unregulated, and normally unreachable part of the internet. The name makes sense because you can’t search the dark web on Google or any other search engine. You can’t even open it with a normal web browser. You can learn more about how it works in our two-part blog series on the Dark Web.

While the Dark Web attracts a fair number of privacy-obsessed geeks and otherwise curious minds, it’s also home to a darker set of marketplaces that cater to all sorts of criminal needs. From fake passports and currencies to arms and narcotics, everything is fair game on there.

Unfortunately, this is also where the actual damage from stolen passwords happens. Those looking for a quick payday sell their data exploits on Dark Web marketplaces. For as little as a few dollars per thousand passwords, critical information falls into the hands of bad actors willing to plow through the list and launch sophisticated attacks with each credential—like those we discussed earlier.

Luckily, the Dark Web monitoring service we use for our clients can neutralize those threats before they can do any real damage.

Here’s how it works. We start by gathering a list of email addresses associated with your organization. Then, our machine-powered analysis system assisted by our human experts crosschecks your accounts against the credentials for sale on the Dark Web.

We do this 24/7/365, so as soon as our system finds a match, we notify you and discuss how to jumpstart the neutralization process. Then, we ensure steps are taken immediately that include changing passwords, tightening security protocols, assessing your network to determine the cause of the leak, and much more.

In addition to monitoring, we recommend training your staff to ensure they no the threats that exist and how to handle them. By ensuring your first line of defense is aware and kept up-to-date on cyber threats and having the Dark Web monitored for company credentials, you are being proactive and protecting not only your business, but your data and your clients.

Remember – it’s not “if” a breach happens, it’s “when”, so you’ve got to be proactive.

Contact us today with any questions or concerns you may have or visit www.optistartech.com to learn more about the services we provide.

Don’t forget to check out our other articles here to learn more about cybersecurity and how to stay one step ahead!

Back to Insights
Sign up for More Insights