You are probably familiar with how cybercriminals use phishing and other types of attacks to obtain employees’ passwords, as this is often discussed in the media. But do you know what happens after a hacker steals an employee’s password? To answer this question, researchers at the security firm Bitglass conducted an eye-opening experiment.

The Experiment

The researchers built a functional web portal for a fictitious retail bank and a digital identity for an employee who supposedly worked there. Anyone who goes online has a digital identity — a collection of data attributes (e.g., birthdate, gender, search history, passwords, posts, purchases) that is linked to an email address, URL, or domain name.

The bank employee’s digital identity was similar to that of a typical Internet user. For instance, the person had social media, Google Apps, personal banking, and other online accounts. And, like many Internet users, the employee reused account passwords as well as blurred the line between professional and private life by using the same accounts for both work and pleasure.

The researchers filled the employee’s Google Drive with files containing company and personal data. For example, the documents included information about the retail bank’s customers and real credit card numbers. There was even an encrypted file. Each file in Google Drive was embedded with a watermark so that the researchers could track what hackers did with it. Plus, the researchers monitored all Google Drive activities, including logins and downloads.

The Results

Hackers did not waste any time once the research team posted the employee’s supposedly phished Google Apps information on the Dark Web. Within 24 hours, cybercriminals began using the credentials to log in to Google Drive and the bank web portal. Within 48 hours, they started downloading files from Google Drive. Some hackers only downloaded the files with sensitive content (e.g., credit card data, bank customer information), while others downloaded all of them. Several cybercriminals even cracked and viewed the encrypted file.

In all, around 1,400 hackers viewed the Google Apps credentials posted on the Dark Web and visited the fictitious bank’s web portal. Ten percent of them then attempted to log in to the portal.

In addition, 10 percent of the 1,400 cybercriminals signed in to Google Drive using the login information. Almost 95 percent of these Google Drive hackers discovered the employee’s other online accounts and attempted to log in to them using the Google Apps username and password. More than 35 percent succeeded in accessing the employee’s personal banking account.

How to Protect Your Business’s Online Accounts

As these finding show, stolen passwords are quickly exploited by numerous cybercriminals, who try them on a variety of websites. For this reason, it is important that you and your employees:

  • Avoid reusing passwords. A unique, strong password should be used for each online account. That way, if hackers obtain one account password, they won’t be able to use it to access other accounts.
  • Use two-step verification when available. With two-step verification, you need to provide an additional piece of information (e.g., a security code) to log in. Google, Microsoft, and many other cloud service providers now provide this functionality.

For more recommendations on how to protect your business’s online accounts as well as its data, contact us.