Cybercriminals use automated tools to find and exploit weak and reused employee credentials and break into corporate accounts and networks.
Many employees’ passwords are easy to guess, by hand or with automated password-guessing tools, because they include or are derived from personal information that can be scraped from public sources (such as social media) or bought from data brokers. (Credential stuffing, by contrast, replays credentials leaked from other sites, which is why reused passwords are the other half of the problem.) Large percentages of people around the world still build passwords from pet names, family members’ names, or birthdays.
Basic multi-factor authentication (MFA) often helps less than expected: the same personal information feeds the scams (phishing, SIM swaps) that defeat text-message codes.
According to a security.org study, a shocking number of people use personal information in their passwords. (The survey chart is not reproduced here; because multiple responses were allowed, its totals exceed 100%.)
Among business executives, names in passwords are especially popular, as per a NordPass 2022 survey.
Hackers looking for a way into corporate accounts and networks can use automated OSINT tools like web scraper bots to gather employee personal information on social media profiles and/or data broker databases.
Data brokers are companies that collect information about individuals from a variety of sources (including social media), compile this data into profiles, and sell these profiles to anyone who wants them. Ransomware groups use these databases to collect information on potential targets.
Our own research shows that the level of data available about individuals on data broker sites is growing. Whereas in the past, data brokers sold mainly “directory style” data points (i.e., name, address, phone number), they now also frequently include personal details about relations, spouses, past residences, employment, and other contextual information.
This context is exactly what targeted password guessing needs: rather than brute-forcing the whole keyspace, the attacker tries candidates built from the victim’s names, dates, and places, which is a far smaller list.
In a 2016 study titled “Targeted Online Password Guessing: An Underestimated Threat,” Wang et al. warned that:
“Targeted password guessing is a much underestimated threat […] a large number of passwords can be guessed if personal information is known to the attacker – especially if they know passwords from other accounts owned by the potential victim.”
A Google survey suggests that guessing passwords is easier than it seems: 27% of respondents admitted to trying to guess someone else’s password, and 17% said they succeeded.
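To make the warning concrete, here is a Python sketch of targeted guessing, added for this page (it is not from the paper or the original article; the paper’s models are trained probabilistic grammars, whereas this uses a handful of hand-written mangling rules). The profile is a fictitious employee constructed for the example, and the “leaked hash” is built from a made-up password. The same profile drives the defender-side screen that a password policy should apply, which the recommendations at the end of this page call for. The security-question guessing described further down follows the same pattern with different fields.

```python
import hashlib
import itertools

# Constructed OSINT profile of a fictitious employee. Every value is made up
# for this example; the keys mirror what data-broker profiles typically list.
PROFILE = {
    "first_name": "Jordan",
    "last_name": "Alvarez",
    "pet": "Biscuit",
    "spouse": "Casey",
    "city": "Wasilla",
    "employer": "Acme",
    "birth_year": "1989",
    "birth_day": "0714",   # MMDD
}

LEET = str.maketrans({"a": "@", "e": "3", "i": "1", "o": "0", "s": "$"})
UNLEET = str.maketrans({"@": "a", "3": "e", "1": "i", "0": "o", "$": "s"})
NAME_KEYS = ("first_name", "last_name", "pet", "spouse", "city", "employer")


def base_tokens(profile):
    """Name-like strings an attacker seeds the targeted wordlist with."""
    tokens = set()
    for key in NAME_KEYS:
        value = profile[key]
        tokens.update({value, value.lower(), value.capitalize()})
    return tokens


def mangle(token, profile):
    """Simple mangling rules: profile digits, common suffixes, leet-speak."""
    numbers = {"", profile["birth_year"], profile["birth_year"][-2:], profile["birth_day"]}
    suffixes = {"", "!", "1", "123", "!1"}
    for number, suffix in itertools.product(sorted(numbers), sorted(suffixes)):
        yield f"{token}{number}{suffix}"
        yield f"{token.translate(LEET)}{number}{suffix}"


def targeted_wordlist(profile):
    """Ordered, de-duplicated candidate list built only from the profile."""
    candidates = {}
    for token in sorted(base_tokens(profile)):
        for candidate in mangle(token, profile):
            candidates.setdefault(candidate, None)
    return list(candidates)


def sha256_hex(text):
    return hashlib.sha256(text.encode()).hexdigest()


def guess(target_hash, profile):
    """Attacker side: try every candidate against a (leaked, unsalted) hash.
    Unsalted SHA-256 stands in for whatever hash an attacker holds; the point
    is the size of the list, not the hash. Online guessing against a login
    form is the same loop, throttled by the rate limit."""
    for candidate in targeted_wordlist(profile):
        if sha256_hex(candidate) == target_hash:
            return candidate
    return None


def violates_personal_info_policy(password, profile):
    """Defender side: reject a password that embeds any profile token, after
    lower-casing and undoing common leet substitutions, or any profile date."""
    normalised = password.lower().translate(UNLEET)
    if any(t.lower() in normalised for t in base_tokens(profile) if len(t) >= 3):
        return True
    return profile["birth_year"] in password or profile["birth_day"] in password


if __name__ == "__main__":
    leaked = sha256_hex("B1$cu1t1989!")      # constructed "leaked" hash
    wordlist = targeted_wordlist(PROFILE)
    print(f"{len(wordlist)} candidates; recovered: {guess(leaked, PROFILE)}")
    for pw in ("B1$cu1t1989!", "Jordan0714", "correct horse battery staple"):
        verdict = "rejected" if violates_personal_info_policy(pw, PROFILE) else "accepted"
        print(pw, "->", verdict)
```

A few hundred candidates recover a leet-speak pet name plus birth year; a real attacker adds more rules and a trained model, and a real policy check would also screen against breached-password lists, but the substring test above already rejects every candidate this generator can produce.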
Even if a hacker can’t guess an employee’s password, they can use the personal information they found during OSINT to trick them into handing it over. The Twilio breach that happened in August 2022 and impacted more than 160 of its customer organizations illustrates this perfectly.
The attack saw hackers sending text messages (SMS phishing) to employees’ phone numbers, claiming to be Twilio’s IT department. The texts said the employees’ passwords had expired and urged them to sign in through a link. The link led to a page that looked like a Twilio login page but was controlled by the threat actor.
Security questions are sometimes used to authenticate users or recover account access in case of a forgotten password.
However, because most security questions ask for things like “what’s your mother’s maiden name?” or “in what city were you born?”, the answers are facts about the user rather than secrets, and cybercriminals can often find them with a simple Google search or on a data broker profile.
For instance, Google’s research team discovered that close to a third of Texas residents’ mothers’ maiden names are guessable from marriage and birth records (data that also appears on data broker profiles).
The famous Sarah Palin email hack, which involved a cybercriminal breaking into former Republican vice presidential nominee Sarah Palin’s email account, was possible by guessing Palin’s security questions. The hacker reset Palin’s password by figuring out her birth date, ZIP code, and where she met her spouse.
On the anonymous forum 4chan, the hacker said:
“after the password recovery was reenabled, it took seriously 45 mins on wikipedia and google to find the info, Birthday? 15 seconds on wikipedia, zip code? well she had always been from wasilla, and it only has 2 zip codes (thanks online postal service!)
the second was somewhat harder, the question was “where did you meet your spouse?” did some research, and apparently she had eloped with mister palin after college, if you’ll look on some of the screenshots that I took and other fellow anon have so graciously put on photobucket you will see the google search for “palin eloped” or some such in one of the tabs.
I found out later through more research that they met at high school, so I did variations of that, high, high school, eventually hit on “Wasilla high” I promptly changed the password to popcorn and took a cold shower…”
Similarly, when threat actors broke into the iCloud accounts of a number of Hollywood actresses and leaked their private photos, Apple described the incident as “a very targeted attack on user names, passwords and security questions.”
Security pros like to say that MFA can stop 99% of attacks. But this is not true, says Roger Grimes in a recent LinkedIn post.
The 99% figure comes from limited Google and Microsoft studies that measured particular attack types rather than MFA as a whole. Grimes argues that a simple phishing campaign can bypass 90% to 95% of the MFA in use today (the forms that rely on a relayable one-time code or push approval).
For example, in the September 2022 Uber breach, a hacker flooded a contractor with MFA push requests (an MFA fatigue, or push bombing, attack) and then, pretending to be Uber IT support, convinced them to accept one:
“I was spamming an employee with push auth for over an hour. I then contacted him on WhatsApp and claimed to be from Uber IT, told him if he wants it to stop he must accept it.”
While it’s unknown where the attacker got the contractor’s phone number, data brokers are a common source of this kind of information.
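As an added example (not from the original post, and not Uber’s or any vendor’s code), here is the detection logic a SOC could run over identity-provider MFA logs to catch the pattern the attacker describes: a burst of denied or timed-out push prompts followed by an approval. The log lines and their field names are constructed for the example and do not follow any particular vendor’s schema; the threshold and window are assumptions to tune per environment.

```python
import json
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed MFA push events (JSON lines). Field names are assumptions.
# contractor01 gets seven unapproved prompts in ~7 minutes, then approves;
# bob and alice show normal behaviour.
SAMPLE_LOG = """\
{"ts": "2022-09-15T22:00:30Z", "user": "bob", "result": "denied", "src_ip": "198.51.100.7"}
{"ts": "2022-09-15T22:00:50Z", "user": "bob", "result": "denied", "src_ip": "198.51.100.7"}
{"ts": "2022-09-15T22:01:03Z", "user": "contractor01", "result": "denied", "src_ip": "203.0.113.9"}
{"ts": "2022-09-15T22:01:20Z", "user": "bob", "result": "approved", "src_ip": "198.51.100.7"}
{"ts": "2022-09-15T22:02:10Z", "user": "contractor01", "result": "timeout", "src_ip": "203.0.113.9"}
{"ts": "2022-09-15T22:03:00Z", "user": "alice", "result": "approved", "src_ip": "192.0.2.44"}
{"ts": "2022-09-15T22:03:15Z", "user": "contractor01", "result": "denied", "src_ip": "203.0.113.9"}
{"ts": "2022-09-15T22:04:20Z", "user": "contractor01", "result": "denied", "src_ip": "203.0.113.9"}
{"ts": "2022-09-15T22:05:30Z", "user": "contractor01", "result": "timeout", "src_ip": "203.0.113.9"}
{"ts": "2022-09-15T22:06:41Z", "user": "contractor01", "result": "denied", "src_ip": "203.0.113.9"}
{"ts": "2022-09-15T22:07:55Z", "user": "contractor01", "result": "denied", "src_ip": "203.0.113.9"}
{"ts": "2022-09-15T22:09:30Z", "user": "contractor01", "result": "approved", "src_ip": "203.0.113.9"}
"""

WINDOW = timedelta(minutes=10)   # assumed sliding window
THRESHOLD = 5                    # assumed number of unapproved prompts that counts as a burst
UNAPPROVED = ("denied", "timeout")


def parse(log_text):
    """Parse JSON lines into dicts with a datetime 'ts', sorted by time."""
    events = []
    for line in log_text.strip().splitlines():
        rec = json.loads(line)
        rec["ts"] = datetime.strptime(rec["ts"], "%Y-%m-%dT%H:%M:%SZ")
        events.append(rec)
    return sorted(events, key=lambda r: r["ts"])


def detect_push_fatigue(events, threshold=THRESHOLD, window=WINDOW):
    """Two rules over a per-user sliding window of unapproved prompts:
    'push_bombing' fires when the count reaches the threshold, and
    'fatigue_approval' fires when an approval arrives while the window still
    holds a burst, i.e. the user finally said yes after saying no repeatedly."""
    recent = defaultdict(deque)   # user -> timestamps of unapproved prompts in window
    alerts = []
    for e in events:
        q = recent[e["user"]]
        while q and e["ts"] - q[0] > window:
            q.popleft()
        if e["result"] in UNAPPROVED:
            q.append(e["ts"])
            if len(q) == threshold:
                alerts.append({"rule": "push_bombing", "user": e["user"],
                               "count": len(q), "ts": e["ts"]})
        elif e["result"] == "approved":
            if len(q) >= threshold:
                alerts.append({"rule": "fatigue_approval", "user": e["user"],
                               "denied_before": len(q), "ts": e["ts"],
                               "src_ip": e["src_ip"]})
            q.clear()   # an approval ends the burst either way
    return alerts


if __name__ == "__main__":
    for alert in detect_push_fatigue(parse(SAMPLE_LOG)):
        print(alert)
```

The second rule is the one worth paging on: a burst alone may be a user fumbling their phone, but an approval right after a burst is the Uber pattern, and the alert carries the approving session’s source IP so the responder can revoke that session rather than the whole account.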
If a threat actor knows their target’s phone number and other personal information, they can also carry out a SIM swap attack.
Here, the criminal impersonates the target to the cellular provider, claims the SIM card was lost or damaged, and asks for the phone number to be moved to a new SIM. Once the port completes, every SMS one-time code for that number is delivered to the attacker.
Recently, there have also been reports of scammers bypassing Microsoft 365 MFA with adversary-in-the-middle (AitM) phishing. Going exclusively after business executives, the threat actors send targeted phishing emails that appear to come from the electronic signature tool DocuSign.
A link in the email brings the executive to a fake Microsoft 365 login page. The page is a reverse proxy: everything the victim types (username, password, and then the one-time code or push approval) is relayed to the real Microsoft login in real time, so the MFA step is completed legitimately, but for the attacker’s session. The proxy then captures the resulting session cookie, which lets the attacker use the account without ever seeing the second factor again. Any MFA method that only proves possession of a code, such as SMS, authenticator-app OTP, or push approval, can be relayed this way.
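The following Python example, added here and not code from the original article or from any vendor, models the one check that separates relayable MFA from the FIDO2 security keys recommended under the defences below. The relying-party ID `example.com`, origin `https://login.example.com` and phishing host `login.example-docusign.test` are made-up names, and the authenticator’s signature is simulated with an HMAC over the same bytes a real authenticator signs (a stand-in: real WebAuthn uses an asymmetric key such as ES256, and the relying party holds only the public key). Everything else, the origin written by the browser, the rpId suffix rule, and the relying party’s checks, is how WebAuthn actually works.

```python
import hashlib
import hmac
import json
import secrets

# Assumed relying party (made-up names for the example).
RP_ID = "example.com"
RP_ORIGIN = "https://login.example.com"
PHISHING_ORIGIN = "https://login.example-docusign.test"

# Stand-in for the security key's private key: a per-credential secret, so the
# "signature" below is an HMAC. Real WebAuthn uses an asymmetric key (e.g. ES256)
# and the RP stores only the public key; the bytes that get signed and the
# origin/rpId checks are the same as shown here.
CREDENTIAL_SECRET = secrets.token_bytes(32)


def authenticator_sign(auth_data: bytes, client_data_json: bytes) -> bytes:
    """The authenticator signs authenticatorData || SHA-256(clientDataJSON)."""
    message = auth_data + hashlib.sha256(client_data_json).digest()
    return hmac.new(CREDENTIAL_SECRET, message, hashlib.sha256).digest()


def authenticator_data(rp_id: str) -> bytes:
    """rpIdHash (32 bytes) || flags (user-present bit set) || signCount (4 bytes)."""
    return hashlib.sha256(rp_id.encode()).digest() + b"\x01" + (0).to_bytes(4, "big")


def client_data_json(challenge: str, origin: str) -> bytes:
    return json.dumps({"type": "webauthn.get", "challenge": challenge, "origin": origin},
                      separators=(",", ":")).encode()


def browser_get_assertion(page_origin: str, rp_id: str, challenge: str):
    """What the browser does for navigator.credentials.get(): it refuses unless
    rp_id is the page's host or a registrable suffix of it, and it writes the
    page's real origin into clientDataJSON. Page script cannot change either."""
    host = page_origin.split("://", 1)[1]
    if not (host == rp_id or host.endswith("." + rp_id)):
        raise PermissionError(f"rpId {rp_id!r} is not a suffix of page host {host!r}")
    auth_data = authenticator_data(rp_id)
    client_data = client_data_json(challenge, page_origin)
    return auth_data, client_data, authenticator_sign(auth_data, client_data)


def rp_verify(expected_challenge: str, auth_data: bytes, client_data: bytes, signature: bytes) -> str:
    """Relying-party verification (the subset of the WebAuthn steps that matter here)."""
    cd = json.loads(client_data)
    if cd.get("type") != "webauthn.get":
        return "bad type"
    if cd.get("challenge") != expected_challenge:
        return "challenge mismatch"
    if cd.get("origin") != RP_ORIGIN:
        return "origin mismatch"
    if auth_data[:32] != hashlib.sha256(RP_ID.encode()).digest():
        return "rpIdHash mismatch"
    if not hmac.compare_digest(authenticator_sign(auth_data, client_data), signature):
        return "bad signature"
    return "ok"


def legitimate_login() -> str:
    challenge = secrets.token_urlsafe(32)
    return rp_verify(challenge, *browser_get_assertion(RP_ORIGIN, RP_ID, challenge))


def aitm_login() -> str:
    """The proxy relays the RP's real challenge to the victim's browser, which is
    sitting on the phishing origin. The browser never produces an assertion."""
    challenge = secrets.token_urlsafe(32)
    try:
        auth_data, client_data, sig = browser_get_assertion(PHISHING_ORIGIN, RP_ID, challenge)
    except PermissionError as exc:
        return f"browser refused: {exc}"
    return rp_verify(challenge, auth_data, client_data, sig)


def aitm_forward_assertion(rewrite_origin: bool) -> str:
    """Suppose the proxy somehow held an assertion whose clientDataJSON names the
    phishing origin. Forwarded as-is it fails the origin check; with the origin
    field rewritten, the hash the signature covers changes and it fails there."""
    challenge = secrets.token_urlsafe(32)
    auth_data = authenticator_data(RP_ID)
    phished = client_data_json(challenge, PHISHING_ORIGIN)
    sig = authenticator_sign(auth_data, phished)
    forwarded = phished.replace(PHISHING_ORIGIN.encode(), RP_ORIGIN.encode()) if rewrite_origin else phished
    return rp_verify(challenge, auth_data, forwarded, sig)


if __name__ == "__main__":
    print("legitimate      :", legitimate_login())
    print("AitM proxy      :", aitm_login())
    print("forwarded as-is :", aitm_forward_assertion(rewrite_origin=False))
    print("origin rewritten:", aitm_forward_assertion(rewrite_origin=True))
```

Compare this with a six-digit code: the code carries no origin, so whatever the victim types on the proxy page is exactly what the real login form receives, and the relying party has nothing to check. With a FIDO2 key the browser on the look-alike domain refuses to talk to the key at all, and even an assertion obtained some other way is tied to the origin and challenge it was made for.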
Enforce strong password policies. No employee should use default passwords, common passwords like qwerty, or passwords built from personal information. Screen new passwords against breached-password and common-password lists, and reject ones that contain the employee’s name, family or pet names, or dates. Beyond that, passwords need to be unique and long rather than merely complex, which is what a password manager makes practical. About 7 in 10 employees say their workplace should provide a password manager, but less than a third of Americans are currently required to use one at work.
Don’t use security questions. Employees’ digital footprints can give hackers enough information to answer their security questions.
Enable phishing-resistant multi-factor authentication. Hardware security keys such as the YubiKey (FIDO2/WebAuthn) stop the phishing and adversary-in-the-middle attacks that SMS and push-based MFA cannot, because the key’s response is bound to the genuine site’s origin and is never produced on a look-alike domain. For example, the same attackers that went after Twilio also targeted Cloudflare. Three Cloudflare employees fell for the phishing message and entered their credentials, but because Cloudflare employees authenticate with FIDO2-compliant security keys, the attackers could not complete a login and the attack was thwarted.
Phishing awareness training. Employees should receive regular phishing awareness training, highlighting common and recent scams.
Remove employee personal information from the web. Whether they’re looking for employee contact details, personal information to guess passwords, or data to personalize phishing campaigns, data brokers are a rich source of information. To reduce the risk from this threat vector, it is crucial that companies remove employees’ profiles from data broker databases. Employees should also be taught the importance of not oversharing on social media, forums, and other places on the internet.
DeleteMe is built for organizations that want to decrease their risk from vulnerabilities ranging from executive threats to cybersecurity risks.