Nearly one in three major CEOs has been pwned using their company email address, according to a new F-Secure study. In other words, a service they access using their company email has been hacked and the password they use for that service has leaked. Without proper password practices, this potentially increases their susceptibility to targeted attacks.
F-Secure researched known company email addresses used by top executives from more than 200 of the biggest companies in ten countries. Researchers compared those addresses with F-Secure’s database of credentials leaked from breaches of online services. Among other findings:
“This study once again underscores the importance of proper password hygiene,” said Erka Koivunen, Chief Information Security Officer at F-Secure. “The CEO’s credentials may have leaked even when they have done nothing wrong. We can assume that many of the services we’ve created an account in have already been compromised and the old passwords are out there on the Internet, just waiting for targeted, motivated attackers to try them against other services.”
A top executive with poor password habits puts not only their own accounts at risk, but company data as well. According to the 2016 Verizon Data Breach Investigations Report, 63% of confirmed data breaches involved weak, default, or stolen passwords. A breach caused by unauthorized use of a CEO’s credentials would be difficult for most companies to spot, as they are ill-prepared to handle breaches, according to data from F-Secure risk management assessments.
Using a unique, strong password for each online account is fundamental to keeping hackers at bay – and experts recommend using a password manager to make it seamless and easy.