Submitted by: Daryl Haegley (CS)²AI Fellow and Director, Mission Assurance & Cyber Deterrence at the DOD
By Phil Muncaster 9/8/20
Nearly all cybersecurity companies have exposed sensitive data including PII and passwords online, according to a new study from ImmuniWeb. The security vendor selected 398 of the world’s top security vendors and then scoured surface, dark and deep web sites including hacking forums and marketplaces, WhatsApp groups, public code repositories, social networks and paste websites. It claimed to have discovered verified sensitive data over 631,000 times, with 17% of these “incidents” estimated to have critical risk. This means they included logins with plaintext passwords, or data leaks such as PII and financial records that are recent and/or unique. In total, the research revealed PII and corporate data accounted for half (50%) of all incidents, with credentials taking 30% and backups and dumps 15%. Also concerning is the fact that 29% of the discovered passwords were “weak” — i.e. they featured less than eight characters, with no uppercase, no numbers and no special characters. In 41% of companies studied, employees were found to have reused passwords on different breached systems, further exposing their organization to breach risks.