Your Coalition Cyber Risk Assessment includes a section called “Exposed Employee Information.” As part of our scan, we search through multiple public and private databases on the dark web for leaked sensitive information that might belong to you or your organization. There are two basic types of sensitive information:
-
Usernames and Passwords (Compromised Credentials)
-
Personally Identifying Information (PII)
It is important to know that the employee information Coalition finds was not stolen directly from your website or services. This information was released publicly as part of data breaches that have occurred on 3rd party sites where employees have created accounts with their company email (i.e. LinkedIn, Adobe, Yahoo).
The risk assessment will tell you when an employee's sensitive information was last leaked on the web ("Last Exposed"), and where that data came from ("3rd Party Breach").
The unfortunate truth is that employee passwords and PII are already publicly available, and once exposed cannot be removed from the web. Roughly 80% of all cyber incidents start with hackers making use of stolen personal information. This is why Coalition strongly urges all companies to implement Two-Factor Authentication for both company email accounts and sensitive internal services.
Exposed Usernames & Passwords
While all of the exposed employee information Coalition detects is from 3rd party website breaches, employees often re-use the same password for multiple accounts. Hackers will often take advantage of this behavior to do "credential stuffing" attacks - attacks where they try to use the employee's publicly exposed password on their company email or sensitive internal services.
Exposed Personally Identifying Information (PII)
PII is any information that can be used as a way to identify an individual - this includes home addresses, Social Security numbers, personal health information (PHI), credit card numbers, and more.
Attackers will often use PII data collected in other breaches in phishing campaigns, in order to make their fake emails seem more legitimate. It is important to understand what information is publicly released about you and your workforce, so employees can be better prepared in the case of a phishing attempt.
Why do I see fake or inactive email addresses?
Our scan performs broad search based on your company's domain, and reports on any information it finds. There are a couple of reasons that you might see email addresses that are either fake or that are no longer active.
-
Often, hackers and spammers will try to generate possible email addresses in order to find a real, active email address to use as part of an attack. For instance, for John Doe, they may try john.doe, jdoe, johnd, etc.
-
Hackers and spammers keep these generated email addresses in their lists, even if they don't work for them.
-
These addresses then end up getting leaked/shared to the dark web for other hackers to try.
Since our scan is light-touch and non-penetrative, we cannot validate that the email addresses that we find are real or active. In the interest of full disclosure, and out of an abundance of caution, our report shows the full set of information we find, which is why will see them in your Cyber Risk Assessment.
Ongoing Monitoring
Coalition’s risk assessment for exposed employee information does not stop with the risk assessment report. We continually search for compromised credentials and data across all our resources on behalf of our insureds, and alert you when new information is found. This is an automatically included benefit with every Coalition policy.
For more information on this topic, please reach out to us; we’re here to help!