Data breaches are neither new nor spectacular until the names and accounts of higher-ups are dragged into the mainstream. For instance, a recent Twitter hack targeting very high-profile users’ accounts made it big in the news and led to arrests faster than the usual hacking case. Now it seems that the accounts of hundreds of high-ranking executives in countries around the world have also been compromised, and a single “threat actor” is making a daring attempt to sell this information in the dark corners of the Web.
Most hackers and crackers try to exploit the accounts of ordinary customers and employees, partly because such compromises are easier to sweep under the rug and partly because these users are more likely to fall for scams or social engineering attempts. The accounts of high-ranking corporate officials, on the other hand, carry a greater payoff, provided they fall into the right hands, or rather the wrong hands. ZDNet got wind of such an operation, in which a threat actor is selling that kind of information underground.
Allegedly, the credentials contain Office 365 usernames and passwords and Microsoft profiles belonging to hundreds of business executives worldwide. They include CEOs, COOs and CFOs in the US and the UK, down to company accountants. ZDNet’s anonymous source obtained samples of such data from cyber-security circles and was able to validate their accuracy.
The hacker is unsurprisingly tight-lipped on where or how the login credentials were stolen. However, there are already established possibilities for their use. They may be used to obtain access to company secrets for extortion, or to scam staff into sending huge sums of money. The latter, known as CEO scams or BEC (business email compromise), is reportedly one of the most common uses for this information.
This incident, which has no resolution or end in sight yet, illustrates the need for stronger data security, especially in businesses. Two-factor authentication (2FA) is always recommended, but if the business does not enforce it, or allows the use of 2FA based on email, then it is all for nothing, since an attacker who controls the mailbox also receives the second factor.