How Can You Protect Your Business from Leaked Credentials?

In January of this year, there was a huge data leak known as “Collection #1.” It consisted of more than 750,000 different email accounts along with passwords or hashes (passwords encrypted with a specialized algorithm), exposing the data of thousands of people from around the world. What was stunning and unique about this leak was the enormous seizure of minor leaks from thousands of sources.

Password leaks usually occur due to a security breach that is exploited by cybercriminals to obtain privileged information (such as personal account data, users and passwords), which can later be marketed on the deep and dark web.

Several international services specialize in divulging data leaks that are generally circulating on the Internet. However, these services dedicate most of their attention to large leaks and to the international market itself.

Have you heard of Hashcast? 

Hashcast is a product for businesses of all sizes wishing to track credential leaks from an entire domain.

Here’s how it works: Let’s say your company’s webmail address is @domain.com. Our bots will “track” all users of that domain 24 hours a day, 7 days a week. If any leaked credentials are detected, company officials who are registered on Hashcast will be notified so they can implement immediate security measures and mitigate any risk to the company.

One of the main reference sites for leaked credentials is Have I  Been Pwned, created by Troy Hunt. Hunt’s goal is to raise everyone’s awareness, offering hints, tools and strategies to protect ourselves in the digital environment. But it’s not exactly complete.

Check the differences between the two products:

Is my company vulnerable?

With digital presence growing daily, every company and individual is exposed to the risk of data leaks. If you still have any doubt, try this simple exercise:

Consider whether any of your employees have used their professional email to open an account on an external platform, such as:

• The various social networks (Facebook, Instagram, LinkedIn and others)
• SaaS platforms (any web tool that requires an email address to open and access an account)
• E-commerce and virtual stores
• Or any of the innumerable other services that exist on the web

If your answer was “yes” to any of the above, it’s vital that you consider creating procedures to increase the security of your company — and especially to protect your credentials.

We’ve listed examples below of some simple procedures you can apply to your company’s day-to-day business:

• Increase the minimum size and complexity of passwords (involving capital and lower-case letters, numbers and special characters)
• Request password changes after a certain period of time
• Enable two-factor authentication

What can you do if your data was involved in leaked credentials?

The first step we would recommend is to change the password of users who have been compromised.

If your company uses a single sign-on (SSO) or Active Directory, informing your IT or Information Security department is one of your most important steps. That way, access to systems can be temporarily suspended until the password has been changed to a new one that’s preferably more secure.

Do you want to increase your level of security and decrease the risks originating from your digital presence? Visit Hashcast and take the test to discover if your site has been compromised.