On World Password Day, I’m not going to talk about passwords. Changing your passwords regularly, creating long strings of ultra-secure codes, relying on password managers, using two-factor authentication; it all means very little in a world where you are going to get breached. Passwords are currency in the online underground markets, but they’re only a fraction of the sheer quantity of credentials and PII exposed on the internet. That includes usernames that, when matched with passwords, can allow unauthorized access to accounts, and even tokens that provide another layer of access and, if leaked, offer no more security than the password.
If you’re a CISO of an organization that relies on technology in any way, you’re already going to be familiar with the rapid shift from software that you control within your own perimeter with passwords for out-of-the-box endpoint solutions, to the adoption of software-as-a-service (SaaS) services that store your information on their servers. Did you know that companies with 50 or under employees have about 40 applications in total, while those with 1000+ employees have over 200? That’s a lot of places where your organization’s data could be leaking, and how would you even begin to know if it had been compromised?
At the end of last year, HackerOne ran an exclusive campaign with a select group of hackers in which we challenged them to look for information exposures for 11 customers. Most bug bounty customers don’t include information exposure in scope for their programs, but we wanted to see what hackers would find if they did. You don’t need incredible technical skill to find exposed data, you just need to be a good online detective, using many of the same research skills as the “web sleuths” featured in popular Netflix series like Don’t F**k With Cats and The Vanishing at the Cecil Hotel.
The data found by the hackers included everything from passwords and authentication tokens to sensitive documents. In total, 41 data exposures were found over a 30 day period, with nearly half of those findings having a potentially high or even critical impact. The most common source of data exposure was GitHub; unsurprising when so many developers rely on it. Salesforce, Trello, and Google Calendar were also sources of leaked credentials and sensitive documents, carelessly stored or forgotten about. They’re easy to leak by accident yet incredibly easy to find, and they sting when found by a bad actor.
Knowing what information has been exposed and where is the first step to knowing what tools to focus on and where to begin educating employees. No matter how secure your passwords are, your data is out there in different clouds and across various third-party vendors — it’s only a matter of time before a leak puts your brand at risk. There is a benefit to including the whole brand in scope for a big bounty program, beyond specific domains or apps: organizations need to be willing to accept any finding that could damage their brand and that’s a level of maturity in hacker-powered security that, so far, few companies have achieved.
So, this World Password Day, I’m not going to share any of the well-worn received wisdom about passwords, but instead encourage businesses to turn over that stone and be brave enough to explore what might have already been compromised.
