Employers get a warning on Net use by staffers

Call it a symptom of the work-life merger: An employee signs up for the weekly Chamber of Commerce newsletter, or for a community 5K race or a free month of online video-streaming using work e-mail.

But what may be innocent strokes of a few keys could place companies — from banks to retailers — at greater risk for a cyberattack or corporate espionage, according to a report to be released Wednesday by Recorded Future, a Cambridge technology firm that uses online information to predict trends.

This year, 44 percent, or 221, of the nation’s Fortune 500 companies had their employees’ credentials, such as e-mails paired with entire or partial passwords, exposed on public websites, Recorded Future’s survey found.


Because most people reuse a single password multiple times, it’s likely that the password used to log in at work is the same one they use for their personal online activity, said Scott Donnelly, a senior analyst for Recorded Future.

Hackers can use that information to penetrate a company’s internal systems, he said.

“Most companies are focused on what happens in their network,” Donnelly said. “They need to be monitoring third-party sites and vendors — where their employees are out on the Web.”

It’s unclear how often hackers have used employee credentials to attack a company, Donnelly said. But in 2011, cybercriminals infiltrated defense manufacturer Lockheed Martin by using information they had gleaned through a breach of one of the company’s vendors to crack a Lockheed contractor’s coded password and gain access to the company’s computers. Similar information about consumers has proven to be valuable to hackers.

This month, more than 7 million usernames and passwords from Dropbox users were allegedly compromised after other third-party sites were hacked. Soon after, Facebook informed its users that to protect their privacy and prevent breaches, it often scours the Internet looking for leaked and stolen customer credentials.


“Organization usernames and passwords are the keys to the kingdom,” said Andy Obuchowski, the head of security and privacy in the northeast region for the Chicago-based accounting firm McGladrey LLP. “It is certainly a concern.”

In many cases, employees visit third-party sites or forums, such as online antique trading posts, hotel review chats, and trade association links, and use their corporate e-mail addresses and passwords that are the same as the ones they use at work. These smaller businesses get hacked without generating much attention, but then cybercriminals can use the information to target larger companies, sell the data, or just post it on sites frequented by computer coders, called paste sites, to show off.

Recorded Future searched public websites and found the e-mail addresses and passwords of people who worked for financial corporations, public utilities, technology firms, and health care companies, Donnelly said.

Deirdre Fernandes can be reached at deirdre.fernandes @globe.com. Follow her on Twitter @fernandesglobe.