Authlogics research suggests that thousands of breached passwords at our largest retailers leave them vulnerable.
You might be forgiven for assuming that our biggest retailers and their customers faced a more obvious type of threat during Black Friday and Cyber Monday (the hugely popular consumer discount holidays imported from the US): competitors undermining a sale campaign, a PR disaster or dangerously overcrowded shops, to name but a few examples.
However, the threat which most of them face is significantly more insidious, more difficult to see or stop, and potentially devastating: Breached passwords, both inside the organisation and amongst their customers.
The extensive Authlogics breached password database shows that, of the 4.1 billion breached credentials it holds, over 100,000 belong to some of the UK's, and the world's, biggest retailers:
| Retailer | Number of breached passwords |
|---|---|
Digging even deeper into this, we can identify the breached domain credentials that are linked to breached passwords AND the shared credentials that have an association with the organisation:
| Company | Domain Credentials | Shared Credentials |
|---|---|---|
What does this mean?
Practically speaking, this means that passwords, which exist for security purposes, are handing threat actors the means and opportunity to walk straight into the corporate network. Where a breached password is associated with a shared credential, an attacker needs very little effort to gain a foothold with it. From there they can launch further attacks, from phishing (which can facilitate ransomware infection, malware distribution and further credential theft) to widespread identity theft and a plethora of other attacks that could leave retailers' online ecosystems in disarray in the lead-up to their busiest time of the year.
Furthermore, customer accounts could also be in trouble due to poor password hygiene. According to our database, over 9 million people are still using the word 'password' as a password, with another 200,000+ using 'money' or 'money1'. Particularly worrying in the lead-up to Black Friday and Cyber Monday is the use of 'shopping' over 100,000 times. The Guardian this week reported that 2020's Black Friday saw UK consumers defrauded to the tune of 2.5 million; by using passwords such as these, UK consumers are providing cybercriminals with an open goal.
What can consumers and retailers do?
- Ensure passwords are unique to each user and website and are not found in any existing password breach databases.
- Longer passwords are better, and they don't need to be changed unless they have been compromised.
- Improve overall security by introducing an additional step (or factor, hence 'multi-factor') into the authentication process. This keeps an account safe even if the password has been compromised, until it can be changed.
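The first two recommendations above (reject anything found in a breach database, and prefer length over forced rotation) can be enforced at the point where a password is chosen. The following is an added example written for this page, not Authlogics product code and not a real breach data set: it implements the k-anonymity "range" pattern that public breach-check services use, where the client sends only the first five hex characters of the password's SHA-1 and matches the remainder locally, so the checking service never sees the full hash. The breached-password corpus, its counts and the 12-character minimum are constructed assumptions for illustration; the words chosen mirror the ones the post mentions.

```python
import hashlib
from collections import defaultdict

# Constructed sample corpus standing in for a breached-password database.
# Counts are illustrative assumptions, not figures from any real data set.
SAMPLE_BREACHED = {
    "password": 9_000_000,
    "money": 150_000,
    "money1": 60_000,
    "shopping": 100_000,
    "Password1": 1_000_000,
}

MIN_LENGTH = 12  # assumed policy minimum for illustration; longer is better


def sha1_hex(password: str) -> str:
    """Upper-case SHA-1 hex digest, the format range-style breach APIs key on."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest().upper()


def build_range_index(corpus):
    """Index breached hashes by their 5-char prefix: prefix -> {suffix: count}."""
    index = defaultdict(dict)
    for pw, count in corpus.items():
        h = sha1_hex(pw)
        index[h[:5]][h[5:]] = count
    return index


RANGE_INDEX = build_range_index(SAMPLE_BREACHED)


def range_lookup(prefix: str) -> dict:
    """Simulated server side: given only a 5-char hex prefix, return every known
    suffix in that range with its breach count. The server never learns the full
    hash, so it cannot tell which candidate the client is checking."""
    if len(prefix) != 5 or any(c not in "0123456789ABCDEF" for c in prefix):
        raise ValueError("prefix must be 5 upper-case hex characters")
    return dict(RANGE_INDEX.get(prefix, {}))


def breach_count(password: str) -> int:
    """Client side of the k-anonymity check: send the prefix, match the suffix locally."""
    h = sha1_hex(password)
    return range_lookup(h[:5]).get(h[5:], 0)


def evaluate_password(password: str) -> dict:
    """Apply the post's rules: long enough and absent from the breach corpus."""
    problems = []
    if len(password) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    count = breach_count(password)
    if count:
        problems.append(f"seen {count} times in breach data")
    return {"acceptable": not problems, "breach_count": count, "problems": problems}


if __name__ == "__main__":
    for candidate in ("password", "shopping", "Tuesday-Kettle-Orbit-47"):
        print(candidate, evaluate_password(candidate))
```

Against a live service the `range_lookup` call becomes an HTTPS GET of the prefix; everything else stays on the client. Because the corpus is keyed on the hash rather than the plaintext, the same check works for a retailer screening staff or customer passwords at enrolment without the checking service ever holding the password itself.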
Authlogics provide organisations with end-to-end authentication for every step of the digital identity journey from passwords to multi-factor. It’s that simple, it’s that secure!
Ultimately, we’d like to see a world without passwords. But until that day comes, following best practices when developing your passwords is half the battle.
For more information about how we can help to keep your online accounts safe, visit www.authlogics.com