The biggest risk to retailers and consumers on Black Friday / Cyber Monday? Breached and insecure passwords

Authlogics research suggests that thousands of breached passwords at our largest retailers leave them vulnerable.

You might be forgiven for assuming that our biggest retailers and their customers face a more obvious type of threat during Black Friday and Cyber Monday (the hugely popular consumer discount holidays imported from the US): competitors undermining a sale campaign, a PR disaster or dangerously overcrowded shops, to name but a few examples.

However, the threat most of them actually face is far more insidious, harder to see or stop, and potentially devastating: breached passwords, both inside the organisation and among their customers.

The extensive Authlogics breached password database holds 4.1 billion breached credentials, of which over 100,000 belong to some of the UK’s, and the world’s, biggest retailers:

Retailer       Number of breached passwords
Amazon         16979
Apple          39534
ASOS           1290
BooHoo         410
Ebay           14863
Etsy           174
Homebase       1278
John Lewis     85
LinkedIn       43890
Nike           16316
Sainsbury’s    2772
Tesco          3010
Vodafone       1417


Digging deeper, we can identify the breached domain credentials that are linked to breached passwords and the shared credentials that have an association with the organisation:

Company        Domain credentials   Shared credentials
Amazon         11310                5669
Apple          25875                13659
ASOS           978                  312
BooHoo         232                  178
Ebay.UK        265                  1063
Ebay.com       9016                 4519
Etsy           107                  67
Homebase       589                  689
John Lewis     59                   26
LinkedIn       32822                11068
Nike           10422                5894
Sainsbury’s    1561                 1211
Tesco          1874                 1136
Vodafone       764                  653


What does this mean?

Practically speaking, this means that passwords, which organisations introduced as a security control, are instead giving threat actors the means and opportunity to walk straight into the corporate network. Because some of these breached passwords are tied to shared credentials, an attacker would need very little effort to turn them into a foothold. From there they could mount further attacks, from phishing (used to deliver ransomware or other malware, and to harvest yet more credentials) to widespread identity theft and a plethora of other attacks that could leave retailers’ online ecosystems in disarray in the run-up to their busiest time of the year.

Furthermore, customer accounts are also at risk because of poor password hygiene. According to our database, over 9 million people are still using the word ‘password’ as a password, and another 200,000+ use ‘money’ or ‘money1’. Particularly worrying in the lead-up to Black Friday and Cyber Monday is that ‘shopping’ appears over 100,000 times. The Guardian reported this week that 2020’s Black Friday saw UK consumers defrauded to the tune of 2.5 million; by using passwords such as these, UK consumers are handing cybercriminals an open goal.

What can consumers and retailers do?

  • Ensure passwords are unique to each user and website and do not appear in any existing password breach database.
  • Longer passwords are better, and they don’t need to be changed unless they have been compromised.
  • Improve overall security by introducing an additional step (or factor, hence multi-factor) into the authentication process. This keeps an account safe even if the password has been compromised, until it can be changed.
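As an added illustration of the first two points (example code, not Authlogics’ own service or software), the Python below shows how a client can check a password against a breach database without ever sending the password itself: it hashes the password locally, sends only a short hash prefix, and matches the remainder among the candidates returned. The breach corpus and its counts are constructed for the example, and the 12-character minimum is an assumed policy value.

```python
import hashlib
from typing import Dict, List, Tuple

# Constructed sample breach corpus: the weak passwords the article names plus
# one filler entry. Counts are illustrative, not Authlogics' real figures.
SAMPLE_BREACH_CORPUS: Dict[str, int] = {
    "password": 9_000_000,
    "money": 150_000,
    "money1": 60_000,
    "shopping": 100_000,
    "letmein": 12_000,
}

MIN_LENGTH = 12  # assumed policy floor; the article only says longer is better

RangeIndex = Dict[str, List[Tuple[str, int]]]

def sha1_upper(password: str) -> str:
    """Uppercase hex SHA-1 of the password, the usual key for breach range queries."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest().upper()

def build_range_index(corpus: Dict[str, int]) -> RangeIndex:
    """Index the corpus by 5-character hash prefix so the lookup service can
    answer a prefix query without learning which password the client holds."""
    index: RangeIndex = {}
    for pw, count in corpus.items():
        digest = sha1_upper(pw)
        index.setdefault(digest[:5], []).append((digest[5:], count))
    return index

def breach_count(password: str, index: RangeIndex) -> int:
    """Client side: hash locally, send only the 5-char prefix, then match the
    suffix among the returned candidates. Returns 0 if the password is unseen."""
    digest = sha1_upper(password)
    prefix, suffix = digest[:5], digest[5:]
    for candidate_suffix, count in index.get(prefix, []):  # the 'range' reply
        if candidate_suffix == suffix:
            return count
    return 0

def evaluate_password(password: str, index: RangeIndex) -> List[str]:
    """Apply the first two rules above; an empty list means the password passes."""
    problems = []
    if len(password) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    seen = breach_count(password, index)
    if seen:
        problems.append(f"appears in breach corpus ({seen:,} times)")
    return problems
```

The same prefix-query shape lets a retailer screen passwords at sign-up or reset against a breach feed while the full hash never leaves the client.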

Authlogics provide organisations with end-to-end authentication for every step of the digital identity journey, from passwords to multi-factor. It’s that simple, it’s that secure!

Ultimately, we’d like to see a world without passwords. But until that day comes, following best practices when creating your passwords is half the battle.

For more information about how we can help to keep your online accounts safe, visit www.authlogics.com