Data breaches are neither new nor spectacular, at least until the names and accounts of higher-ups get dragged into the news. A recent Twitter hacking incident involving the accounts of very high-profile users, for example, made headlines and led to arrests faster than the usual hacking case does. Now it seems that the accounts of possibly hundreds of high-ranking executives in countries around the world have also been compromised, and a lone "threat actor" is making the bold move of selling this information in the dark corners of the Web.
Most hackers and crackers aim for regular consumers' and workers' accounts, partly because those compromises attract less attention and partly because such users are more likely to fall for scams or social engineering attempts. The accounts of high-ranking company officers, on the other hand, carry a much higher payoff, presuming they fall into the right, or rather wrong, hands. ZDNet got wind of exactly such an operation, in which a threat actor is selling that kind of information underground.
The credentials allegedly include usernames and passwords for Office 365 and Microsoft accounts belonging to hundreds of executives of companies around the world: CEOs, COOs, and CFOs, down to company accountants, in the US, the UK, and elsewhere. ZDNet's anonymous source in cyber-security circles obtained samples of the data and was able to confirm that the credentials were genuine.
The hacker is unsurprisingly tight-lipped about where or how the login credentials were obtained, but the ways they can be used are already well known. They can be used to gain access to corporate secrets for extortion, or to scam employees into wiring large amounts of money. The latter, known as CEO fraud or business email compromise (BEC), is reportedly one of the most common uses for this kind of information. What makes a stolen executive mailbox so effective for BEC is that the fraudulent payment request is sent from the real account, so it passes the sender checks (SPF, DKIM, DMARC) that would catch a spoofed message.
This incident, which still has no resolution or end in sight, emphasizes the need for stronger account protection, especially in companies. Two-factor authentication (2FA) is the usual advice, but it only helps if the company actually enforces it and chooses the second factor carefully. Email-based 2FA is all for naught here: the one-time code is delivered to the very mailbox that the stolen password already unlocks, so the attacker simply reads it. Legacy mail protocols are a related trap: an Office 365 tenant that still allows basic authentication over IMAP, POP, or SMTP lets a password-only login through without any second factor, unless legacy authentication is blocked outright.
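The check a defender would want after reading this is whether high-value accounts are already being used the way the article describes. The script below is an added example, not code from the original article or from ZDNet; it scans constructed sign-in records and flags successful logins on executive accounts that were password-only, came from a country outside the account's baseline, used a legacy mail protocol that cannot do MFA, or followed a burst of failed attempts from the same IP. The field names (userPrincipalName, authenticationRequirement, location.countryOrRegion, status.errorCode, clientAppUsed) follow the Microsoft Graph sign-in log layout, but treat that mapping, the executive watch-list, and the country baseline as assumptions to adapt to your own export.

```python
"""Added example: flag risky sign-ins on high-value (executive) accounts.

All data here is constructed for illustration. Field names are assumed to
match a Microsoft Graph / Azure AD sign-in log export; map yours accordingly.
"""
import json
from datetime import datetime, timedelta

# Assumption: accounts whose compromise enables BEC, fed from HR or the directory.
HIGH_VALUE_ACCOUNTS = {"ceo@example.com", "cfo@example.com"}

# Assumption: countries each account has signed in from over a recent baseline window.
BASELINE_COUNTRIES = {
    "ceo@example.com": {"US"},
    "cfo@example.com": {"US", "GB"},
    "jdoe@example.com": {"US"},
}

# clientAppUsed values that indicate basic-auth mail protocols, which cannot prompt for MFA.
LEGACY_CLIENT_MARKERS = ("IMAP", "POP", "SMTP", "Other clients")

# Constructed sample records (not real log data).
SAMPLE_SIGNINS_JSON = """
[
 {"createdDateTime": "2020-11-27T08:02:11Z", "userPrincipalName": "ceo@example.com",
  "ipAddress": "203.0.113.7", "location": {"countryOrRegion": "NG"},
  "authenticationRequirement": "singleFactorAuthentication",
  "status": {"errorCode": 0}, "clientAppUsed": "Other clients; IMAP"},
 {"createdDateTime": "2020-11-27T08:30:00Z", "userPrincipalName": "cfo@example.com",
  "ipAddress": "192.0.2.44", "location": {"countryOrRegion": "GB"},
  "authenticationRequirement": "multiFactorAuthentication",
  "status": {"errorCode": 0}, "clientAppUsed": "Browser"},
 {"createdDateTime": "2020-11-27T08:45:30Z", "userPrincipalName": "jdoe@example.com",
  "ipAddress": "192.0.2.10", "location": {"countryOrRegion": "US"},
  "authenticationRequirement": "singleFactorAuthentication",
  "status": {"errorCode": 0}, "clientAppUsed": "Browser"},
 {"createdDateTime": "2020-11-27T09:00:05Z", "userPrincipalName": "cfo@example.com",
  "ipAddress": "198.51.100.9", "location": {"countryOrRegion": "US"},
  "authenticationRequirement": "singleFactorAuthentication",
  "status": {"errorCode": 50126}, "clientAppUsed": "Browser"},
 {"createdDateTime": "2020-11-27T09:00:40Z", "userPrincipalName": "cfo@example.com",
  "ipAddress": "198.51.100.9", "location": {"countryOrRegion": "US"},
  "authenticationRequirement": "singleFactorAuthentication",
  "status": {"errorCode": 50126}, "clientAppUsed": "Browser"},
 {"createdDateTime": "2020-11-27T09:01:10Z", "userPrincipalName": "cfo@example.com",
  "ipAddress": "198.51.100.9", "location": {"countryOrRegion": "US"},
  "authenticationRequirement": "singleFactorAuthentication",
  "status": {"errorCode": 0}, "clientAppUsed": "Browser"}
]
"""


def _ts(rec):
    """Parse the record's ISO-8601 timestamp (the 'Z' suffix means UTC)."""
    return datetime.fromisoformat(rec["createdDateTime"].replace("Z", "+00:00"))


def analyze_signins(records, fail_window=timedelta(minutes=15), min_failures=2):
    """Return a finding per successful sign-in that trips one or more rules."""
    records = sorted(records, key=_ts)
    findings = []
    for i, rec in enumerate(records):
        if rec["status"]["errorCode"] != 0:
            continue  # only successes become findings; failures feed the burst rule
        user = rec["userPrincipalName"]
        country = rec.get("location", {}).get("countryOrRegion")
        reasons = []
        # Rule 1: a high-value account signed in with a password alone.
        if user in HIGH_VALUE_ACCOUNTS and rec["authenticationRequirement"] != "multiFactorAuthentication":
            reasons.append("single_factor_high_value")
        # Rule 2: country not in the account's baseline (unknown accounts flag everything).
        if country and country not in BASELINE_COUNTRIES.get(user, set()):
            reasons.append("new_country")
        # Rule 3: basic-auth mail protocol, which bypasses any MFA prompt.
        if any(m in rec.get("clientAppUsed", "") for m in LEGACY_CLIENT_MARKERS):
            reasons.append("legacy_protocol")
        # Rule 4: success preceded by a burst of failures from the same IP (guessing that worked).
        t = _ts(rec)
        prior_failures = sum(
            1 for r in records[:i]
            if r["userPrincipalName"] == user and r["ipAddress"] == rec["ipAddress"]
            and r["status"]["errorCode"] != 0 and t - _ts(r) <= fail_window
        )
        if prior_failures >= min_failures:
            reasons.append("failures_then_success")
        if reasons:
            findings.append({"user": user, "time": rec["createdDateTime"],
                             "ip": rec["ipAddress"], "country": country, "reasons": reasons})
    return findings


def run_sample():
    """Analyze the constructed sample; returns two findings (CEO, then CFO)."""
    return analyze_signins(json.loads(SAMPLE_SIGNINS_JSON))


if __name__ == "__main__":
    print(json.dumps(run_sample(), indent=2))
```

On the sample data the CEO login trips three rules at once (password-only, unknown country, IMAP), which is the profile of a bought credential being used from an attacker's mailbox client, while the CFO login is flagged for arriving password-only right after two failures from the same address. Tune the watch-list, baseline, and failure window to your tenant; the rules are deliberately simple so they are easy to port to a SIEM query.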