In its list of security threats for 2011, Zscaler pointed out the growing problem of indirect data breaches. The end of 2010 saw attacks against organizations like Gawker, which included the hijacking of commenter passwords. According to Zscaler:
One thing that we've learned from these attacks is that credential theft is not only used to attack the affected domain, but also other sites due to the common practice of sharing the same username/password across numerous sites. Historically, there has been concern that single sign-on systems, such as Facebook Connect, create an Achilles heel, meaning they compromise one database and have access to many. We're learning that the opposite can be true as well; by forcing people to have multiple logins, they'll simply repeat one over and over again and their security is then only as strong as the weakest link in that chain, a riskier overall proposition than having one secure authentication source.
The problem for the enterprise is also two-fold. Allowing readers and consumers access to sites to make comments or share links has become a common, and expected, business practice. But if the site is hacked, consumers lose trust. It can also hurt your business from the inside: if your employees are posting on these sites from the company network and using the same password they use within the business, the hackers who stole those credentials have access to your business data.
So what can companies do in response to this increasing breach threat? A post on MarketNet pointed out that some companies mined the Gawker data for e-mail that matched information in their own databases and reset passwords. The post also said:
This proactive step not only protected customers but will also reduce a lot of upcoming customer service hours needed to handle and fix hacked accounts or return fake orders. It also prevents customers unaware of the incident with Gawker from misplacing blame if their accounts were compromised.
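The cross-referencing step described above, written out as an added example (it is not code from Zscaler, MarketNet or any of the companies mentioned): leaked records are normalized and reduced to e-mail fingerprints, the local user table is checked against that index, and matching accounts are returned for a forced reset. The "email:hash" dump format, the user records and the ids are all constructed for illustration, not the real Gawker data.

```python
"""Cross-reference a breached credential list against a local user
table and return the accounts that should get a forced password reset.
Assumptions (constructed for this example): the dump is a list of
"email:hash" lines, local users are dicts with "id" and "email" keys,
and a forced reset is represented by returning the affected user ids.
"""
import hashlib


def normalize_email(addr: str) -> str:
    """Lower-case and trim so 'Bob@Example.COM ' and 'bob@example.com' match."""
    return addr.strip().lower()


def fingerprint(addr: str) -> str:
    """SHA-256 of the normalized address, so the comparison index can be
    kept for later checks without retaining the raw leaked records."""
    return hashlib.sha256(normalize_email(addr).encode("utf-8")).hexdigest()


def breach_index(dump_lines) -> set:
    """Parse 'email:hash' lines into a set of e-mail fingerprints.
    Lines with no ':' separator or no '@' in the address part are skipped."""
    index = set()
    for line in dump_lines:
        email, sep, _ = line.partition(":")
        if sep and "@" in email:
            index.add(fingerprint(email))
    return index


def accounts_to_reset(dump_lines, local_users) -> list:
    """Return the ids of local users whose e-mail appears in the breach,
    in sorted order so the result is stable for ticketing or reporting."""
    seen = breach_index(dump_lines)
    return sorted(u["id"] for u in local_users if fingerprint(u["email"]) in seen)


# Constructed sample data: a tiny "dump" and a tiny customer table.
SAMPLE_DUMP = [
    "alice@example.com:hash1",
    "Bob@Example.COM:hash2",            # case differs from the local record
    "malformed line without separator",  # skipped by breach_index
    "not-an-email:hash3",                # skipped: no '@' in address part
]
SAMPLE_USERS = [
    {"id": 101, "email": "alice@example.com"},
    {"id": 102, "email": " bob@example.com"},  # stray whitespace is normalized
    {"id": 103, "email": "carol@example.com"},  # not in the dump, untouched
]

if __name__ == "__main__":
    print(accounts_to_reset(SAMPLE_DUMP, SAMPLE_USERS))  # -> [101, 102]
```

Keeping only fingerprints of the leaked addresses lets the index be re-run against new sign-ups later without storing the dump itself.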
A writer on BNET reminds companies of the importance of having a security policy and of creating a solid password policy.