The Rise of Indirect Data Breaches

Sue Marquette Poremba

In its list of security threats for 2011, Zscaler pointed out the growing problem of indirect data breaches. The end of 2010 saw attacks against organizations like Gawker, which included the hijacking of commenter passwords. According to Zscaler:

One thing that we've learned from these attacks is that credential theft is not only used to attack the affected domain, but also other sites due to the common practice of sharing the same username/password across numerous sites. Historically, there has been concern that single sign-on systems, such as Facebook Connect, create an Achilles heel - meaning they compromise one database and have access to many. We're learning that the opposite can be true as well; by forcing people to have multiple logins, they'll simply repeat one over and over again and their security is then only as strong as the weakest link in that chain - a riskier overall proposition than having one secure authentication source.

The problem for enterprises is also twofold. Allowing readers and consumers access to sites to make comments or share links has become a common, and expected, business practice. But if the site is hacked, consumers lose trust. It can also hurt your business from the inside: if your employees are posting on these sites from the company network and using the same password they use within the business, the hackers have access to your business data.


So what can companies do in response to this increasing breach threat? A post on MarketNet pointed out that some companies mined the Gawker data for e-mail that matched information in their own databases and reset passwords. The post also said:

This proactive step not only protected customers but will also reduce a lot of upcoming customer service hours needed to handle and fix hacked accounts or return fake orders. It also prevents customers unaware of the incident with Gawker from misplacing blame if their accounts were compromised.

A writer on BNET reminds companies of the importance of security policy and creating a solid password policy.
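The response MarketNet describes above (matching e-mail addresses from a published dump against your own accounts and forcing a password reset) could look like the following. This is an added example, not code from the article or from MarketNet; the `users`/`sessions` schema, the function names and the sample addresses are constructed assumptions, and only e-mail addresses are compared, never leaked passwords.

```python
import sqlite3

# Constructed sample: addresses as they might appear in a published dump.
LEAKED_EMAILS = ["Alice@Example.com ", "bob@example.org", "not-an-address",
                 "carol@example.net", "alice@example.com"]

def normalize(email):
    """Trim and lower-case so 'Alice@Example.com ' matches 'alice@example.com'."""
    email = email.strip().lower()
    local, sep, domain = email.partition("@")
    return email if sep and local and "." in domain else None

def build_demo_db():
    """Hypothetical account store for the demo; real schemas will differ."""
    db = sqlite3.connect(":memory:")
    db.executescript("""
        CREATE TABLE users (id INTEGER PRIMARY KEY, email TEXT UNIQUE,
                            password_hash TEXT, must_reset INTEGER DEFAULT 0);
        CREATE TABLE sessions (token TEXT PRIMARY KEY, user_id INTEGER);
    """)
    db.executemany("INSERT INTO users (id, email, password_hash) VALUES (?,?,?)",
                   [(1, "alice@example.com", "hash-a"),
                    (2, "dave@example.com", "hash-d"),
                    (3, "Carol@Example.net", "hash-c")])
    db.executemany("INSERT INTO sessions VALUES (?,?)",
                   [("t1", 1), ("t2", 2), ("t3", 3)])
    return db

def force_reset_for_leaked(db, leaked):
    """Flag accounts whose address is in the dump; return the matched addresses."""
    wanted = {e for e in map(normalize, leaked) if e}  # dedupe, drop junk rows
    matched = []
    with db:  # one transaction: either every affected account is locked or none
        for uid, email in db.execute("SELECT id, email FROM users").fetchall():
            key = normalize(email)
            if key in wanted:
                # Void the old credential and require a reset at next login.
                db.execute("UPDATE users SET must_reset = 1, password_hash = NULL "
                           "WHERE id = ?", (uid,))
                # Kill live sessions so a reused password cannot stay logged in.
                db.execute("DELETE FROM sessions WHERE user_id = ?", (uid,))
                matched.append(key)
    return sorted(matched)

if __name__ == "__main__":
    print(force_reset_for_leaked(build_demo_db(), LEAKED_EMAILS))
```

The returned list is what a notification job would use to e-mail affected customers, which is the step that keeps them from misplacing blame later.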

Dec 22, 2010 6:28 AM Aaron Aaron  says:

Thought-provoking article, as usual, Sue. With the SaaS tech industry in excess of $13 billion in 2009 (and no sign of slowing down) per year, the opportunity for usernames/passwords to become compromised is increasing. There unfortunately exists a conflicting trade-off between security and convenience.

