Critical.
Authoritative.
Strategic.
Subscribe to CIO Magazine »

Opinion: Webmail gets hacked, corporate passwords exposed

How the situation was resolved

This week, one of our top (C-level) executives suffered a personal security incident that spilled over to the workplace. Here's what happened.

The executive's Yahoo email password was compromised, which she learned after hearing from friends who told her that they had received messages from her requesting money to deal with a crisis. You've probably heard similar stories, but whoever hacked the executive's email was a bit more clever than the average cybercrook. One friend was suspicious of the request and asked for verification of the executive's identity. Most email hijackers would probably give up and move on to another victim at that point, but this hacker had sifted through the executive's emails and learned enough about her family, vacations and health issues to trick the friend and dupe her into wiring the money.

Trouble Ticket

At issue: A top executive's Yahoo Mail client was hacked, opening the way for the hacker to get into the corporate network.

Action plan: Change all her SaaS and domain passwords, fast.

Naturally, the executive had used her Yahoo Mail account for a variety of activities, including setting up accounts with her bank, her brokerage, an airline and various shopping sites. The Yahoo account had received emails containing clear-text passwords when she had forgotten them. Worse, she often used the same password for multiple accounts.

I advised her to abandon the email account and to contact all of her friends and let them know that they should disregard any mail from that address. But that action, or simply changing the password, probably wouldn't be enough to stem the damage. Most identity thieves will download all the email from a compromised account, as well as data such as calendars and contact lists, to a local computer. This is quite simple, since many webmail clients allow customers to use more feature-rich email clients such as Microsoft Outlook to download email. So even if the account were shut down or the password changed, the hacker would probably still have all of its contents.

Security

Because the compromised content could not be safeguarded, I also told her to file a police report; contact all banks, credit card companies, brokerages and other organizations with which she had done business online; file a fraud alert with the major credit agencies; sign up for a credit-monitoring service; and obtain a new email address and update all of her accounts with that address. I also warned her to refrain from using any PCs, including her home PC, until we could verify their integrity, since we still didn't know how her password had been compromised.

Dangerous habit

In the course of our conversation, I learned that this incident had implications for the company. You see, we have increased our use of software as a service to the point that we now use more SaaS offerings than on-premises applications. Some might see this as an achievement. I see it as a security nightmare.

As I've explained in past articles, most SaaS vendors have focused more on functionality and accessibility than on security. This incident is a perfect example of how that approach can lead to problems. The executive had a habit of forgetting her passwords for SaaS applications, and she gave me a list of seven SaaS apps that had sent password reset notices to her hacked email account -- in clear, unencrypted text!

Fortunately, none of the data used with these particular apps was extremely sensitive. But she had used her domain password for all of the applications. This meant we had to change her domain password and then log in to all the other applications -- about 15 altogether -- that were not synchronized with Active Directory or configured for single sign-on.

Needless to say, this was not a good day for this executive. But on a positive note, I did get a sponsor for my security awareness and training program.

This week's journal is written by a real security manager, "Mathias Thurman," whose name and employer have been disguised for obvious reasons. Contact him at mathias_thurman@yahoo.com.

Join in the discussions about security! computerworld.com/blogs/security

Join the CIO Australia group on LinkedIn. The group is open to CIOs, IT Directors, COOs, CTOs and senior IT managers.

More about: etwork, Microsoft, Topic, Yahoo
References show all

Comments

Post new comment

The content of this field is kept private and will not be shown publicly.
Users posting comments agree to the CIO comments policy.
Login or register to link comments to your user profile, or you may also post a comment without being logged in.
Related Coverage
Related Whitepapers
Latest Stories
Community Comments
Tags: security, Software-as-a-Service (SaaS), Yahoo
Latest Blog Posts
Whitepapers
  • Business Process Management, Service-Oriented Architecture, and Web 2.0: Business Transformation or Train Wreck?
    As a result of more and more organisations adopting new technologies and business practices surrounding BPM, SOA, and Web 2.0, fundamental changes have arisen in the way IT and business stakeholders work together. Make this into an opportunity - read on.
    Learn more »
  • Maximise Software Cost Savings by License Reharvesting, Recycling & Applying Product Use Rights
    Software asset management (SAM) is a complex process that enables organisations to gain control of their software estate from both a license compliance and financial standpoint. In many organisations, SAM represents one of the few remaining ways that substantial IT savings can be realised. McKinsey and Sand-Hill Group estimate that 30% or more of IT budgets are consumed by software license and maintenance costs. By optimising the SAM process, organisations can maximise software utilisation, reduce the risk of non-compliance (audits, fees, penalties), and reduce overall IT costs by as much as 5 to 10% per year. Read on.
    Learn more »
  • How to Choose an SMB - Unified Communications as a Service (UCAAS) Solution
    The on-premise deployment of Unified Communications (UC) continues to be a source of considerable corporate angst especially for the Small to Medium Business (SMB) sector. IT research firm Gartner believes UCaaS will be adopted as an adjunct service by large enterprises and as a core service by SMBs before 2015. To help SMBs choose the best offering and develop a suitable roadmap Computerworld has prepared this special feature profiling the major offerings in the Australian market.
    Learn more »
All whitepapers
rhs_login_lockGet exclusive access to Invitation only events CIO, reports & analysis.
Recent comments