Opinion: Webmail gets hacked, corporate passwords exposed

How the situation was resolved

This week, one of our top (C-level) executives suffered a personal security incident that spilled over to the workplace. Here's what happened.

The executive's Yahoo email password was compromised, which she learned after hearing from friends who told her that they had received messages from her requesting money to deal with a crisis. You've probably heard similar stories, but whoever hacked the executive's email was a bit more clever than the average cybercrook. One friend was suspicious of the request and asked for verification of the executive's identity. Most email hijackers would probably give up and move on to another victim at that point, but this hacker had sifted through the executive's emails and learned enough about her family, vacations and health issues to trick the friend and dupe her into wiring the money.

Trouble Ticket

At issue: A top executive's Yahoo Mail client was hacked, opening the way for the hacker to get into the corporate network.

Action plan: Change all her SaaS and domain passwords, fast.

Naturally, the executive had used her Yahoo Mail account for a variety of activities, including setting up accounts with her bank, her brokerage, an airline and various shopping sites. The Yahoo account had received emails containing clear-text passwords when she had forgotten them. Worse, she often used the same password for multiple accounts.

I advised her to abandon the email account and to contact all of her friends and let them know that they should disregard any mail from that address. But that action, or simply changing the password, probably wouldn't be enough to stem the damage. Most identity thieves will download all the email from a compromised account, as well as data such as calendars and contact lists, to a local computer. This is quite simple, since many webmail clients allow customers to use more feature-rich email clients such as Microsoft Outlook to download email. So even if the account were shut down or the password changed, the hacker would probably still have all of its contents.
Because the compromised content could not be safeguarded, I also told her to file a police report; contact all banks, credit card companies, brokerages and other organizations with which she had done business online; file a fraud alert with the major credit agencies; sign up for a credit-monitoring service; and obtain a new email address and update all of her accounts with that address. I also warned her to refrain from using any PCs, including her home PC, until we could verify their integrity, since we still didn't know how her password had been compromised.

Dangerous habit

In the course of our conversation, I learned that this incident had implications for the company. You see, we have increased our use of software as a service to the point that we now use more SaaS offerings than on-premises applications. Some might see this as an achievement. I see it as a security nightmare.

As I've explained in past articles, most SaaS vendors have focused more on functionality and accessibility than on security. This incident is a perfect example of how that approach can lead to problems. The executive had a habit of forgetting her passwords for SaaS applications, and she gave me a list of seven SaaS apps that had sent password reset notices to her hacked email account -- in clear, unencrypted text!

Fortunately, none of the data used with these particular apps was extremely sensitive. But she had used her domain password for all of the applications. This meant we had to change her domain password and then log in to all the other applications -- about 15 altogether -- that were not synchronized with Active Directory or configured for single sign-on.

Needless to say, this was not a good day for this executive. But on a positive note, I did get a sponsor for my security awareness and training program.

This week's journal is written by a real security manager, "Mathias Thurman," whose name and employer have been disguised for obvious reasons. Contact him at mathias_thurman@yahoo.com.
