Industry executives and experts share their predictions for 2021. Read them in this 13th annual VMblog.com series exclusive.
Mingling of work and personal accounts will lead to a rise in vulnerability
By Chip Witt, Vice President of Product Management, SpyCloud
In a lot of ways, 2021 will be spent
dealing with and recovering from the events of 2020, namely the coronavirus
pandemic and its far-reaching effects.
The virus has affected so much about
human behavior, but one of the most significant impacts was the closure of
schools and offices, which forced adults and children to learn and work at home
on their computers. Students had to create new accounts for school apps and
video calls. Parents had to share their work laptops with kids who needed them
to do schoolwork and join virtual classes.
In some cases, parents used their work
email addresses to create new accounts for their children. They may have even
reused the same passwords and shared the credentials with the family. It's easy
to imagine parents letting their kids use company Zoom accounts for school
calls, and then the kid reusing the
same login and password to create a gaming or entertainment account.
On top of that, with many stores closed
and people afraid to go out in public, we turned to ecommerce sites to purchase
needed products, which led to even more
new accounts being created. As shoppers placed online orders with grocery and
retail stores for the first time, it's also easy to imagine how many new
accounts have been created with reused work credentials - and then shared with
family members.
In a matter of days, personal and family
accounts for Amazon, Facebook, Nintendo, Xbox and Netflix were being used right
alongside productivity tools such as Zoom, Microsoft Office, and corporate
email.
These shifts are a dream come true for
hackers. More time spent online and more newly created accounts give threat
actors more targets to exploit. But the real danger arises from the unfortunate
fact that people tend to reuse passwords across multiple accounts.
Security experts recommend using unique
passwords for each account, but most people can't keep track of that many
passwords, so they reuse passwords across multiple sites. In SpyCloud's report
on password reuse among Fortune 1000 employees, the company found that 76.5% have reused the same password
paired with their corporate email on more than one breached account. The
consequences of those reused and shared logins have staying power.
Password reuse means that if hackers are
able to steal (via a data breach, phishing attack or credential-siphoning
malware) or crack the password for one account, it will likely get them into
others as well. When your 12-year-old has one of their online accounts exposed
in a breach after using your corporate email and password to set it up, guess
what? Suddenly, the risk to your company's sensitive information just
skyrocketed. At work, the company can monitor corporate credentials for breach
exposures to keep attackers locked out of work accounts, but when employees
reuse exposed passwords across personal logins, they can create a dangerous
blind spot for corporate security teams.
Security awareness education - and
constant reminders - are critical. These scenarios show the dangers of reusing
passwords and the need for smart and safe online habits.
People need to protect themselves by
using complex passwords and changing them if they are shared across multiple
accounts. With many people having dozens or even hundreds of different
accounts, it's not realistic to expect people to remember a unique password for
every one. They should consider using a password manager or encryption key to
enable two-factor authentication. And as much as you love your kids, don't
share your company email and password with them.
Even as kids go back to school and
parents return to the office, a data breach of one app or website will continue
to expose people and their employers. Breaches might go months or years before
they are discovered, so we are likely to be seeing the cybercrime effects of
COVID-19 throughout 2021 and beyond.
##
About the Author
Chip Witt has over twenty years of diverse technology experience, including product
management and operations leadership roles at Hewlett Packard Enterprise,
Webroot, VMware, Alcatel, and Appthority. He is currently the Vice President of
Product Management at SpyCloud, where he drives the company's product vision
and roadmap. Chip works closely with field intelligence teams specializing in
OSINT and HUMINT tradecraft, actor attribution and underground monitoring.