30% of CEOs have had their credentials leaked
Username and password re-use potentially puts corporate information at risk - study


Almost one in three CEOs have had their usernames and passwords leaked as part of a data breach, new figures have shown.
Infosec company F-Secure analysed the known email addresses of more than 200 CEOs from top businesses across ten countries, comparing these details to leaked spam lists and account databases distributed by hackers.
It found that 30% of CEOs had their password leaked when a service they had signed up for with their corporate account fell victim to a breach.
The biggest cause of this was professional networking service LinkedIn, which was linked to 53% of the leaked accounts F-Secure analysed. Hackers infiltrated the service back in 2012, then last year released the account details of 117 million people.
Next on the list was Dropbox, which 18% of CEOs had signed up to. F-Secure did, however, point out the caveat that someone else could have used a CEO's email address to attempt to sign up for a service.
The issue of password re-use - where people use the same login details for multiple services - means that CEOs may need to change the passwords for other services than those their email addresses were leaked by.
For instance, hackers could try CEOs' credentials leaked in the LinkedIn and Dropbox breaches to attempt to gain access to sensitive corporate information through credential re-use attacks.
Get the ITPro daily newsletter
Sign up today and you will receive a free copy of our Future Focus 2025 report - the leading guidance on AI, cybersecurity and other IT challenges as per 700+ senior executives
"This study once again underscores the importance of proper password hygiene," said F-Secure CISO Erka Koivunen. "The CEO's credentials may have leaked even when they have done nothing wrong.
"We can assume that many of the services we've created an account in have already been compromised and the old passwords are out there on the internet, just waiting for targeted, motivated attackers to try them against other services."
In addition to this, more than 80% of CEOs were found to have had personal information - including email addresses, physical addresses, phone numbers and dates of birth - exposed via leaked marketing databases and spam lists.
In fact, less than one in five CEOs had no leaks whatsoever associated with their email address.
On the other hand, Koivunen also pointed out that signing up to services with a privately-controlled email account may not necessarily be any more secure.
"When using a private email, a personal phone number or a home address to register for a service that the CEO uses to conduct official business, the CEO effectively denies the company's IT, communications, IPR, legal, and security teams a chance to protect the credentials, monitor their misuse or attempts to compromise them and makes it nearly impossible to recover them later," he said.
"To an attacker, a CEO who uses private email to register for a service they use in an official capacity spells a loner - someone who goes it alone and doesn't bother to rely on his/her staff to provide protection."
Adam Shepherd has been a technology journalist since 2015, covering everything from cloud storage and security, to smartphones and servers. Over the course of his career, he’s seen the spread of 5G, the growing ubiquity of wireless devices, and the start of the connected revolution. He’s also been to more trade shows and technology conferences than he cares to count.
Adam is an avid follower of the latest hardware innovations, and he is never happier than when tinkering with complex network configurations, or exploring a new Linux distro. He was also previously a co-host on the ITPro Podcast, where he was often found ranting about his love of strange gadgets, his disdain for Windows Mobile, and everything in between.
You can find Adam tweeting about enterprise technology (or more often bad jokes) @AdamShepherUK.
-
Why are many men in tech blind to the gender divide?
In-depth From bias to better recognition, male allies in tech must challenge the status quo to advance gender equality
By Keri Allan
-
BenQ PD3226G monitor review
Reviews This 32-inch monitor aims to provide the best of all possible worlds – 4K resolution, 144Hz refresh rate and pro-class color accuracy – and it mostly succeeds
By Sasha Muller
-
Capita tells pension provider to 'assume' nearly 500,000 customers' data stolen
Capita told the pension provider to “work on the assumption” that data had been stolen
By Ross Kelly
-
Gumtree site code made personal data of users and sellers publicly accessible
News Anyone could scan the website's HTML code to reveal personal information belonging to users of the popular second-hand classified adverts website
By Connor Jones
-
Pizza chain exposed 100,000 employees' Social Security numbers
News Former and current staff at California Pizza Kitchen potentially burned by hackers
By Danny Bradbury
-
83% of critical infrastructure companies have experienced breaches in the last three years
News Survey finds security practices are weak if not non-existent in critical firms
By Rene Millman
-
Identity Automation launches credential breach monitoring service
News New monitoring solution adds to the firm’s flagship RapidIdentity platform
By Praharsha Anand
-
Neiman Marcus data breach hits 4.6 million customers
News The breach took place last year, but details have only now come to light
By Rene Millman
-
Indiana notifies 750,000 after COVID-19 tracing data accessed
News The state is following up to ensure no information was transferred to bad actors
By Rene Millman
-
Pearson fined $1 million for downplaying severity of 2018 breach
News The SEC found the London-based firm made “misleading statements and omissions” about the intrusion
By Rene Millman