Case study: Once more unto the breach

Using a business email address or password for personal websites may seem like a harmless activity. It may also be convenient. But over time, this practice can create a serious cyber security risk for both the person and the organisation they work for.

Keep your business and personal online life apart

When the email or password is used for sites and services such as web forums, shopping, social media, or filesharing services, the credentials can become exposed to a broad cyber security threatscape. If any of the sites are compromised, bad actors can gain access to a legitimate corporate email account that could be used for malicious purposes such as phishing, social engineering, or access to internal systems.  

An email that appears in numerous breaches over a span of years can create a compounding threat by helping attackers to build a consistent profile. Individual site passwords may be changed, but historical data can continue to feed credential-stuffing attacks, targeted phishing, and personalised scams. 

May I see your credentials?

Credential stuffing is a type of cyber attack in which an attacker gathers pairs of stolen email addresses and passwords, then uses large-scale automated login requests to gain unauthorised access to user accounts on other systems, such as websites.
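The defining feature of credential stuffing is volume: one source tries many different stolen email/password pairs in a short time, most of which fail. The following is an added example, not code from the NCSC case study, showing how that pattern can be picked out of authentication logs. The log format (timestamp, source IP, username, OK/FAIL), the sample lines and the thresholds are all constructed assumptions for illustration.

```python
"""Flag credential-stuffing activity in authentication logs.

Added example, not part of the NCSC case study.  The log format,
thresholds and sample lines below are assumptions constructed for
illustration.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Assumed log format: "<ISO timestamp> <source IP> <username> <OK|FAIL>"
LINE_RE = re.compile(r"^(?P<ts>\S+) (?P<ip>\S+) (?P<user>\S+) (?P<result>OK|FAIL)$")

# Constructed sample: one source sprays eight different accounts in a few
# seconds (one succeeds); a second source is a single user mistyping a
# password before logging in normally.
SAMPLE_LOG = """\
2024-05-01T10:00:01 203.0.113.7 alice@example.org FAIL
2024-05-01T10:00:02 203.0.113.7 bob@example.org FAIL
2024-05-01T10:00:02 203.0.113.7 carol@example.org FAIL
2024-05-01T10:00:03 203.0.113.7 dave@example.org OK
2024-05-01T10:00:03 203.0.113.7 erin@example.org FAIL
2024-05-01T10:00:04 203.0.113.7 frank@example.org FAIL
2024-05-01T10:00:05 203.0.113.7 grace@example.org FAIL
2024-05-01T10:00:05 203.0.113.7 heidi@example.org FAIL
this line is malformed and should be skipped
2024-05-01T10:01:10 198.51.100.20 alice@example.org FAIL
2024-05-01T10:01:15 198.51.100.20 alice@example.org FAIL
2024-05-01T10:01:30 198.51.100.20 alice@example.org OK
"""

# Assumed detection thresholds: many distinct usernames from one source
# inside a short window, with mostly failed attempts.
WINDOW = timedelta(minutes=5)
MIN_DISTINCT_USERS = 5
MIN_FAILURE_RATIO = 0.7


def parse_log(text):
    """Parse log text into (timestamp, ip, user, result) tuples, skipping bad lines."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # malformed line: ignore rather than crash the detector
        events.append((datetime.fromisoformat(m["ts"]), m["ip"], m["user"], m["result"]))
    return events


def detect_stuffing(events, window=WINDOW, min_users=MIN_DISTINCT_USERS,
                    min_fail_ratio=MIN_FAILURE_RATIO):
    """Return {source_ip: details} for sources whose activity looks like stuffing.

    A sliding window is run over each source's events; if any window holds
    at least `min_users` distinct usernames and a failure ratio of at least
    `min_fail_ratio`, the source is flagged.  Accounts that logged in
    successfully inside the flagged window are listed so they can be reset.
    """
    by_ip = defaultdict(list)
    for ts, ip, user, result in sorted(events):
        by_ip[ip].append((ts, user, result))

    alerts = {}
    for ip, evs in by_ip.items():
        start = 0
        for end in range(len(evs)):
            while evs[end][0] - evs[start][0] > window:
                start += 1
            chunk = evs[start:end + 1]
            users = {u for _, u, _ in chunk}
            fails = sum(1 for _, _, r in chunk if r == "FAIL")
            ratio = fails / len(chunk)
            if len(users) >= min_users and ratio >= min_fail_ratio:
                alerts[ip] = {
                    "distinct_users": len(users),
                    "failure_ratio": ratio,
                    "successful_logins": sorted(u for _, u, r in chunk if r == "OK"),
                }
    return alerts


if __name__ == "__main__":
    for ip, info in detect_stuffing(parse_log(SAMPLE_LOG)).items():
        print(ip, info)
```

The single user at 198.51.100.20 never trips the detector because the distinct-username count stays at one; the spraying source is flagged, and the account that did accept a stolen password is surfaced as the one needing an immediate reset and session revocation.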

Case study

This case study describes the journey of a single email address affiliated with a New Zealand organisation as it appeared in numerous publicly disclosed data breaches over a period of 16 years. Data from nearly all these breaches was circulated in popular hacking or cybercrime forums, which means the user’s credentials were exposed to cyber threat actors for an extended span of time.

The journey begins

  • In 2008, the credentials first appeared in a data breach involving MySpace, an early social networking site. Data obtained from this breach was later offered for sale on the dark web.
  • In 2012, the credentials appeared in data breaches involving both LinkedIn (a networking site for professionals) and Dropbox (a cloud-based filesharing site).
  • In 2016, the credentials featured in data breaches affecting MDPI (a scholarly open-access publisher), ExploitIn (an underground forum) and AntiPublic (a large list of email addresses and passwords that was widely circulated and used for credential-stuffing attacks). 
  • In 2017, the credentials appeared in the Onliner Spambot breach. Onliner was a massive breach affecting over 711 million email addresses. Onliner was typically used to send banking malware to recipients.
  • In 2018, the credentials appeared in breaches affecting MyFitnessPal and YouveBeenScraped.
  • In 2019, the credentials were featured in the People Data Labs (PDL) data breach. PDL is a data enrichment company. 
  • In 2021, the credentials appeared in the LinkedInScrape (data taken from LinkedIn) and BVD (business data from various sources) data breaches.
  • In 2023, the credentials were listed in a large data breach affecting Twitter.
  • In 2024, the credentials appeared in the Operation Endgame data breach. This data was seized from botnet operators and provided to Have I Been Pwned by law enforcement agencies. 

Individuals can check their email addresses for exposure at the NCSC's How Exposed Am I? website, which uses the same platform as 'Have I Been Pwned?'.

Check to see if your email has been involved in a data breach:

How Exposed Am I? 

Breach implications

The use of a work email address for personal reasons was a likely reason for the appearance of this user’s credentials in many of the breaches. Cyber threat actors can use stolen credentials to gain access to their victims’ work email accounts. This initial entry point may then give them further access to work systems, which can enable them to carry out attacks such as:

  • business email compromise,
  • ransomware, or
  • theft of intellectual property and confidential data.

This presents a potentially serious risk to any organisation in the public or private sector. 

What New Zealanders can do

Although not all data breaches are preventable, following these basic recommendations will help to prevent malicious actors from gaining access to an organisation’s user accounts and systems:

  • Ensure your organisation has a password policy and an acceptable use policy in place for the use of work email addresses. Make sure all staff, contractors, or anyone else with access read and understand these policies.
  • Ensure staff and anyone else with access understand the cyber security risks of using work email addresses for logging in to external websites, especially if the websites don’t have a clear work purpose.
  • Make it compulsory for staff to use multi-factor authentication (MFA) for logging in to work accounts. MFA is a critical tool for mitigating malicious cyber activity.
  • Regularly review and update your organisation’s password policy to ensure it aligns with industry best practice. Ensure passwords are changed when there’s evidence of compromise.
  • Ensure that processes for off-boarding employees include immediately revoking access to accounts and systems when they depart.
  • Implement a robust process to manage risks relating to external service providers who have access to your systems. 
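"Evidence of compromise" for a password usually means it appears in a breach corpus such as the one behind Have I Been Pwned. The following is an added example, not NCSC or HIBP code, of how such a check can be done without sending the password anywhere: only the first five characters of its SHA-1 hash are sent as the query, and matching is finished locally (the k-anonymity range scheme used by HIBP's Pwned Passwords). The corpus and counts here are constructed, and the lookup runs against a local dictionary that stands in for the remote service.

```python
"""Check a password against a breached-password corpus via k-anonymity.

Added example, not NCSC or HIBP code.  `_CONSTRUCTED_CORPUS` and the
`range_lookup` function stand in for the remote service; in practice
the prefix would be sent to the service and the response parsed the
same way.
"""
import hashlib
from collections import defaultdict

# Constructed corpus of breached passwords with made-up occurrence counts.
# Only hashes are kept in the index; plaintexts appear here solely to build it.
_CONSTRUCTED_CORPUS = {
    "password": 9_000_000,
    "letmein": 250_000,
    "Summer2024!": 37,
}


def sha1_upper(password: str) -> str:
    """Upper-case hex SHA-1 of the password, the form the range scheme uses."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest().upper()


def build_range_index(corpus):
    """Index breached hashes by their 5-character prefix.

    Each entry is a 'SUFFIX:COUNT' line, the response format the scheme
    returns for a prefix query.
    """
    index = defaultdict(list)
    for plaintext, count in corpus.items():
        h = sha1_upper(plaintext)
        index[h[:5]].append(f"{h[5:]}:{count}")
    return index


_RANGE_INDEX = build_range_index(_CONSTRUCTED_CORPUS)


def range_lookup(prefix: str):
    """Stand-in for the remote range query: returns all suffixes for a prefix."""
    if len(prefix) != 5:
        raise ValueError("range queries take exactly a 5-character hash prefix")
    return list(_RANGE_INDEX.get(prefix, []))


def breached_count(password: str) -> int:
    """Return how many times the password appears in the corpus (0 if never).

    Only the 5-character prefix leaves this function; the full hash is
    compared locally against the returned suffixes.
    """
    h = sha1_upper(password)
    prefix, suffix = h[:5], h[5:]
    for line in range_lookup(prefix):
        candidate, count = line.split(":")
        if candidate == suffix:
            return int(count)
    return 0


def requires_reset(password: str) -> bool:
    """Policy decision: any appearance in a breach corpus is evidence of compromise."""
    return breached_count(password) > 0


if __name__ == "__main__":
    for pw in ("password", "Summer2024!", "a long unique passphrase 4 this site"):
        print(pw, "->", breached_count(pw), "reset" if requires_reset(pw) else "ok")
```

The same check fits naturally at password-change time and as a periodic audit: a password that has appeared in a breach even once should be rotated, regardless of whether the account itself has shown suspicious activity.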