Let's imagine this hypothetical list of email names…
Now remember, each of these email addresses comes with a name, a password and some other neat information. John.doe and Mary.smith are far too common to be of a lot of use, especially when they are using popular services like yahoo and live, but email addresses like costco.com, sdsu.edu and many others tend to indicate affiliations. Knowing that many users will use the same password at multiple sites, it becomes an easy task to filter out very common names, especially at very common sites. Less common names, even at popular sites, can still be of value.
There is an attack hierarchy in this scheme. Business domains that do not have “user” or student accounts are primary targets. An EDU account may be an employee, but it may be a student as well. If you are a hacker, then the primary business accounts are worth trying. You use the same password as you found in the Sony breach, and if it doesn't work then you have not generated suspicion with one failed login attempt. If it does work, then you're in. For EDU accounts, you might want to know who the user is to determine if they may have access to anything interesting. For uncommon names, even at providers like gmail and hotmail, there is enough to look for social networking accounts that might reveal where the victim works. From there you decide if you want to try their password.
“...drive home the point that the corporate password is not to be used for any other sites.” – Randy Abrams, director of technical education, ESET |
For Sony this is really bad. It would be expected that many employees may have registered PlayStation accounts with their Sony email addresses, and some number of those people will have used the same password on the network. For the rest of us, it is a crap shoot. Did the employee use the same password on our network as they did for the PlayStation account? Did the employee use their work email? Is the employee's name common enough that it is unlikely someone would find their social networking pages and then where they work? With companies that use a rigid format for email addresses, such as [email protected] it becomes very easy to guess a logon.
The call to action for IT is if there is a chance someone in your organization had a PlayStation account, make sure you have all passwords changed since the breach, and drive home the point that the corporate password is not to be used for any other sites. It is a really good idea to also provide password management tools so that employees learn that they really can have 20 different, very strong passwords and deal with them fairly easily.