Global Networking Company

CASE STUDY

Industry: TECHNOLOGY

Global Networking Company Trusts SpyCloud to Protect Its Active Domain Users from Account Takeover

Challenge

Discovering exposed user credentials across the global networking company’s many domains proved to be challenging using old, redundant, and undecrypted password data from an incomplete solution.

Solution

The technology company automatically monitors domain user accounts using fresh data pulled from the SpyCloud database via an API, giving the company time to remediate before accounts are compromised.

Result

With the SpyCloud exposure data at their fingertips, the company generates detailed reports that enable earlier remediation and justify the value of their investment in account takeover prevention technology.

A Global Networking Company Trusts SpyCloud Data to Protect Its Domain Users from Account Takeover

The global IT and networking company profiled is a recognized technology leader with approximately 75,000 employees and annual revenue of nearly $50 billion. Security is a primary focus of its digitization strategy and the company uses a multi-pronged approach to ensure its systems, employees and customers are protected.

Challenge

Discovering Compromised User Accounts Early

The technology company is well aware of security risks that seem to never end. Its focus on protecting its assets and users motivates security leaders to continually implement modern solutions to combat the threats.

One of the growing challenges is protecting usernames and passwords from being compromised. When users select a password to log into internal company domains, they establish a connection point that criminals are all too quick to leverage.

The primary problem is directly linked to reused passwords. When employees use the same or slightly varied password across multiple accounts, it’s like a neon light flashing for criminals. While this introduces risk for every organization, this particular company has more than their share of corporate domains to protect. Through acquisitions, they have accumulated multiple domains, each with its own user base.

The existing security products they were using were intended to monitor the dark web and notify security leaders of any compromised accounts. What they received instead was old and redundant data that was discovered well after the credentials had already been stolen and sold on underground markets. Further, the previous vendor was only able to provide exposed encrypted password hashes much of the time, making the data unactionable. For a company that takes security seriously, a better solution had to be found.

Solution

Detailed Exposure Data that Triggers Automated Remediation

The technology company was intrigued by the quality and quantity of data that SpyCloud curates, particularly the number of plaintext passwords that are directly matched to a username. SpyCloud has recovered the largest database of compromised accounts, has cracked the largest number of encrypted password hashes into plaintext, and is constantly ingesting more breach data sooner after a breach than any other company. When compromised credentials are discovered earlier in the account takeover lifecycle, companies like this one can take action before criminals use the credentials in stuffing attacks to gain access into the organization.

“The SpyCloud data has proven to be of very high quality and we saw instant value,” says a security manager within the technology company.

“The SpyCloud model lends itself well to driving the level of automation required for our use cases.”

For the technology company, automation is key to efficiency, accuracy and speed. They have automated most of the discovery and remediation process using the SpyCloud API to pull breach records across all of their domains to form a watchlist that is forwarded to the security manager. The security team separates external and internal account holders of their main domain, and external account users are notified directly of compromised credentials.

Another process is initiated for internal account holders. For these accounts, answers to a series of questions direct the type of remediation effort: has the breach record been seen before? Is the account still active? Does the account belong to an executive, administrator or service account?

The technology company has also built their own internal “Credentials Leak Notification Dashboard” that monitors the value SpyCloud is providing. This dashboard contains monthly reports of the leaks as well as the victims who were notified, the notification timeline, and the specific accounts that have experienced more than one breach.

Results

More Exposures Discovered Than Ever Before

In just one quarter, the IT and technology company was able to use the SpyCloud data to notify more than 3,600 users that their credentials had been exposed. These are active user accounts that were threatening the enterprise without users realizing they were playing a role in security risk. Today, the company is confident they are catching exposures and using the data to educate users on ways to fortify their passwords going forward.

Using the API, the reports in the company’s dashboard contain all of the relevant data pulled directly from the SpyCloud database, giving the company the information they need to take appropriate and immediate action.

“The SpyCloud data provides us with the details of not only the exposures but how we are distilling the data and deriving value from the SpyCloud solution,” says the manager. “Great data is wonderful, but the way SpyCloud operationalizes it for us has been invaluable in our efforts to justify our investment in this security technology.”

More than 3,600 users notified of leaked credentials in the first 3 months

The SpyCloud Difference

Truly Actionable Recaptured Data

SpyCloud solutions are backed by the world’s most current and comprehensive repository of recaptured data from breaches, malware infections, and other underground sources – with billions of exposed credentials and PII. It’s the same data that fraudsters use, but we make it actionable to prevent account takeover, ransomware attacks, and online fraud.

Top 10 Travel Booking Site

CASE STUDY

Industry: TRAVEL & HOSPITALITY

Top 10 Travel Booking Site Discovers Up to 11,000 Exposed Customer Credentials per Hour with SpyCloud

Challenge

Preventing account takeover begins with monitoring the dark web, but without the ability to match user accounts with a database of exposed credentials, a top 10 travel booking site was vulnerable to attack.

Solution

The booking company uses the SpyCloud API to continually monitor and protect customer accounts against SpyCloud’s massive database of exposed emails and plaintext passwords.

Result

With automated dark web monitoring, the company discovers thousands of exposed customer accounts every hour, enabling the company to better protect their customers from account takeover.

Top 10 Travel Booking Site Discovers Up to 11,000 Exposed Customer Credentials Per Hour with SpyCloud

The online travel booking company profiled is one of the largest in the world, with nearly two million room nights reserved at more than 140,000 global destinations on its online platform every day. With a mission to remove the friction out of travel, the company unites travelers with every type of accommodation available.

Challenge

Preventing Account Takeover After a Breach

Account takeover (ATO) is a growing problem that impacts virtually every industry, particularly those organizations with an e-commerce capability. When cyber criminals steal usernames and passwords or purchase them from breach data on the dark web, both consumer and company can suffer.

The risk of ATO keeps security leaders up at night. Beyond the financial loss, ATO is often the dreaded aftermath of a security breach and can continue to cause damage for years.

For the Account Security Group at this top 10 travel site, keeping constant watch over their user accounts is a full-time job that would greatly benefit from automation.

“It has always been our goal to prevent, detect and remediate any account security threat,” says a security leader at the online travel company. “We wanted a solution that would enable us to continually evaluate our security stack and if we detect any gaps in our strategy, take immediate action to protect our customers and our brand, starting with ATO prevention.”

Solution

Identify Exposed Credentials Early and Rapidly

SpyCloud always has its ear to the ground in the deep and dark web. Through proprietary tools, techniques and technologies, SpyCloud is able to detect corporate breaches earlier than any other company. The earlier exposed credentials are discovered, the more likely a future breach can be prevented.

To prevent breaches, ATO and ongoing fraud, this top 10 travel booking site turned to SpyCloud, recognizing the value of the detailed, real-time, accurate data SpyCloud provides. They chose to work with SpyCloud to launch a new initiative to automatically detect exposed customer credentials and alert security leaders early in the process, before criminals have the opportunity to take over the account and cause damage.

The company uses SpyCloud data as part of their account stuffing attack monitoring. For each login attempt to their domains, they initiate an out-of-band SpyCloud check for an account match. They then check match alerts against SpyCloud’s recorded spikes in account stuffing attacks to identify any correlations.

“We use SpyCloud to detect the ATO storms – when an attacker targets our system with a list of breached credentials,” says the security leader at the company. “The SpyCloud data reveals which accounts are compromised so we can force the account down an alternate road that includes a second step in the verification process. This is typically requiring the account owner to answer security questions or engage in two-step multi-factor authentication.” 

“Without the SpyCloud data, we would be in constant risk for attacks we never saw coming. We may not be able to stop every breach, but we feel we are being more proactive and have dramatically improved our security stance.”

Results

Thousands of Exposed Credentials Discovered Every Hour

One of the unique aspects of SpyCloud is the ability to discover direct matches with emails and passwords. Identifying exposed emails is not enough and doesn’t indicate the account has been compromised. With SpyCloud’s proprietary password cracking methodology, more passwords can be cracked, unencrypted and operationalized. In fact, SpyCloud owns the largest database of emails and plaintext passwords, eight billion and counting.

“SpyCloud allows us to see where we are vulnerable in order for us to fortify those potential entry points,” says the security leader. “With the SpyCloud database constantly updated, we can continually monitor our customer base with the freshest, most usable data available. Using the SpyCloud data, we discover anywhere from 3,000 to 11,000 direct matches per hour. Every one of those exposed accounts could have led to account takeover.”

While the SpyCloud solution does include the capability for users to automatically remediate accounts with matches to breach records, typically forcing a password reset, the travel company prefers less friction in the booking process.

“For now, we are using SpyCloud simply for monitoring, but we are aware the solution can do much more,” says the security leader. “We are evaluating our options and are considering moving towards being more proactive without compromising our mission. The fact that SpyCloud is customizable to our needs now but also scalable to where we may go in the future is one of the reasons we chose their solution.”

4.7% email and plaintext password match rate.

Automattic

CASE STUDY

Industry: TECHNOLOGY

Automattic chose SpyCloud to automate the process of detecting account exposures and protecting the account from a takeover. 

Challenge

Password reuse is a constant issue that often leads to account takeovers, yet finding exposed credentials was a labor-intensive, manual task that didn’t capture every instance.

Solution

Automattic chose SpyCloud to automate the process of detecting account exposures and protecting customer accounts from a takeover with proactive tools that force an immediate password reset.

Result

With the automated solution, Automattic is protecting millions of people from account takeover and preventing them from reusing exposed passwords for a safer customer experience.

How Automattic Is Protecting Customers Behind The Scenes

Automattic is the company behind one of the most popular online publishing platforms in the world, WordPress.com. WordPress.com is but one of the products offered by Automattic. The company has developed services like Jetpack and WooCommerce that give users additional functionalities such as ecommerce, website security, backups and anti-spam capabilities. With a motto of “making the web a better place,” clearly Automattic is defining how the internet can empower, inspire and delight.

Today, customer accounts have become a target for cybercriminals who seek to hack accounts to steal identities, data or privileges using stolen credentials. When people reuse passwords across multiple sites and apps, they make themselves highly vulnerable to attacks. Automattic took up the cause to ensure its customers were as secure as its own servers, offering multi-factor authentication and ensuring customers choose strong passwords that have never been exposed on the dark web.

Enhancing the Website Experience

Automattic’s mission is to give people easy access to a platform where they can share data beyond social media accounts. “We believe everyone should have their own place on the web, their own domain they own forever,” says Barry Abrahamson, CTO at Automattic. “While affordable, we give them inventive tools to make it unique, interactive and highly functional.”

What was once primarily a blogger’s paradise, WordPress.com has expanded to give businesses of all sizes across the globe a place to connect with an audience in ways never before possible. “Protecting our customers from account takeover is something we view as our responsibility,” says Abrahamson. “Many people may not realize the risk of reusing passwords across multiple accounts. Our goal is to both educate our users and protect their WordPress.com site as much as we can from all forms of attacks. We do all of the work behind the scenes so customers can just enjoy their site and the freedom it brings to express themselves.”

Automattic is unique. They don’t charge extra for the many security features embedded in their products. Everything is included in the platform because the company believes at its core that those features are too important to leave to chance. A secure presence on the internet is a basic right, not an opportunity to nickel and dime customers. To Automattic, Denial of Service protection, SSL, web application firewalls and account takeover prevention are features as important as any basic product functionality, maybe more.

“Our idea behind security is to provide best-in-class security features and functionality to all customers in a transparent, no-hassle way, whether they ask for it or are completely oblivious to its necessity,” says Abrahamson. “We ensure when we implement something, we make the default version as secure as technically possible. Security features are automatically enabled, without requiring the user to turn on a feature, so we know our customers are protected from bad people who want to cause harm.”

Proactively Preventing Account Takeover

Account takeover has come front and center in the past few years. According to Verizon, stolen credentials top the list of breach attacks, mostly due to the fact that nearly 60 percent of people admit to reusing passwords across multiple accounts. Automattic believes it can be more effective in protecting its millions of customers by embedding security solutions into its products.

One such solution is SpyCloud, which Automattic chose to automate the process of detecting account exposures and protecting accounts from takeover with proactive tools that force an immediate password reset. “Account compromise due to password reuse has become a larger problem over the years,” says Abrahamson.

“We found ourselves spending more of our time searching the dark web for these password lists and then going through manually comparing the list with our customer list, then proactively resetting their passwords. It was a huge time commitment. Now that we have an automated solution, we can protect hundreds of millions of people and prevent them from choosing passwords that have already been exposed.”

Plenty has changed since Automattic was founded, yet the company has the foundation in place to stay nimble to whatever comes next. Automattic continues to build tooling and algorithms internally that detect, block, alert and notify. “We will invest in security measures that are proven to bring value to our products by providing a safe environment for our customers,” he says. “Security will always be at the top of our priority list because it’s our responsibility to take care of our customers who trust us.”

About Barry Abrahamson

Chief Technology Officer may be on Barry Abrahamson’s resume, but Automattic insiders prefer to call him Systems Wrangler. Abrahamson knows technology. He was one of the original hires at Automattic and for more than 12 years, has worn plenty of hats. He is responsible for all of the technology and implementations at Automattic, including servers, data centers and security, as well as improving performance and security insights. Before joining Automattic, Abrahamson was a senior account manager at Rackspace Managed Hosting.

Chemical Company

CASE STUDY

Global Specialty Chemical Company

Industry: CHEMICAL

Combining ATO Prevention with Employee Education to Fight Cybercrime

Challenge

Preventing a security breach that impacts their customer data is a top priority for this customer, yet without credential exposure monitoring and reporting, they were at constant risk.

Solution

The company consistently monitors employee credentials against SpyCloud’s database of stolen credentials to proactively catch account takeover exposure early, before criminals have the opportunity to compromise employee accounts.

Result

With accurate, real-time exposure data at their fingertips, the team is able to prove risk, helping executives and employees become more aware of the threat of account takeover and be proactive to prevent it.

About the Company

This case study covers a global specialty chemical company headquartered in the United States. Its innovative solutions are designed for customers in the pulp and paper, leather, plastics, oil and gas, and water treatment industries.

Challenge

Visibility into the Real Threat of Exposed Credentials

One of the company’s strategic initiatives is to apply digital technology in the process of not only applying chemicals but helping customers ensure their processes are efficient and effective. With cyber threats front and center, the company is equally invested in taking appropriate protections to mitigate their own risk by protecting sensitive data.

“Much of what we do is not only to gain the trust of our customers with our chemical and process expertise but with how we treat their private information,” explained the Director of Global IT Infrastructure. “We can’t afford to have a security breach that impacts their data.”

The company understands that many attackers find entry points into organizations via unsuspecting employees. Whether by using their company credentials on personal accounts or responding to phishing emails that download malware, employees are often the easiest targets for cybercriminals. Many of this company’s employees use multiple devices to access systems with corporate or customer information, compounding the risk.

In fact, the company has experienced account takeover of this nature in the past with a phishing attack that made its way to the CEO. “Our CEO had his email account taken over and the cybercriminal sent out a bogus email to a finance associate claiming our financial officer authorized a wire transfer. The email was convincing, even using actual names and private information.” Fortunately, the team member was well trained in spotting suspicious emails and went directly to the finance officer to verify the email was a scam.

Even with best practices in place, the IT Infrastructure team recognized the company needed to add credential exposure reporting to its repertoire of security solutions. Many of its executives didn’t realize their information was exposed and associates didn’t believe their stolen credentials would harm the company or customers. In order to prove the risk to them, the team needed hard data to show them the threat was real, from the CEO to the most entry-level associate.

Solution

Real-time, Usable Data for Immediate Remediation

The company already had multiple layers of technology safeguards in place, such as firewalls, automatic security updates, malware prevention, and automatic monitoring of assets. The one thing it lacked was consistent monitoring of employee credentials against a database of stolen credentials. For that, they chose SpyCloud.

Over 2,000 exposed employee records were detected across 65 different 3rd party breaches since becoming a SpyCloud customer.

“We are a chemical company, not a cybersecurity company. SpyCloud watches multiple areas of the dark web for us, gathers exposed credential data that we never had access to before and presents it in a simple way we can share with associates and corporate leaders to help them understand the level of risk we are facing. The SpyCloud data is more specific and actionable than any other solution we found, giving us employee, account-level and source detail we need to prove the threat and take immediate action. SpyCloud also shared best practices we could immediately employ. Combined with real-time exposure data, our employees are continually improving their cyber-knowledge and skills.”

Employee education has been a major focus – and something to which SpyCloud has contributed greatly. Teaching associates and executives about the tactics cybercriminals use and the steps they must take to safeguard their accounts is just as important as the technology in place to protect their information, brand and reputation. Today, all of the company’s employees understand they are all potential targets and know what to do to lessen the risk.

Results

Continual Improvement of Cyber Awareness, Skills and Protection

Since implementing SpyCloud as part of its overall technology stack, this customer has dramatically reduced the risk of a breach. Its executives and associates are proactive in contributing to the company’s security stance, particularly as they receive data on exposed credentials. Information from SpyCloud empowers them to take control of their corporate credentials, which in turn, helps them protect their personal accounts as well.

The success of the SpyCloud solution has been measurable; so much so, that it enabled the IT Infrastructure team to obtain budget for weekly phishing prevention training from industry experts.

It has become an expectation that associates continually develop their cyber skills and adhere to best practices, including changing their passwords on a regular basis, choosing strong and unique passwords, using multi-factor authentication and not using corporate IDs for personal business.

“Criminals have been doing the same thing they’ve been doing for centuries. They’re just doing it differently now. We can’t fight it all with technology alone. We must also transform our habits to reduce the risk. Our security strategy has come a long way, but we are never complacent. I sleep better at night knowing we are doing as much as we can, while at the same time, always have one eye open to what we need to do next.”
