Passwords of more than half a million Belgians are freely available, and hackers could easily put them to use

A leak on a marketplace where hackers exchange stolen data has made the company passwords of more than 500,000 Belgians public. The list includes addresses of employees of several well-known companies and institutions, including UGent, KU Leuven and VRT. The passwords may be old. Nevertheless, hackers could still use them, with all the consequences that entails.

More than half a million Belgian company e-mail addresses and their associated passwords: that is the haul of a hacker collective that was able to get hold of data from RaidForums. RaidForums is an online marketplace where hackers trade stolen data among themselves. Last year, the FBI and Europol took the platform offline. Despite that intervention, much of the data is still readily available.

From Ghent Uni to the Flemish public broadcaster VRT

VRT NWS was able to gain access to an extensive list of more than 500,000 e-mail addresses and their passwords. These include many e-mail addresses of companies and institutions, among them addresses of employees of the universities UGent and KU Leuven, but also data from people's private accounts.

Chances are that the data comes from an old, large-scale hack of a popular website. We were not able to discover which site is the common thread. It could be a site like Dropbox, where employees often log in with their company account.

The passwords may be old. As mentioned, RaidForums was taken offline last year, so the passwords are presumably more than a year old. Moreover, the list includes names of people who are no longer active, including, for example, a colleague who died in 2020.

KU Leuven assures us that it is protected and works with two-step verification. Anyone who wants to log into an account at the university must, in addition to entering the password, answer a phone call or text message.

In addition, employees are required to change their passwords periodically. VRT has a similar policy. "Anyone who wants to log into their account must confirm their identity via a secure app," says VRT spokesperson Barbara Callier. "In addition, employees must regularly change their password, which must comply with strict rules. If we receive such a notification, we also warn the employees concerned and ask them to be extra vigilant, for phishing, for example. We also keep a close eye on our systems and intervene in case of suspicious behaviour."

So the chances of someone using the passwords to log directly into a company account are rather slim.

UGent takes note of the leak but does not wish to comment further about its security policy.

One password for several sites?

Still, the leak is not without danger. Firstly, because someone's password may also be valid for other sites. While companies may require employees to change their passwords, some people continue to use the same password for personal services such as private e-mail accounts like Gmail, social media or online shops.

In most cases, those websites also work without two-step verification. Cybercriminals also have tools to check whether the same password is valid on other websites.

In addition, criminals can send more credible phishing messages. An e-mail that quotes your old password and tells you that you are at risk and must take urgent security measures often causes panic. If it also includes a link to a convincing-looking site that collects even more of your data, you are often even worse off.