Google Warns Users About Phishing Scam Targeting 2 Billion Active Accounts

Google has recently issued a security alert regarding a sophisticated phishing scam that is targeting its massive user base of 2 billion active accounts. The company has made it clear that emails coming from the address “no-reply@accounts dot google dot com” are fraudulent and have nothing to do with Google or its services. These deceptive emails are claiming that user data has been compromised or leaked and that immediate action is required, but in reality, they are part of a scam designed to steal personal information.

The Phishing Scam Explained

Over the past two weeks, users, particularly those residing in major metropolitan areas in the United States, have reported receiving emails that seem to come from a legitimate source—Google itself. The emails appear to be official communications, which makes them particularly dangerous. They encourage recipients to click on embedded links, which purportedly lead to government actions requiring access to their data. The message warns that the user’s data may contain blasphemous content or material that threatens national security, and that it needs to be reviewed by government authorities.

The email even goes as far as to claim that it is acting under a subpoena from the U.S. government, further convincing the recipient of its authenticity. However, Google has categorically stated that it does not, nor will it ever, send emails requesting users to share sensitive information such as passwords, one-time passcodes (OTPs), or biometric data. These types of requests are clear signs of phishing attempts, and users are urged to stay vigilant.

The Dangers of Clicking Links in Phishing Emails

The primary danger of these phishing emails lies in the links they contain. Clicking on these links can direct users to fake, malicious web pages that are designed to harvest sensitive information like login credentials, financial details, and other personal data. These fraudulent pages may appear convincingly real, and some even claim to be official Google or government portals. However, once the victim enters their personal information, the attackers gain full access to their accounts, putting them at risk of identity theft, financial loss, and even legal trouble.

To make matters worse, these fake web pages often carry threats of legal action against the victim, warning them of potential criminal charges related to illegal data use or internet misuse. This tactic creates unnecessary fear, pressuring victims into complying with the fraudsters’ demands.

A New Level of Deception: Using Gmail as a Gateway

In the past, cybercriminals have mostly relied on fake emails related to delivery services like FedEx, UPS, and DHL Express to lure users into clicking on malicious links. These scams typically involve fake tracking updates, pushing users to disclose their personal identifiable information (PII). However, this latest phishing scam marks a worrying escalation. Cybercriminals are now leveraging one of the most widely used and trusted services in the world—Gmail—to distribute their malicious content.

Since Gmail is an essential tool for billions of people worldwide, hackers see it as a prime target. The fact that these fraudulent emails are being sent from an email address hosted on Google’s own servers adds an alarming layer of authenticity to the scam, making it even harder for users to spot the fraud. It raises questions about whether Google needs to implement stricter security measures to prevent its own platform from being used as a vehicle for such attacks.

Google’s Response and User Advice

Google has advised all Gmail users to remain cautious and not to click on any links or follow instructions in emails that request personal information or seem suspicious in nature. The company strongly recommends that users report any phishing attempts and delete such emails immediately.

Furthermore, users are encouraged to keep their devices up-to-date with the latest security patches and use strong, reputable anti-malware solutions to protect themselves from threats. This includes ensuring that their operating systems, browsers, and other software are fully updated to patch vulnerabilities that could be exploited by attackers.

Conclusion: Staying Safe in a Digital Age

With cybercrime continuing to evolve, it’s more important than ever to be aware of phishing scams and the tactics used by cybercriminals. While Google has taken steps to warn its users, the responsibility ultimately lies with individuals to stay informed and cautious. By remaining vigilant and adopting good cybersecurity practices, users can better protect themselves from falling victim to these ever-growing threats.

Despite Google’s efforts to safeguard its platform, the fact that phishing emails are being sent from its own servers underscores the need for further action and security enhancements. As we continue to rely on digital services, maintaining a high level of awareness and security is essential to avoiding scams and protecting our personal data.

The post Google Warns Users About Phishing Scam Targeting 2 Billion Active Accounts first appeared on Cybersecurity Insiders.

The post Google Warns Users About Phishing Scam Targeting 2 Billion Active Accounts appeared first on Cybersecurity Insiders.

May 21, 2025 at 11:11AM

Read More

It’s Time to Move Away from the “Phonebook” Approach to Cybersecurity

Database expert Dominik Tomicevic highlights the limitations of traditional cybersecurity defense methods and why knowledge graphs could be a better avenue for the CISO to pursue 

Data shows that the global cost of cybercrime will soar by four trillion dollars over the next four years, rising from $9.2 trillion in 2024 to an estimated $13.9 trillion by 2028. Does this mean organizations must simply accept cyberattacks, malware, phishing, and other threats as endemic and ever-growing challenges?

Not necessarily. Greater vigilance and innovation in cybersecurity strategies can change the trajectory. While embracing digital technologies and the cloud has undeniably boosted convenience and productivity, it has also introduced significant vulnerabilities. Increasing reliance on open-source libraries to speed development—rather than building all code in-house—has, in turn, exposed organizations to new and serious risks.

Traditional cyber methods don’t work anymore

But the benefits are simply too great to ignore. The drive toward digital, online, and cloud-based operations is unstoppable, as is the growing reliance on externally sourced or AI-generated code. The problem is that most current cybersecurity methods fall short because they rely on models that are too rigid—both in how they represent the world and how they adapt to change. This is where developers we work with have identified a better way to help curb these dangers, at least to some extent.

The reason current systems of record for cyber vulnerabilities often falter is that they are built on the relational data model, which functions much like a “phonebook.” A phonebook offers a static, alphabetical list of individuals—but real life is far more complex, shaped by friendships, families, workgroups, rivalries, and constantly evolving relationships. Static models simply can’t capture the dynamic nature of modern digital environments.

Attackers understand this. They don’t exploit static lists—they target the living, breathing web of human connections. In other words, they aren’t studying organizational charts or formal hierarchies; they focus on the real-world links between people, creeping through systems to exploit user permissions not in isolation, but as gateways into broader networks.

This is why social engineering is so effective. If one person is compromised, who else might be vulnerable? What systems do they access? Who do they interact with daily? Attackers are disturbingly good at tracing these pathways—and exploiting them to devastating effect.

There’s another key limitation with the phonebook model—or more technically, with traditional relational approaches to cybersecurity: speed. Moving fast is essential, but modeling real-world complexity with relational databases requires many JOIN operations, which quickly become computationally expensive. In a multi-step attack, it might take 10 to 20 JOINs just to assemble a clear picture, and by then, the process could either time out or consume so many resources that it becomes impractical.

Trying to defend against adversaries who map and exploit dynamic relationship networks is incredibly challenging. A bad actor can quietly slip in a change request to open port 40 in a cloud security configuration, and in a highly connected system, that single move could silently unlock 1,000 other doors—with no clear way of knowing where they are.

The key element in the security war is relationships

That’s not just a vulnerability. That’s a nightmare. What’s becoming clear is this: a better way to understand the complex relationships and interdependencies within cyberspace could not only strengthen defensive postures, but also enable faster, more decisive action.

In response, more and more organizations—whether protecting their own systems or building cybersecurity solutions—are turning to graph-based approaches to model relationships and information. After all, every employee’s access to business services and systems creates a connection—a relationship—between individuals and the resources they use.

Player No 2 has entered the game

Which is why graph technology matters: it models systems clearly and powerfully by representing users, systems, and data as nodes, and the permissions and connections between them as edges. This “graph thinking” isn’t new—it’s exactly how attackers view your environment during penetration testing. They don’t see a flat network; they see a connected web of relationships and look for paths they can exploit to move laterally.

Graph technology allows defenders to adopt the same perspective before threats emerge. At its core, graph technology is about relationships—and whether it’s employees and devices, users and applications, or systems and services, a graph database can accurately capture the complex way your organization truly operates.

Crucially, graph technology doesn’t just deliver better visibility—it also dramatically improves speed of response. Because graphs eliminate the need for complex queries and costly JOIN operations, problems can be solved on a linear, not logarithmic, timescale. Connections can be mapped in seconds, not hours, giving security teams the clarity and agility they need to stay ahead of threats.

So where does AI fit into this picture? The next natural evolution is leveraging machine learning, AI, and advanced data techniques. A graph-based approach not only strengthens cybersecurity today, it also lays a powerful foundation for future AI initiatives, enabling faster, smarter, and more adaptive defenses.

The potential of a graph-based approach to navigating the intricate network of relationships that underpin cybersecurity challenges is immense. However, without adopting smarter, more adaptive cybersecurity strategies, both businesses and society will continue to fall behind in the relentless battle against cyber threats—threats that often understand our systems and vulnerabilities better than we do ourselves.

The author is the CEO of knowledge graph leader Memgraph

The post It’s Time to Move Away from the “Phonebook” Approach to Cybersecurity first appeared on Cybersecurity Insiders.

The post It’s Time to Move Away from the “Phonebook” Approach to Cybersecurity appeared first on Cybersecurity Insiders.

May 21, 2025 at 10:18AM

Read More

UK Cyber Crime takes a new turn towards TV show the Blacklist

Cybercriminals in the UK have recently shifted their attention to a new, high-profile target: UK retailers. This marks a significant escalation in the threat landscape, where digital criminals are now turning their focus on disrupting major businesses. In a bizarre twist, these groups seem to have taken inspiration from The Blacklist, a hit TV show that gained popularity after its 2013 debut. The show, which became especially popular with younger audiences, might have unwittingly inspired the name choices of these cybercriminals, who now associate themselves with the notorious characters of Raymond “Red” Reddington and Dembe Zuma, despite having no actual connection to the producers or actors behind the series.

One of the latest victims, the Co-Op, has failed to meet the ransom demands set forth by the DragonForce ransomware group. This refusal has prompted the hackers to announce their intentions to leak the stolen data on the dark web. Worse still, they are reportedly prepared to sell this information to verified parties who are willing to pay for it. This move underscores a disturbing trend of increasing sophistication in cyberattacks, with ransomware gangs now using stolen data as a commodity on the black market.

Financial Fallout for Retailers and CEOs

The ripple effects of these cyberattacks are not limited to the technical side of operations but extend to the financial health of companies. Stuart Machin, CEO of Marks and Spencer, revealed the significant economic impact his company faced when it became embroiled in the latest wave of cybercrime. The retailer’s share prices plummeted by 15%, and as a consequence, Machin’s personal compensation is expected to take a substantial hit, with a projected £1.1 million reduction in his pay.

This serves as a stark reminder of how cyberattacks can create widespread financial repercussions, not just for the companies themselves but also for top executives who are often held accountable for the company’s performance.

NHS England Takes Preventive Measures Amid Rising Threats

As these threats loom larger, NHS England has been actively urging companies—particularly those in critical infrastructure sectors—to strengthen their cybersecurity defenses. Experts within the healthcare sector have warned that ransomware groups like DragonForce could strike not just once but multiple times, wreaking havoc on both public and private entities. To address this, NHS England has developed a new cybersecurity charter aimed at countering the growing ransomware threat. While the framework itself is not groundbreaking—many similar initiatives already exist globally—the NHS’s focus on collaboration and unified action across organizations is a step in the right direction.

Cybersecurity experts agree that it is no longer a matter of if an organization will be attacked, but when. The emphasis is shifting towards preparedness and resilience, ensuring that businesses can weather these attacks without losing critical data or facing prolonged operational disruptions.

The Co-Op’s Digital Disruption: A Misleading Report?

In a surprising twist, the Co-Op, which initially denied any impact from a cyberattack, has faced significant operational disruptions. Early reports suggested that a configuration error, rather than a cyberattack, had caused a shutdown of the retailer’s digital systems. However, this technical mishap had far-reaching consequences. It severely impacted the company’s supply chain and logistics functions, leading to widespread shortages in deliveries—a scenario that often mirrors the aftermath of a full-scale cyberattack. This confusion has only added to the complexity of the situation, with many questioning whether the incident was indeed a case of poor configuration or whether there was more to the story than meets the eye.

DragonForce: A Ransomware Group with a Unique Twist

To wrap things up, while the criminal activities of the DragonForce group are undeniably alarming, it’s worth noting that they have chosen to link their identity to the characters from The Blacklist. This strange connection has no bearing on the actual content of the show, nor any direct involvement with its creators. However, the group’s decision to associate itself with figures like Raymond Reddington and Dembe Zuma speaks to the growing trend of cybercriminals branding themselves in ways that make their attacks seem almost theatrical. It’s as if the cyber underworld is using popular culture references to cultivate an aura of mystique or even intimidation.

As ransomware attacks continue to evolve in both scale and sophistication, the cybersecurity community, businesses, and consumers alike must remain vigilant and proactive in safeguarding their digital infrastructures. The risk is real, and the stakes are higher than ever.

The post UK Cyber Crime takes a new turn towards TV show the Blacklist first appeared on Cybersecurity Insiders.

The post UK Cyber Crime takes a new turn towards TV show the Blacklist appeared first on Cybersecurity Insiders.

May 20, 2025 at 10:54AM

Read More

Ransomware’s Next Target: Strengthening Critical Infrastructure Against Emerging Cyber Threats

Ransomware increasingly targets critical infrastructure, threatening essential services and national security. Over 66% of critical infrastructure organizations in the US have faced attacks in the past 12 months, some experiencing over 100. As these attacks grow more frequent and sophisticated, organizations struggle to secure their networks. Legal and financial risks are rising, with 36% of victims paying ransoms, sometimes violating laws. There is an urgent need to adopt defense strategies to protect sectors like energy, transportation, and healthcare from major disruptions.

Unseen Vulnerabilities in Critical Infrastructure

Ransomware not only exploits known vulnerabilities but also broader gaps, such as poor configuration, outdated systems, and weak security monitoring. A common issue is neglecting basic security practices like the CIS (Center for Internet Security) benchmarks.

Many organizations implement these benchmarks but fail in ongoing management and real-time risk assessments. For instance, IT may approve changes without assessing the impact on security, lowering protection and leaving assets exposed. Many systems lack real-time monitoring, allowing ransomware to exploit unnoticed gaps.

Sector-Specific Weaknesses in Energy, Transportation, and Healthcare

The energy, transportation, and healthcare sectors are particularly vulnerable due to legacy systems and large networks of interconnected devices. Energy companies often rely on outdated industrial control systems (ICS), which are hard to patch without operational disruptions. Similarly, healthcare uses older software incompatible with modern security protocols, exposing them to attacks that can cause service outages or compromise patient data.

The financial toll is steep. The 2024 Cost of a Data Breach Report shows the average breach now costs USD 4.88 million, and disruptions in essential services amplify the impact.

The transportation sector also faces vulnerabilities, with its vast networks of vehicles, sensors, and communication systems offering numerous entry points. Without strong segmentation, breaches can spread across the entire network.

The Evolution of Ransomware Tactics

Ransomware has evolved from simple file-locking schemes to sophisticated, multi-faceted operations. Modern groups use techniques like phishing, privilege escalation, and lateral movement across networks to maximize damage. They’ve also shifted from targeting files to exploiting weaknesses in identity and access management (IAM) systems, using stolen credentials to disrupt operations.

AI and machine learning (ML) now enable attackers to automate attacks, identify vulnerabilities, and move laterally within networks much faster, making detection and containment harder and increasing the potential damage.

Proactive Defense Strategies

To combat sophisticated ransomware, organizations need proactive defense strategies that go beyond traditional cybersecurity. One approach is Zero Trust Architecture (ZTA), which assumes no one inside or outside the network can be trusted by default, requiring strict identity verification and continuous monitoring. This limits lateral movement, preventing full access even if part of the system is breached.

AI and ML-powered threat detection can spot suspicious activity in real-time, analyzing patterns and identifying anomalies to flag potential attacks. Deception techniques, where attackers are lured into fake environments, also help study strategies while minimizing risk.

Preparing for the Quantum Security Threat

While most organizations are focused on current ransomware tactics, an emerging threat looms on the horizon: quantum computing. The arrival of “Quantum Day” (Q-Day)—anticipated to arrive by 2030—will mark a seismic shift in cybersecurity. By Q-Day, quantum computers will be capable of decrypting today’s widely used encryption algorithms in a fraction of the time it currently takes. This could render much of the world’s existing cryptography obsolete overnight.

While this future may seem distant, attackers are already preparing for it. Sensitive data that is stolen today could be stored for future decryption, once quantum computers become more powerful. Critical infrastructure organizations cannot afford to ignore quantum security risks, even if they don’t yet face an immediate threat.

To safeguard against this, organizations need to transition to post-quantum cryptography, a set of algorithms designed to resist quantum-based attacks. The first step is for businesses to identify which of their assets are most vulnerable to quantum risks. This process, referred to as a crypto CMDB (Configuration Management Database), involves mapping out critical data and determining what kind of encryption is currently being used. Only then can organizations begin upgrading their encryption protocols to quantum-resistant standards.

Enhancing Cyber Resilience

Beyond defense, organizations must focus on cyber resilience—preparing for attacks while ensuring business continuity. This requires not only defense but also planning for operations during an attack. Regular risk assessments, penetration testing, and vulnerability management are key to a resilient cybersecurity framework.

Frequent testing of backup and recovery systems ensures they work during ransomware attacks. Network segmentation is crucial to stop ransomware from spreading. Isolating critical assets and monitoring network traffic can limit damage if an attack occurs.

The Importance of Collaboration and Innovation

The growing ransomware threat, along with quantum security challenges, highlights the need for stronger public-private collaboration. Governments, industries, and cybersecurity firms must unite to establish cybersecurity standards and create advanced defense solutions. Public-private partnerships can drive innovation, keeping organizations ahead as ransomware tactics evolve.

Strengthening critical infrastructure requires a multi-layered approach, combining proactive defense, cyber resilience, and quantum security preparation. Focusing on these areas will help organizations protect essential services and national security while staying ahead of attackers.

In conclusion, it is important to think security in every stage of design and implementation and be aware that this a cat and mouse game and hence, we need to be constantly vigilant and continuously modifying as new methods of attack get invented! 

The post Ransomware’s Next Target: Strengthening Critical Infrastructure Against Emerging Cyber Threats first appeared on Cybersecurity Insiders.

The post Ransomware’s Next Target: Strengthening Critical Infrastructure Against Emerging Cyber Threats appeared first on Cybersecurity Insiders.

May 20, 2025 at 07:16AM

Read More

Scam Messages and emails increase exponentially after M & S Cyber Attack

A recent cyberattack on Marks and Spencer (M&S) has raised significant concerns, revealing that hackers infiltrated the UK-based retailer’s systems almost a week before the breach was discovered. The attack, which was first detected a couple of weeks ago, exploited a vulnerability created by human error, compromising the personal data of nearly 9.4 million active customers.

Initial investigations suggest that while the hackers gained access to sensitive information, such as order histories, dates of birth, and some payment card details (excluding CVV numbers), they did not manage to steal complete payment card data. In fact, the retailer’s IT department clarified that only certain usable card information may have been exposed, but crucial security elements like CVVs remained protected.

CEO Stuart Machin reassured customers, explaining that although the breach might have disrupted online ordering, the hackers did not access full payment card details. He further emphasized that such data is not stored long-term on M&S servers, with archives holding payment information for a maximum of 24 hours. Machin expressed confidence that the company’s technical team would restore services by the end of the month.

The attack, attributed to the DragonForce ransomware gang, is having ripple effects beyond M&S’s digital operations. Many of the retailer’s physical stores across the UK are experiencing severe product shortages, as panic buying escalates among consumers. The gang behind the attack, believed to be affiliated with the Scattered Spider cybercriminal group, is demanding a ransom of $4 million. However, M&S has made it clear that it will not be entertaining these demands.

The impact of the breach has extended to customers, with some reporting an increase in spam calls and emails. These types of cyberattacks often result in data leaks that can fuel spam campaigns, as hackers may use the stolen information for targeted scams. Despite efforts by email providers and telecom companies to mitigate these issues, customers are urged to remain vigilant. They should avoid downloading any suspicious applications or software that could potentially carry malware.

As the situation unfolds, both M&S and its customers are left to contend with the aftermath of a costly and disruptive cyberattack.

The post Scam Messages and emails increase exponentially after M & S Cyber Attack first appeared on Cybersecurity Insiders.

The post Scam Messages and emails increase exponentially after M & S Cyber Attack appeared first on Cybersecurity Insiders.

May 19, 2025 at 10:37AM

Read More

Experts React: Coinbase Discloses Breach, Faces Up to $400 Million in Losses

Coinbase, one of the largest cryptocurrency exchanges, has disclosed a significant data breach that exposed sensitive customer information, including government-issued IDs. The attackers contacted Coinbase on May 11, demanding a $20 million ransom to prevent the public release of the stolen data.

The breach could result in losses of up to $400 million, depending on regulatory fines, legal actions, and customer compensation. Coinbase has launched an internal investigation and is cooperating with law enforcement. It has also notified affected customers and offered support.

The implications of the Coinbase breach are significant for crypto users and investors, spanning financial, regulatory, and trust-related concerns.

For crypto users, the risks are substantial. If government-issued IDs and personal data were stolen, users could face identity theft, phishing attacks, or SIM swapping. This could lead to unauthorized access to other financial accounts or crypto wallets. Users may lose confidence in Coinbase’s ability to protect their data, prompting them to move assets to other platforms or cold storage. Coinbase might implement stricter security protocols or temporarily limit certain services, affecting user experience. Affected users might be eligible for compensation or become part of class-action lawsuits.

For investors, the breach could lead to stock price volatility. Publicly traded companies like Coinbase (COIN) often see sharp stock price drops after breaches due to shaken investor confidence. The breach could trigger investigations by the SEC or other regulators, potentially leading to fines or new compliance requirements. Coinbase will likely need to invest heavily in cybersecurity upgrades, legal defense, and customer support. Long-term brand damage could reduce user acquisition and retention, impacting revenue growth.

David Stuart, Cybersecurity Evangelist at Sentra, commented on the breach, saying, “The Coinbase breach highlights the growing challenge of protecting sensitive customer data in highly interconnected digital ecosystems. Financial platforms, in particular, carry an outsized responsibility to safeguard personal and financial information against increasingly sophisticated threats. Full visibility into where sensitive data resides, how it moves, and who can access it is essential, especially as data spans cloud, SaaS, and third-party environments. Without continuous monitoring, access governance, and proactive risk management, even well-defended systems can become vulnerable. Organizations must prioritize a data-first security model that ensures sensitive information remains protected at every layer, beyond just perimeter defenses.”

Clyde Williamson, Senior Product Security Architect at Protegrity, added, “Coinbase says the affected customer base impacted in this attack is less than 1% of its 9.7 million customers to minimize the impact. That’s still around 1 million people whose sensitive information has been compromised, and the financial damage to Coinbase itself isn’t small. Malicious actors can do significant damage with your name and contact information; imagine what they’ll do with masked bank information and Social Security numbers. This attack was only possible because contractors and support personnel were allowed access to this information. This was an entirely avoidable situation on Coinbase’s part, and now they’re expecting the customers who trusted the organization with their highly sensitive information to perform damage control. It’s great that Coinbase was legally required to disclose this attack quickly, but those customers will be haunted by this breach. Disclosure without real action is data security’s ‘thoughts and prayers.’ Consumers deserve better than to live in constant fear of their data.”

The breach underscores the critical need for robust cybersecurity measures to protect sensitive customer information..

 

The post Experts React: Coinbase Discloses Breach, Faces Up to $400 Million in Losses first appeared on Cybersecurity Insiders.

The post Experts React: Coinbase Discloses Breach, Faces Up to $400 Million in Losses appeared first on Cybersecurity Insiders.

May 19, 2025 at 09:46AM

Read More

Mitigating Insider Threats and Zombie Accounts Amid Workforce and Contract Changes

The recent Twitter data leak, which exposed the personal information of 2.8 billion users, serves as a stark reminder of the vulnerabilities organizations face when disgruntled employees or contractors retain access to sensitive systems. This incident, suspected to be an insider job, underscores the critical importance of managing security and business risks potentially arising amidst workforce volatility. It is an especially important issue nowadays, as companies navigate massive layoffs and contract terminations.

When employees, contractors, or vendors leave an organization, their access to team services and applications must be promptly revoked. Failure to do so can leave “zombie” accounts — dormant accounts that remain active and act as security vulnerabilities. CISOs must always operate with a risk-aware mindset, assuming worst-case scenarios could happen and building policies, technologies, and processes to mitigate those risks.

Insider Threats from Disgruntled Employees

Disgruntled former employees can pose serious insider threats, including cybervandalism or selling their credentials to hackers. These risks extend beyond cybersecurity breaches to compliance liabilities under regulations such as SOX, GDPR, or HIPAA.

A notable example occurred in 2023 when two former Tesla employees leaked the personal data of tens of thousands of current and former employees to a German newspaper. Additionally, there is growing concern about disgruntled workforce potentially deploying AI agents or RPA bots within financially significant ERP systems to exfiltrate data or revenue to offshore bank accounts after their access is removed.

The Prevalence and Risks of Zombie Accounts

Moreover, dormant “zombie” accounts left enabled after termination are a common one attack vector for cyber criminals. Attackers may use brute-force attacks to guess passwords, hoping to find accounts lacking Multi-Factor Authentication (MFA), so that they can gain unauthorized access and start moving laterally within an organization’s systems. If successful, it is harder to detect attackers compromising accounts of former employees than existing ones.

The Verizon Data Breach Investigations Report 2024 highlights that the use of stolen credentials has appeared in almost one-third (31%) of all breaches over the past decade. For instance, last year, a hacker gained access to internal company tools using stolen credentials from a former employee at Tile, a leading Bluetooth location-tracking device vendor, breaching multiple systems and stealing sensitive data – a stark example of the severe consequences of delayed incident response in the case of a stale account compromise.

Identity Hygiene Measures

Proper identification of all human identities with access to an organization’s services and applications is crucial for assessing risk posture. This involves maintaining an inventory of applications, ideally sorted by risk to the organization, to facilitate the termination of access to these assets. These practices align with the NIST Cybersecurity Framework (CSF) 2.0’s “Identify” core function, which emphasizes the importance of understanding and managing cybersecurity risks.

Even with the above controls in place, organizations might still face increased security risks when offboarding a high volume of employees. As employees’ roles change throughout their careers, their access permissions might not be updated properly — especially for those who were granted elevated or emergency access that may not have been documented — increasing the risk of oversight during de-provisioning.

Best practice dictates that application account logins for terminated workforce members should be disabled in coordination with HR notifying the individual, and no later than 24 hours after notice. However, in modern enterprises where dozens—if not hundreds—of applications are in use, each potentially requiring separate credentials or permissions, oversights are not uncommon, exposing the organization to security risks. This risk is particularly high in companies lacking modern identity security and access governance automation.

Without automation, IT teams must manually revoke every access permission tied to each application, increasing the chance of human error, which might take weeks. With an automated identity governance solution, deprovisioning can be triggered by changes in an employee’s HR status. This ensures immediate and complete revocation of access, minimizing human error and reducing the deprovisioning time from weeks to just a couple of days—or even instantly.

Overall, identity hygiene best practices involve several stages on the path to mature identity governance. This starts with clear policies on how users are granted and maintain access to systems, progresses to basic automation for provisioning and access reviews, and culminates in application governance automation. The latter advanced approach enables automated provisioning by continuously monitoring the risk associated with access—both when it’s initially granted and during periodic reviews—and restricting it further through the use of emergency access management controls. With such an approach in place, massively offboarding people would become just another routine task for an organization.

 

The post Mitigating Insider Threats and Zombie Accounts Amid Workforce and Contract Changes first appeared on Cybersecurity Insiders.

The post Mitigating Insider Threats and Zombie Accounts Amid Workforce and Contract Changes appeared first on Cybersecurity Insiders.

May 19, 2025 at 08:21AM

Read More