Security researcher Jelle Ursem recently discovered a serious data exposure at Comodo, a cybersecurity company that sells endpoint detection and response products.
Although no customer certificate private keys were exposed, confidential sales documents, Comodo employee data (names, contact details, photos, and personal calendars), and customer contracts were publicly accessible.
Comodo reached its Microsoft cloud services through a single account whose username and password were shared among multiple employees. That account also had no multi-factor authentication, so anyone holding the credentials, whether an employee or an attacker, could retrieve Comodo’s confidential internal documents without any further proof of identity.
A Comodo software developer with access to the shared account inadvertently committed those credentials to a public GitHub repository, where anyone who found them could use them.
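The cheapest place to stop this failure is before the push: a pre-commit hook that scans the staged additions for credential shapes and refuses the commit. The following is an added example, not Comodo’s or GitHub’s tooling; the rules are illustrative (the "AKIA" prefix is the documented form of an AWS access key ID, the rest are generic), and SAMPLE_DIFF is a constructed diff that mimics a config file carrying a shared cloud-admin password.

```python
"""Pre-commit secret scanner: refuse a commit whose staged additions look like
credentials. Added example, not Comodo's or GitHub's tooling; the rules are
illustrative and SAMPLE_DIFF is constructed."""
import math
import re
import subprocess
import sys
from collections import Counter

# Credential shapes to refuse. The "AKIA" prefix is the documented form of an
# AWS access key ID; the other two rules are generic.
PATTERNS = {
    "aws_access_key_id": re.compile(r"\bAKIA[0-9A-Z]{16}\b"),
    "private_key_block": re.compile(r"-----BEGIN (?:RSA |EC |OPENSSH )?PRIVATE KEY-----"),
    "password_assignment": re.compile(
        r"(?i)(?:password|passwd|pwd|client_secret|api[_-]?key)\s*[:=]\s*['\"]?([^'\"\s]{8,})"),
}
TOKEN_RE = re.compile(r"[A-Za-z0-9+/=_\-]{20,}")   # candidates for the entropy check


def shannon_entropy(s: str) -> float:
    """Bits per character: random tokens score high, English words score low."""
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in Counter(s).values())


def scan_lines(lines, entropy_threshold=4.0):
    """Return (index, rule, matched_text) for every suspicious added line."""
    findings = []
    for idx, line in enumerate(lines, 1):
        for rule, pat in PATTERNS.items():
            m = pat.search(line)
            if m:
                findings.append((idx, rule, m.group(m.lastindex or 0)))
                break
        else:
            # No named rule hit: flag a long high-entropy token on the right-hand
            # side of an assignment, which catches tokens of unknown shape.
            for tok in TOKEN_RE.findall(line):
                if "=" in line[:line.find(tok)] and shannon_entropy(tok) >= entropy_threshold:
                    findings.append((idx, "high_entropy_token", tok))
                    break
    return findings


def added_lines_from_diff(diff_text):
    """Keep the '+' lines of a unified diff, dropping the '+++' file header."""
    return [l[1:] for l in diff_text.splitlines()
            if l.startswith("+") and not l.startswith("+++")]


# Constructed staged diff: a config file with a shared cloud-admin password and
# other secrets about to be pushed to a public repository.
SAMPLE_DIFF = """\
diff --git a/config.py b/config.py
--- a/config.py
+++ b/config.py
@@ -0,0 +1,6 @@
+TENANT = "contoso.onmicrosoft.com"
+ADMIN_USER = "shared-admin@contoso.onmicrosoft.com"
+ADMIN_PASSWORD = "Summer2019!Shared"
+AWS_KEY = "AKIAIOSFODNN7EXAMPLE"
+TOKEN = "dGhpcyBpcyBub3QgYSByZWFsIHRva2VuIGF0IGFsbA"
+MAX_RETRIES = 3
"""


def main():
    """Hook entry point: scan what is staged and block the commit on any hit."""
    diff = subprocess.run(["git", "diff", "--cached", "--unified=0"],
                          capture_output=True, text=True, check=True).stdout
    findings = scan_lines(added_lines_from_diff(diff))
    for idx, rule, text in findings:
        print(f"refusing commit: added line {idx} matches {rule} ({text[:4]}...)",
              file=sys.stderr)
    return 1 if findings else 0


if __name__ == "__main__":
    sys.exit(main())
```

Installed as `.git/hooks/pre-commit`, the script exits non-zero and prints only a prefix of each match, so the secret is not echoed into the terminal log. Run against SAMPLE_DIFF it flags the password, the AWS key, and the high-entropy token, and lets the tenant name, the username, and the integer through. A hook on the developer’s machine is a safety net, not a control: the same scan should also run server-side on every push.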
Why Share an Account in the First Place?
Creating and maintaining a separate account for every employee who needs a company’s shared resources costs money and administrative time. Putting the resources behind one shared account is the quick and easy, but unsafe, alternative.
Despite their convenience, shared accounts pose an immense security risk. Authentication rests on a secret known only to the claimed identity, and a password known to a large group of employees is no longer a secret. In a large enough group, at least one person will almost inevitably fall victim to phishing, social engineering, a man-in-the-middle attack, or a similar common technique, and one compromised copy of the password compromises the account for everyone. Nor can the spread of a shared credential be monitored: there is no way to know how many current and former employees, family members, or friends hold it, and no way to revoke it for one person without rotating it for all.
Shared accounts also lack accountability. The system sees every employee who logs in as the same user, so use (and abuse) of the account’s resources cannot be definitively traced to an individual.
Multi-factor authentication (MFA) is the current standard in identity and access management. It relies on a second factor, often an out-of-band (OOB) channel such as a phone or authenticator app, that is tied to a single person, and that binding is exactly what makes MFA awkward to apply to an account many people use.
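The lack of monitoring and accountability described above is also what makes shared accounts findable in sign-in telemetry: one identity appearing from several devices and addresses in quick succession, with no MFA, is the signature. The script below is an added example, not Microsoft or Comodo tooling; SAMPLE_LOG is a constructed set of sign-in events (one JSON object per line, with hypothetical field names `user`, `ts`, `ip`, `ua`, `mfa`), and the thresholds are illustrative.

```python
"""Spot accounts that behave like shared logins in sign-in telemetry.
Added example: the detection logic is illustrative and SAMPLE_LOG is a
constructed set of sign-in events, not real Microsoft or Comodo data."""
import json
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sign-in events: one shared admin identity used from three devices
# within half an hour, one normal user with MFA, one user without MFA.
SAMPLE_LOG = """\
{"user": "shared-admin@contoso.example", "ts": "2019-07-01T08:02:10Z", "ip": "203.0.113.5", "ua": "Outlook/16.0 Windows", "mfa": false}
{"user": "shared-admin@contoso.example", "ts": "2019-07-01T08:05:44Z", "ip": "198.51.100.22", "ua": "Safari macOS", "mfa": false}
{"user": "shared-admin@contoso.example", "ts": "2019-07-01T08:31:09Z", "ip": "192.0.2.77", "ua": "python-requests/2.22", "mfa": false}
{"user": "shared-admin@contoso.example", "ts": "2019-07-01T13:15:00Z", "ip": "203.0.113.5", "ua": "Outlook/16.0 Windows", "mfa": false}
{"user": "alice@contoso.example", "ts": "2019-07-01T08:00:01Z", "ip": "203.0.113.5", "ua": "Outlook/16.0 Windows", "mfa": true}
{"user": "alice@contoso.example", "ts": "2019-07-01T17:20:30Z", "ip": "203.0.113.5", "ua": "Outlook/16.0 Windows", "mfa": true}
{"user": "bob@contoso.example", "ts": "2019-07-01T09:10:00Z", "ip": "198.51.100.9", "ua": "Chrome Windows", "mfa": false}
"""


def parse_signins(log_text):
    """Parse JSON-lines sign-in events and sort them by timestamp."""
    events = [json.loads(line) for line in log_text.splitlines() if line.strip()]
    for e in events:
        e["ts"] = datetime.strptime(e["ts"], "%Y-%m-%dT%H:%M:%SZ")
    return sorted(events, key=lambda e: e["ts"])


def device(event):
    """A source address plus user agent is the closest thing to a device here."""
    return (event["ip"], event["ua"])


def shared_account_report(events, window=timedelta(hours=1), min_devices=3):
    """Per account, count distinct devices, pairs of sign-ins from different
    devices inside `window` of each other, and sign-ins without MFA. An
    account is reported when any of the three trips."""
    by_user = defaultdict(list)
    for e in events:
        by_user[e["user"]].append(e)      # events arrive time-ordered

    report = {}
    for user, evs in by_user.items():
        devices = {device(e) for e in evs}
        overlapping = 0
        for i, a in enumerate(evs):
            for b in evs[i + 1:]:
                if b["ts"] - a["ts"] > window:
                    break                 # later events are further away still
                if device(a) != device(b):
                    overlapping += 1
        no_mfa = sum(1 for e in evs if not e["mfa"])
        if len(devices) >= min_devices or overlapping or no_mfa:
            report[user] = {"devices": len(devices),
                            "overlapping_pairs": overlapping,
                            "no_mfa_signins": no_mfa}
    return report


if __name__ == "__main__":
    for user, facts in shared_account_report(parse_signins(SAMPLE_LOG)).items():
        print(user, facts)
```

On the constructed log the shared admin identity is reported with three devices, three overlapping sign-in pairs, and four sign-ins without MFA; bob is reported only for the missing MFA; alice, one device with MFA throughout, is not reported. Real tenant sign-in logs carry richer fields (device identifiers, locations, conditional-access results), and those replace the IP and user-agent proxy used here.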
Comodo is not unique — many enterprises use shared accounts. What can companies do to improve their security?
The Solution to Shared Accounts
Privileged Access Management (PAM) solutions keep shared credentials in a vault that only authenticated, individually identified employee accounts can reach. An employee checks the credential out, uses it, and on check-in the vault rotates it, so the next employee receives a different value and every use is attributed to a named person. PAM solves the shared-account problem, but the products are expensive to deploy, costing about $80 to $300 per machine.
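The check-out, attribute, rotate cycle that PAM products implement is simple enough to show in full. The following is an added example of that pattern, not any vendor’s product and not Comodo’s setup: `Vault` holds the shared credential, a named employee must authenticate to check it out, every action is logged against that employee, and check-in rotates the credential. `rotate_hook` is a hypothetical stand-in for the real password-change call against the target system, and the names and passwords in `demo()` are made up.

```python
"""Toy privileged-account vault showing the PAM check-out/rotate pattern.
Added example, not any vendor's product; rotate_hook stands in for the real
password-change call against the target system, and demo() uses made-up
names and passwords."""
import hashlib
import hmac
import secrets
from datetime import datetime, timezone


class AccessDenied(Exception):
    pass


def _kdf(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


class Vault:
    def __init__(self, rotate_hook):
        self._rotate_hook = rotate_hook   # callable(account, new_credential)
        self._users = {}                  # employee -> (salt, kdf digest)
        self._creds = {}                  # account -> current credential
        self._holder = {}                 # account -> employee who has it out
        self.audit = []                   # (utc time, employee, account, action, detail)

    def add_user(self, employee, password):
        salt = secrets.token_bytes(16)
        self._users[employee] = (salt, _kdf(password, salt))

    def store(self, account, credential):
        self._creds[account] = credential

    def _authenticate(self, employee, password):
        rec = self._users.get(employee)
        if rec is None:
            _kdf(password, bytes(16))     # same cost for unknown names
            return False
        salt, digest = rec
        return hmac.compare_digest(_kdf(password, salt), digest)

    def _log(self, employee, account, action, detail=""):
        self.audit.append((datetime.now(timezone.utc).isoformat(),
                           employee, account, action, detail))

    def checkout(self, employee, password, account):
        """Hand the shared credential to one authenticated person at a time."""
        if not self._authenticate(employee, password):
            self._log(employee, account, "DENIED", "authentication failed")
            raise AccessDenied("authentication failed")
        if account not in self._creds:
            raise KeyError(account)
        holder = self._holder.get(account)
        if holder is not None:
            self._log(employee, account, "DENIED", f"checked out by {holder}")
            raise AccessDenied(f"{account} is checked out by {holder}")
        self._holder[account] = employee
        self._log(employee, account, "CHECKOUT")
        return self._creds[account]

    def checkin(self, employee, account):
        """Return the credential and rotate it; the value that left is now dead."""
        if self._holder.get(account) != employee:
            raise AccessDenied(f"{employee} does not hold {account}")
        new_credential = secrets.token_urlsafe(24)
        self._rotate_hook(account, new_credential)   # change it on the target first
        self._creds[account] = new_credential
        del self._holder[account]
        self._log(employee, account, "CHECKIN+ROTATE")


def demo():
    """Alice checks the shared admin credential out, Bob is refused while she
    holds it, and check-in rotates it on the simulated target system."""
    target = {"m365-shared-admin": "Summer2019!Shared"}   # stand-in for the cloud tenant
    vault = Vault(rotate_hook=lambda acct, pw: target.__setitem__(acct, pw))
    vault.add_user("alice", "correct horse battery staple")
    vault.add_user("bob", "hunter2hunter2hunter2")
    vault.store("m365-shared-admin", target["m365-shared-admin"])

    issued = vault.checkout("alice", "correct horse battery staple", "m365-shared-admin")
    try:
        vault.checkout("bob", "hunter2hunter2hunter2", "m365-shared-admin")
        bob_blocked = False
    except AccessDenied:
        bob_blocked = True
    vault.checkin("alice", "m365-shared-admin")
    return {"issued": issued,
            "bob_blocked": bob_blocked,
            "rotated": target["m365-shared-admin"] != issued,
            "actions": [entry[3] for entry in vault.audit]}
```

Two details matter in a real deployment and are modelled here: the rotation is applied to the target system before the vault records the new value, so a failed rotation leaves the vault and the target consistent, and the audit entry is written against the employee’s own identity, which is what restores the accountability a shared login destroys. Replacing the stand-in hook with a real password-reset call against the target service is the only change needed for this to become a working tool.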
Learning From Comodo’s Mistake
Comodo describes itself as a “global leader in cybersecurity solutions,” yet this incident reflects basic carelessness: a shared password, no MFA, and a credential committed to a public repository. To protect their customers, businesses, and above all security vendors like Comodo, need to approach their own security more thoughtfully. Hopefully Comodo will learn from its mistakes and lead by example as we move to a world increasingly reliant on secure data and safe Internet use.