Hackers sold a United Nations employee’s stolen username and password on the dark web for $1000 to grant access to vital information about government and humanitarian work, according to reports.
Hackers were harvesting the valuable information from April to August this year.
Mike Newman, chief executive at My1Login, says, “This cyber attack on the United Nations demonstrates how valuable stolen credentials are to criminals, granting them access to important, and often confidential, information.
“In this case, a single employee’s stolen password and username allowed criminals to harvest valuable information from the UN for over five months,” he says
“This should serve as a stark warning to all organisations – passwords remain a key entry point for criminals conducting cyber attacks,” says Newman.
“To reduce the risk passwords pose, organisations need to move to passwordless authentication – the solution that reduces the need for vast amounts of passwords in the first place, while also taking the weight of responsibility away from employees and placing organisations back in control of their security,” he says.
“If passwords aren’t known, they can’t be stolen. Moving towards passwordless will reduce the number of entry points for criminals and increase organisations’ resistance to cyber attacks.”
It is believed that a hacker entered the system by using a stolen username and password for the organisation’s project management software, Umoja, which may have been purchased on the dark web.
Steve Forbes, government cyber security expert at Nominet says the compromise of data from the United Nations is concerning not just because of the potential that it could be used to conduct future cyber attacks, but also because it highlights the continued blind spot organisations can have when using third-party software.
“The fact that attackers were able to break into a software solution using stolen United Nations credentials emphasises the importance of getting cyber hygiene right at the highest level,” he says.
“Organisations need to have a complete and comprehensive overview of the third-party software they use and that their security configurations are up to the same level as on their own internal systems,” he says.
“Identity Access Management should stretch across their whole estate and not just their own networks, but also across all their third-party SaaS software so that they can have confidence that any data stored in those applications is safe and secure,” Forbes says.
“They should also regularly evaluate the types of data thats stored in these applications and the risk of it being compromised.”