According to a statement from Malwarebytes, the hackers breached the company's internal systems by way of a dormant email protection product within its Office 365 tenant, which allowed access to a limited subset of internal company emails.
“The Malwarebytes incident highlights that malicious actors are determined and will exploit any weakness in the system they can find – from out-of-use applications to the CEO’s email account. In this case, they gained access through a dormant email protection product,” says expert Shimrit Tzur-David, CSO and co-founder of Secret Double Octopus, a provider of passwordless authentication.
Poor authentication poses a huge risk to network security that can lead to enormous consequences, Tzur-David notes. “After all, over 80% of data breaches stem from compromised credentials. However, no amount of complex password policies can ever get rid of the biggest weakness enterprises face: the human factor. Of course, humans are not computers, and remembering long strings of complex passwords is difficult. As a result, many people reuse or employ weak passwords – a fact that hackers know and exploit to their advantage.”
Simply getting rid of passwords is not easy, but doing so would stop hackers earlier in their tracks and lower the risk of being a target.
Enforcing better policies, such as educating employees and implementing an MFA solution, is crucial.