Message from Impact Team

The Ashley Madison (AM) data breach, and the subsequent publication of email addresses and hashed passwords, should worry more than a few IT managers, attorneys, and CxOs. People often reuse the same password across a number of websites and services. That means an AM user who signed up for his (let's not kid ourselves) account with a work email address may also have used his work password there. In our opinion, this is a risk that needs to be addressed.

We won't get into the ethics or individual perspectives on "what type of person an AM user is". What we will do is describe how you can address the risk of someone in your firm having used a work email address for AM, or for any other breached site.

This exercise is valid for any data breach where the information from the breach has been shared online. It is not limited to the AM breach.

First, we need to review the list of email addresses in the breach and look for your corporate domains. You can do this using one of the Google-able sites that let you check by email address, or by downloading the dump yourself. If you choose the latter, you'll need some database or scripting tools to manage the process: the dump is large, addresses appear in inconsistent capitalization, and you will want to match on your domains (including subdomains) rather than on a hand-typed list of names.

Next, let's say you identify one of your corporate email addresses, [email protected], belonging to John Doe. You can create a new email address for John, migrate his old mail to the new mailbox, and then remove the old address, so that anyone working from the dump no longer has a valid target for phishing or credential-stuffing attempts.

Next, let John know that his email account may have been compromised and give him the new credentials. Of course, you make sure he chooses a new, strong password, and since the real risk is password reuse, it must not be one he has used anywhere else. There is no need to tell John how the exposure was discovered; it is simply true that his account may have been compromised.

Mission complete. Whether to pursue any employee morality clause is now a separate question for you and your HR and legal teams.

If you are interested in learning more about the latest attempts at cracking the leaked password hashes, you might want to have a look at this article: trying to decrypt the passwords.
