August 13, 2012, 12:55 PM
You can read about Zappos' CEO Tony Hsieh on the company's Web site: how he sold his first company, LinkExchange, to Microsoft in 1999 at the age of 24, and joined Zappos as an advisor and investor, eventually rising to the company's top post. What you might not learn is that Tony is an exercise enthusiast who gets his gear from Nikeplus.com, watches his favorite shows on the Internet streaming site Hulu, keeps up with his friends on Facebook and checks the value of his Amazon.com stock (Amazon bought Zappos in 2009) at Marketwatch.com. That lesser-known information about Hsieh, a treasure trove for hackers, is public all the same: leaked from e-commerce and social networking sites linked to the CEO's @zappos.com e-mail address.
Hsieh is hardly alone. A newly released analysis by security researcher Cesar Cerrudo found that executives like Hsieh, including many at Fortune 500 firms, frequently use their business e-mail addresses to register with a wide range of prominent Web sites. The practice, while not a security breach in itself, leaves a potentially damaging trail of clues for sophisticated hackers and cybercriminals intent on gaining access to the executives' computers and corporate accounts.
Cerrudo, the Chief Technology Officer of security firm IOActive Labs, scanned 30 prominent Web sites, uncovering 840 unique e-mail addresses of C-level corporate executives linked to 930 online accounts. They include 42 Facebook accounts linked to e-mail accounts for executives of firms such as oil giant Chevron, blue-chip firm GE and financial services firms Chase.com and Morgan Stanley. Robert Iger, the CEO of Disney, uses his corporate e-mail to log in and watch movies on Netflix. Denise Morrison of Campbell's Soup used hers to connect with friends on Facebook and make travel plans with United Airlines. Despite their deep rivalry, Steve Ballmer of Microsoft and Tim Cook of Apple both have accounts at the cloud-based file sharing service Dropbox.com linked to their corporate e-mail addresses, Cerrudo's data suggests.
[ Check out Cesar Cerrudo's Black Hat presentation, "The leaky web: Owning your favorite CEOs" ]
IOActive Security scanned 30 prominent Web sites, uncovering 840 unique e-mail addresses of C-level executives linked to 930 online accounts. Here is the breakdown by site category and linked accounts.

| Site category | Linked online accounts | Prominent sites scanned included |
|---|---|---|
| News | 241 | WSJ, Washington Post, Gartner, Economist, NYT, MarketWatch, Bloomberg |
| Social networks | 250 | Facebook, MySpace, LinkedIn, Naymz, Plaxo, Twitter |
| Entertainment | 43 | Hulu, Netflix, Sony |
| Airlines & Travel | 52 | ua2go, Orbitz |
| Hotels | 43 | Accor Hotels, Starwood Hotels |
| Sports Gear | 38 | NikePlus, Garmin |
For his survey, Cerrudo chose C-level executives from Fortune 500 companies and other prominent firms. He used an automated crawler to check the Web sites for accounts linked to the executives' e-mail addresses. Active accounts at the sites could be "silently enumerated," Cerrudo found: their existence was leaked in the site's response to an automated login attempt or through its password recovery feature, because the site answered differently for a registered address than for an unknown one.
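The enumeration described above comes down to one design flaw: a login or password-recovery handler that answers differently depending on whether the address is registered. The following is an added illustration written for this article, not Cerrudo's crawler or any of the scanned sites' code. It puts a leaky handler beside a hardened one that returns the same response and does the same amount of password-hashing work either way, adds a check a site owner can run against a handler to see whether it leaks, and flags sources in a constructed request log that probe many distinct addresses. The user store, addresses, passwords and log lines are all placeholders constructed for the example.

```python
import hashlib
import hmac
import secrets
from collections import defaultdict

# Constructed in-memory user store with placeholder addresses (not real accounts).
# Passwords are kept only as salted PBKDF2 hashes; a fixed salt is used for brevity,
# a real system would store a per-user random salt.
_SALT = b"demo-salt-0001"


def _hash_password(password: str, salt: bytes = _SALT) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


USERS = {
    "ceo@example-corp.test": _hash_password("correct horse battery"),
    "cfo@example-corp.test": _hash_password("another passphrase"),
}

# Hash of a random throwaway secret, verified for unknown addresses so the hardened
# login performs identical work (and takes about the same time) whether or not the
# address exists.
_DUMMY_HASH = _hash_password(secrets.token_hex(16))


def leaky_login(email: str, password: str) -> dict:
    """Flawed handler: a distinct message for unknown addresses reveals account existence."""
    if email not in USERS:
        return {"ok": False, "message": "No account with that e-mail address."}
    if not hmac.compare_digest(USERS[email], _hash_password(password)):
        return {"ok": False, "message": "Incorrect password."}
    return {"ok": True, "message": "Welcome."}


def hardened_login(email: str, password: str) -> dict:
    """Hardened handler: one failure message, constant-time compare, same work on every path."""
    stored = USERS.get(email, _DUMMY_HASH)
    match = hmac.compare_digest(stored, _hash_password(password))
    if match and email in USERS:
        return {"ok": True, "message": "Welcome."}
    return {"ok": False, "message": "Invalid e-mail address or password."}


def leaky_recovery(email: str) -> dict:
    """Flawed recovery handler: confirms or denies that the address is registered."""
    if email in USERS:
        return {"message": "A reset link has been sent to your e-mail."}
    return {"message": "No account exists for that e-mail address."}


def hardened_recovery(email: str, send=lambda addr, token: None) -> dict:
    """Hardened recovery handler: identical response either way; the reset link
    (if any) travels out of band to the mailbox owner, not to the requester."""
    if email in USERS:
        send(email, secrets.token_urlsafe(32))
    return {"message": "If an account exists for that address, a reset link has been sent."}


def leaks_account_existence(handler, known_email: str, unknown_email: str, *args) -> bool:
    """Site-owner check: a handler leaks if its response differs between a registered
    and an unregistered address given otherwise identical input."""
    return handler(known_email, *args) != handler(unknown_email, *args)


# Constructed request log as (client_ip, endpoint, submitted_email) tuples. One source
# tries many distinct addresses against the recovery endpoint, the pattern an
# automated enumeration crawler leaves behind.
CONSTRUCTED_LOG = [
    ("198.51.100.2", "/login", "cfo@example-corp.test"),
    ("203.0.113.7", "/recover", "ceo@example-corp.test"),
    ("203.0.113.7", "/recover", "cfo@example-corp.test"),
    ("203.0.113.7", "/recover", "coo@example-corp.test"),
    ("203.0.113.7", "/recover", "cio@example-corp.test"),
    ("203.0.113.7", "/recover", "ciso@example-corp.test"),
    ("203.0.113.7", "/login", "chair@example-corp.test"),
    ("198.51.100.2", "/recover", "cfo@example-corp.test"),
]


def flag_enumeration_sources(events, threshold: int = 5) -> list:
    """Detection: return client IPs that probed at least `threshold` distinct addresses
    against the login or recovery endpoints. Threshold is an assumption to tune per site."""
    probed = defaultdict(set)
    for client_ip, endpoint, email in events:
        if endpoint in ("/login", "/recover"):
            probed[client_ip].add(email.lower())
    return sorted(ip for ip, emails in probed.items() if len(emails) >= threshold)


if __name__ == "__main__":
    known, unknown = "ceo@example-corp.test", "nobody@example-corp.test"
    print("leaky_login leaks:", leaks_account_existence(leaky_login, known, unknown, "wrong"))
    print("hardened_login leaks:", leaks_account_existence(hardened_login, known, unknown, "wrong"))
    print("leaky_recovery leaks:", leaks_account_existence(leaky_recovery, known, unknown))
    print("hardened_recovery leaks:", leaks_account_existence(hardened_recovery, known, unknown))
    print("flagged sources:", flag_enumeration_sources(CONSTRUCTED_LOG))
```

The uniform message alone is not enough: if the unknown-address path skips the password hash, response time still distinguishes the two cases, which is why `hardened_login` verifies against a dummy hash on the miss path. Rate limiting and the per-source distinct-address count are complementary; the first slows a crawler, the second makes it visible in logs.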
Some of the online watering holes he checked were, predictably, popular with the boardroom set. They include the Web sites of The Wall Street Journal, Bloomberg News, MarketWatch.com and The New York Times. Accounts at Web sites for hotels and airlines such as United and Starwood Hotels were frequently linked to the addresses of travel-heavy senior executives as well.