Artificial IntelligenceCryptocurrencyMetaverseCybersecurityTech Forward

Why Employees Really Shouldn’t Use Their Work Emails for Dating Sites

September 21, 2016, 2:00 PM UTC
Homepage of Ashley Madison website displayed on iPad, in photo illustration taken in Ottawa
The homepage of the Ashley Madison website is displayed on an iPad, in this photo illustration taken in Ottawa, Canada July 21, 2015. Canada's prim capital is suddenly focused more on the state of people's affairs than the affairs of the state. One in five Ottawa residents allegedly subscribed to adulterers' website Ashley Madison, making one of the world's coldest capitals among the hottest for extra-marital hookups - and the most vulnerable to a breach of privacy after hackers targeted the site. REUTERS/Chris Wattie - RTX1L9H3
Photograph by Chris Wattie — Reuters

Credentials for employees at almost all the largest organizations in the world were leaked in major data breaches, according to research by the British cybersecurity firm Digital Shadows.

To be clear, this isn’t about new breaches but rather about the big ones we already know about—those at Adobe (ADBE), LinkedIn (LNKD), MySpace, Ashley Madison, Mate1, and so on.

According to Digital Shadows, around five million of the email addresses and passwords stolen and leaked in those breaches came from work accounts associated with the 1,000 largest organizations. In total, 97% of those companies were affected.

Get Data Sheet, Fortune’s technology newsletter.

“It’s perhaps of little surprise that the breaches impacting the global 1,000 companies the most were LinkedIn and Adobe—both services that employees can be expected to sign up to such services with their work accounts,” said Michael Marriott, a research analyst at Digital Shadows, in a blog post on Wednesday. “However, there were also less expected sources.”



In the case of Ashley Madison, a well-known adultery platform, 200,000 of the leaked credentials apparently involved corporate email accounts. Work emails were also used for Mate1 and other dating sites.

Marriott tells Fortune that it was difficult to assess how many of the leaked passwords would have also worked on their associated corporate accounts as Digital Shadows does not have access to companies’ internal systems and many of the passwords were encrypted. However, it seemed likely that many passwords were re-used between corporate and third-party accounts where people used the same email addresses.

“Within the data you can see, in some incidences, password hints—sometimes ‘the usual’,” Marriott says.

Digital Shadows tries to help its corporate clients make better security decisions, which includes figuring out when to force employees to reset their passwords on their internal systems. Major data breaches can provide a good reason for such a move.

For its new research—which obviously helps tout it for business—the security firm looked at data from over 30,000 breaches that took place over the last couple years that subsequently surfaced online.

It cross-referenced that leaked information with around 20,000 domains belonging to the world’s 1,000 biggest companies and, after discounting duplicates, it arrived at the figure of five million credentials associated with work accounts.

For more on breaches, watch: [fortune-brightcove videoid=4405846301001]

According to Marriott, the most-affected companies tended to be in the U.S., U.K., mainland Europe, and Canada. Companies in the tech, financial services, healthcare, and entertainment industries were particularly affected.

Marriott notes that there wasn’t just a threat here from employees sharing the same password across internal and third-party services, but also from the nature of some of those third-party services. For example, information stolen in the Ashley Madison or Mate1 breaches could make it easier to build a profile of the user.

This could then prove useful when targeting the user in a “spear-phishing attack,” wherein the attacker sends the victim a credible-seeming email in an attempt to get him to click something he shouldn’t—thus opening the door to the company’s internal systems.