Cybersecurity professionals who lament senior executives’ lack of interest in threat protection will find little to cheer about in new findings released Friday by software security firm Comodo Group Inc.

Researchers in the company’s Threat Intelligence Lab went to the dark web, a shady part of the Internet accessible through special software called Tor, to purchase the logins that 388 Equifax Inc. employees used for third-party accounts on social media and file-sharing sites. They found that numerous executives, including the chief privacy officer and chief information officer, were using simple passwords like spouse names, city names or combinations of initials and birth year. Among the passwords they discovered were “homer1, brooklyn and rosemary.”

Equifax’s chief privacy officer, CIO, vice president of public relations and vice president of sales were all found to have used lowercase letters without special symbols and easily guessed words to access third-party websites. “This is shocking for a large company that protects the sensitive information of millions of consumers,” the researchers wrote in a blog post.

Equifax clearly wasn’t happy about this either. Late Friday, the company announced the retirement, “effective immediately,” of CIO David Webb and Chief Security Officer Susan Mauldin.

Comodo also determined that attackers stole user credentials using the Pony Trojan, a form of malware that’s commonly used to steal login credentials. Upon gaining access to the computer, the malware transmits credentials for more than 90 commonly used applications to the attackers, then deletes itself. Not surprisingly, researchers found evidence that attackers had breached third-party services such as LinkedIn, Forbes.com and Last.fm using employee accounts with passwords they described as “alarmingly simplistic.”

Information about login credentials for internal Equifax applications wasn’t available, but weak security on third-party sites is nearly as much of a vulnerability. For one thing, many people use the same password across multiple sites, which may leave their accounts vulnerable elsewhere. Attackers can also hijack executive identities and use them to post embarrassing information or to gain access to sensitive information through social engineering.

The findings are also an indictment of third-party services that continue to permit users to sign on with weak passwords. Standard security practices require, at the minimum, a mix of uppercase and lowercase letters, combined with special characters and numerals. These can be enhanced by  two-factor authentication or algorithms that limit the use of common substitutions or character repetition.

Despite the fact that passwords are involved in an estimated 80 percent of cyberbreaches and that best practices for creating secure passwords are well-known, many users still default to using simple credentials across many websites. An audit of 10 million stolen credentials by Keeper Security Inc. last year found that 17 percent of users safeguard their accounts with the password “123456.” That was followed closely by “123456789,” “qwerty” and “12345678.”

Image: Flickr CC