
24bn record breach puts SMEs at greatest risk

By Nicola Mawson, Contributing journalist
Johannesburg, 22 Jun 2026
Attackers can spoof or route their traffic through the same geographic regions as staff use, reducing location as a security control measure. (Graphic created with GenAI)

Small businesses with inadequate IT support, which rely on single sign-on credentials for access to e-mail, accounting and customer relationship management (CRM) platforms, are the most at risk from a data breach containing 24 billion records, say two experts.

Cybernews researchers found an exposed Elasticsearch cluster – a high-performance database that stores, indexes and rapidly searches massive volumes of structured data – containing 24 billion records and more than 8.3TB of data. The database was exposed to the internet because of a configuration error, Cybernews says.

Most records appear to be infostealer logs, including usernames, e-mails, passwords and login URLs drawn from 36 sources, including Telegram channels and breach compilations. The database is no longer publicly exposed, but reused passwords may still put accounts at risk, says Cybernews.

Jacqui Muller, Belgium Campus iTversity researcher and PhD candidate in computer science, says: “For many South African SMEs, the greatest risk is not necessarily the business application itself, but the Google or Microsoft account employees use to access it.”

Many organisations rely on single sign-on, allowing staff to log into multiple business services using the same Google or Microsoft credentials, says Muller. “If that primary account is compromised and is not adequately protected with multi-factor authentication (MFA), an attacker could potentially gain access to every connected platform, from ERP and accounting software, to CRM, collaboration and cloud services.”

One key, every door

Muller explains that this makes ERP platforms particularly attractive targets because they are at the centre of finance, procurement, payroll and supplier management. While most major ERP vendors support MFA, it is the customer that decides whether and how it is enforced – which could result in two companies using the same software having very different security levels.

“SMEs are often more exposed because they may lack dedicated IT security resources and do not consistently enforce MFA across identity provider accounts or require it at every login,” says Muller.

Many organisations use single sign-on, enabling staff to access multiple business services with the same Google or Microsoft credentials.

Many organisations also rely on location-based or “trusted location” policies, where users signing in from familiar geographic areas face fewer authentication checks, Muller explains. “However, attackers can spoof or route their traffic through the same geographic regions, reducing the effectiveness of location alone as a security control.”

Not a commodity

Linda Morris, director of Smart Technology Centre, says the exposure highlights a more fundamental shift: organisations must now assume credentials are already compromised and design security around identity as the primary attack surface.

“In practice, this means moving beyond password hygiene to enforcing conditional access, securing endpoints against infostealer malware, and continuously monitoring for exposed credentials and abnormal login behaviour.”

Document counts from the exposed Elasticsearch cluster, with the largest single source containing more than 22 billion records. (Image: Cybernews)

Morris adds that too many organisations still treat IT as a commodity chosen on price, yet expect resilience when things go wrong.

“With the rise of AI and increasingly automated attacks, we need to start treating IT and cyber security as certified, professional disciplines, with defined standards, accountability and recognised expertise. A race to the lowest price undermines security. Now is the time for the industry to mature,” says Morris.
