What’s the fastest way for a cybercriminal to get into a company’s environment and cause chaos? If you answered “a stolen legitimate password”, you’re right. Cybercriminals love nothing more than getting their hands on an employee password that lets them slip into systems undetected to steal data, deploy ransomware or work other mischief – especially a privileged administrator or executive password. Unfortunately for businesses, bad actors can often accomplish their goal without phishing. It’s become easier than ever for them to make that dream a reality thanks to the boatload of password data that has traveled to the dark web. But there are a few things every organization can do to keep their company passwords safely in-house instead of on the dark web.

The dark web has always been a clearinghouse for passwords. As the years have gone by, more and more stolen records, passwords, financial information and other data has made its way to the dark web through myriad data breaches. It’s a vicious cycle. Every new breach brings a fresh influx of data into the pool, and every influx of data can spawn a new breach. This pattern will keep on repeating, making the danger of credential compromise bigger every year. Credentials were the top type of information stolen in data breaches worldwide in 2020, and cybercriminals were quick to capitalize on their successes. An estimated 20 billion fresh passwords made their way to the dark web last year. 

This year’s giant influx of fresh passwords from events like the RockYou 2021 leak just keeps priming the pump for new cybercrimes, especially password-fueled schemes like credential stuffing, the gateway to all sorts of bad outcomes like ransomware, and business email compromise, the most expensive cybercrime of 2020.  Earlier this summer, the personally identifying data and user records data of 700M LinkedIn users appeared on a popular dark web forum – more than 92% of LinkedIn’s estimated total of 756M users. That created an enormous splash that will ultimately ripple out into a whole new world of opportunity for cybercrime. 

Big companies aren’t doing any better. In a 2021 study, researchers found the passwords for 25.9 million Fortune 1000 business accounts floating around on the dark web. If cybercriminals felt like they really needed a privileged password to get the job done, that wasn’t a problem either. Credentials for 133,927 C-level Fortune 1000 executives were also accessible to bad actors on the dark web. Altogether, researchers determined that over 281 million records of personally identifiable information (PII) for employees of Fortune 1000 companies were readily available in dark web markets and dumps, making it easy for bad actors to find and use in hacking and fraud operations. 

Far and away, password reuse and recycling is the biggest obstacle that companies face when trying to build a strong cybersecurity culture and keep their data safe. An estimated 60% of passwords that appeared in more than one breach in 2020 were recycled or reused, a factor that every company should keep in mind when creating and setting password security policies. Employees aren’t making the mistake of reusing passwords from ignorance either. Over 90% of participants in a password habits survey understood the risk of password reuse but that didn’t stop them because 59% admitted to doing it anyway that disconnection is a huge problem for businesses everywhere. 

Bad Password Hygiene is Putting Your Data in Danger 

• More than 60% of employees use the same password across multiple work and home applications. 
• 82% of workers admitted sometimes reusing the same passwords and credentials 
• 44 million Microsoft users admitted in a survey that they often use the same password on more than one account 
• 43% of Microsoft’s survey respondents have shared their work password with someone in their home for another use 
• About 20% of employees have reused their work password for online shopping, social media or streaming accounts 

That sloppy password handling is directly responsible for data breaches. In fact, over 30% of the respondents in Microsoft’s survey admitted that their organization has experienced a cybersecurity incident as a result of compromised user credentials that had been shared with people outside their companies. That danger has grown. People worldwide created an average of 15 new online accounts per person during the main thrust of the pandemic. That’s a lot of new passwords to create and remember. It also means that many more passwords were recycled or reused in 2020 than in past years making password exposure through cybercrime a strong possibility.

Source: ID Agent