Credential compromise is a major cyberattack and breach risk for every organization that grows daily as more and more data reaches the dark web. That data includes an abundance of stolen usernames and passwords. Cybercriminals can effortlessly scoop up extensive lists of passwords in dark web markets or dumps. They can also buy credentials straight from malicious employees. There are myriad ways that credentials could be your company’s Achilles heel.

From SMBs to giant multinationals, it doesn’t matter how high-flying a company is either. Password problems will still plague them. A trove of exposed data about Fortune 1000 companies on the dark web was uncovered by researchers earlier this year, including passwords for 25.9 million Fortune 1000 corporate user accounts. Digging deeper, they also unearthed an estimated 543 million employee credentials from Fortune 1000 companies circulating on commonly used underground hacking forums, a 29% increase from 2020. Altogether, they were able to determine that 25,927,476 passwords that belong to employees at Fortune 1000 companies are hanging out on the dark web. That’s an estimated 25,927 exposed passwords per Fortune 1000 company, marking a 12% increase in password leaks from 2020.

Looking at the pharmaceutical sector as an example of the danger of exposed credentials, it’s easy to see that the password problem grows yearly. In a recent study, researchers identified more than 4.5M exposed records in approximately 10K breaches and leakages that exposed the corporate credentials of employees from the top 20 Fortune 500 pharmaceutical companies between 2018 and 2021. In a sample analysis of credential exposure for 78 executives from top pharma companies, researchers discovered that 58% of executives had had their corporate credentials, including privileged passwords, exposed in a third-party breach or leakage since 2018. Illustrating rising danger, researchers also discovered that approximately 59% of breaches and 76% of exposed records identified in the report occurred since 2020.

User credentials are the key that unlocks the door to an organization’s systems and data. Unfortunately, it’s far too easy for bad actors to get a copy of that key on the dark web:

• An estimated 15 billion unique logins are circulating on the dark web.
• The average organization is likely to have 17 login details exposed on the dark web.
• The credentials of 133,927 C-level Fortune 1000 executives are accessible in dark web markets.
• There has been a 429% increase in corporate login details with plaintext passwords exposed on the dark web since 2020.

 

• Password Reuse and Recycling is A Bad Practice. That’s Getting Worse

The average organization is now likely to have about 17 sets of login details available on the dark web for malicious actors to enjoy, and they’re making the most of those resources. An estimated 60% of passwords in more than one breach in 2020 were recycled or reused, a factor that every company should consider when creating and setting password security policies. The average adult has an estimated 100 passwords floating around that they’re using, and everyone has the potential to be a problem if they recycle them. Employees aren’t making the mistake of reusing passwords from ignorance, either. Over 90% of participants in a password habits survey understood the risk of password reuse, but that didn’t stop them because 59% admitted to doing it anyway.

That disconnect is a huge problem for businesses everywhere and a fast path to trouble. These three passwords, three reuse and recycling corollaries, bring added complications:

1. Password Sharing:

Employees are also sharing their passwords with others at an alarming rate, including those who don’t work at the same company. Over 30% of respondents in a Microsoft study admitted that their organization had experienced a cybersecurity incident due to compromised user credentials shared with people outside their companies:

• 43% of survey respondents have shared their password with someone in their home.
• 22% of employees surveyed have shared their email password for a streaming site.
• 17% of employees surveyed have shared their email passwords for a social media platform.
• 17% of employees surveyed have shared their email password for an online shopping account.

2. Malicious Insiders:

Credentials are a hot commodity on the dark web. While most username and password pairs hit the market through data breaches, organizations must remember that bad actors don’t always come from outside. Malicious insider actions like selling credentials result in an estimated 25% of data breaches. Legitimate credentials for even a tiny company can sell for a pretty penny, and the top motivator for malicious insiders to act is money. An average legitimate employee credential can go for over $3,000. But that is far from the total price a handy, privileged password, like executive and administrator credentials, can fetch in the booming dark web data markets. Those types of credentials can go for as much as $120,000, and it’s an investment that cybercrime gangs are more than happy to make.

3. Zombie Accounts:

Don’t overlook the possibility that a former employee still has a working password that allows them to access systems, accounts, and data. Companies that aren’t careful about removing access and permissions from departing employee accounts can get burned by dark web credential exposure and unauthorized user activity. In a 2021 study, researchers determined that after their employment ended, many former workers still had access to the systems, tools, and solutions that they used at their former job, including old email accounts (35%), work-related materials on a personal statement (35%), social media (31%), software accounts (31%) or shared files or documents (31%). Many also retained access to things like accounts with a third-party system (29%), another employee’s account (27%), a backend system (25%), and the company’s financial information (14%).

Source: ID Agent