SecurityWeek

Cybercrime

21 Million Stolen Fortune 500 Credentials For Sale on Dark Web

There have been many studies and investigations into the number of stolen credentials available on the dark web. However, a new report that was just released is a bit different: it focuses on credentials belonging to global Fortune 500 organizations, and used machine learning (ML) techniques to clean and verify the collected data.

The results are more disturbing than usual: the study is limited to global corporations and the data has been de-duplicated and verified, yet the numbers remain shocking. Geneva, Switzerland-based firm ImmuniWeb used the OSINT components of its Discovery product to crawl the dark web marketplaces and forums where stolen credentials are aggregated and sold, gathering what it could. It then applied its own ML models to “find anomalies and spot fake leaks, duplicates or default passwords set automatically – that were excluded from the research data.”

Even after this cleaning, it found more than 21 million distinct credentials belonging to Fortune 500 companies, more than 16 million of them compromised during the last 12 months. It is worth stressing that every one of these carries a cleartext password: either stolen in the clear, or stored as a hash that the attackers subsequently cracked.

“These numbers are both frustrating and alarming,” commented Ilia Kolochenko, CEO and founder of ImmuniWeb. “Cybercriminals are smart and pragmatic, they focus on the shortest, cheapest and safest way to get your crown jewels. The great wealth of stolen credentials accessible on the Dark Web is a modern-day Klondike for mushrooming threat actors who don’t even need to invest in expensive 0day or time-consuming APTs.”

One of the most disturbing aspects of the findings is the large number of common and simple passwords. This would not be surprising from small companies with small or non-existent security teams, but it is hard to understand in large corporations that have the resources to train their staff and enforce password management processes.

The password ‘password’ is among the top five most popular passwords in eight of the ten industry sectors included in the survey. The only exception is the technology sector, where the most popular password is ‘passw0rd’ and the fifth most popular is ‘password1’. Out of the 21 million collected credentials, only 4.9 million are genuinely unique passwords, a strong indication that even Fortune 500 companies have very weak password policies.

Use of weak passwords (defined by ImmuniWeb as being 8 characters or fewer, or found in common dictionaries and therefore easy to brute force) is rampant. Of the ten sectors, retail is the worst offender, with 47.29% of the passwords being weak. The energy sector is best, but still at 32.56%. While the absolute numbers are shocking, the relative percentages cannot be assumed accurate for the full population of Fortune 500 passwords. Only cleartext credentials are counted: strong and complex passwords that were never cracked do not appear at all, so the figures are necessarily biased towards the weaker ones.

This doesn’t diminish the worrying aspects of the study — like an average of 11% of all passwords from each breach being identical; or 42% of all stolen passwords being somehow related either to the company name or the third-party website service from which they were stolen.
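The statistics above (weak-password rate, unique-password ratio, relatedness to the company or the breached site) are the kind of triage a defender runs over a credential dump that mentions their own domains. The following script is an added example, not ImmuniWeb's methodology or code; it applies the weak-password rule quoted in the article (8 characters or fewer, or found in a common dictionary) to a constructed sample dump. The dictionary, the leet-substitution table, the company names and every domain (all on the reserved .example TLD) are assumptions made for illustration.

```python
"""Triage a (constructed) cleartext credential dump: weak-password rate,
uniqueness, and relatedness of each password to the victim's employer or to
the third-party site it was stolen from. Added example; the weak-password
rule is the one quoted in the article, everything else is an assumption."""
import re
from collections import Counter

# Stand-in for the "common dictionaries" the report mentions. Assumption: a
# real audit would load a full wordlist (e.g. a public leaked-password list).
COMMON_WORDS = {"password", "123456", "qwerty", "welcome", "letmein",
                "admin", "summer", "winter", "iloveyou", "football"}

# Common leet substitutions, undone before the dictionary and relatedness checks
# so that 'passw0rd' and 'P@ssw0rd!' are recognised as 'password'.
LEET = str.maketrans({"0": "o", "1": "i", "3": "e", "4": "a", "5": "s",
                      "7": "t", "@": "a", "$": "s", "!": "i"})

# Tokens too generic to count as "related to the company".
STOP = {"inc", "corp", "llc", "ltd", "group", "co", "www", "com", "net",
        "org", "example"}


def core(pw: str) -> str:
    """Lower-case, drop a trailing run of digits/symbols, then undo leet.
    'P@ssw0rd2020!' -> 'password'; 'password1' -> 'password'."""
    stripped = re.sub(r"[\d\W_]+$", "", pw.lower())
    return stripped.translate(LEET)


def is_weak(pw: str, words=COMMON_WORDS) -> bool:
    """ImmuniWeb's stated rule: 8 characters or fewer, or in a dictionary.
    The dictionary check runs on the raw value and on the normalised core."""
    return len(pw) <= 8 or pw.lower() in words or core(pw) in words


def name_tokens(*names: str) -> set:
    """Split company names and domains into lower-case tokens of 3+ chars,
    minus generic words: ('Acme Corp', 'acme-corp.example') -> {'acme'}."""
    toks = set()
    for n in names:
        for t in re.split(r"[^a-z0-9]+", n.lower()):
            if len(t) >= 3 and t not in STOP:
                toks.add(t)
    return toks


def is_related(pw: str, tokens: set) -> bool:
    """True if any company/source token appears in the password,
    checked against both the leet-normalised core and the raw value."""
    c, raw = core(pw), pw.lower()
    return any(t in c or t in raw for t in tokens)


def audit(records, company_names):
    """records: iterable of (email, cleartext_password, source_site).
    company_names: {email_domain: 'Company Name'}. Returns summary stats."""
    total = weak = related = 0
    counts = Counter()
    for email, pw, source in records:
        domain = email.rsplit("@", 1)[-1].lower()
        tokens = name_tokens(company_names.get(domain, ""), domain, source)
        total += 1
        counts[pw] += 1
        weak += is_weak(pw)
        related += is_related(pw, tokens)
    return {
        "total": total,
        "unique": len(counts),
        "weak_pct": round(100 * weak / total, 2),
        "related_pct": round(100 * related / total, 2),
        "top": counts.most_common(3),
    }


# Constructed sample dump (not real data); all domains are on .example.
COMPANIES = {"acme-corp.example": "Acme Corp",
             "globex.example": "Globex Industries"}
SAMPLE = [
    ("alice@acme-corp.example", "Passw0rd1", "dating.example"),
    ("bob@acme-corp.example", "Acme2019!", "dating.example"),
    ("carol@acme-corp.example", "password", "forum.example"),
    ("dave@globex.example", "Gl0bex#2020", "forum.example"),
    ("erin@globex.example", "xK9$vT2!mQ4wLp", "forum.example"),
    ("frank@globex.example", "password", "dating.example"),
    ("grace@globex.example", "Dating123", "dating.example"),
    ("heidi@acme-corp.example", "Summer2018", "forum.example"),
]

if __name__ == "__main__":
    for key, value in audit(SAMPLE, COMPANIES).items():
        print(f"{key}: {value}")
```

On the sample, half the passwords are weak by the article's rule even though three of them exceed 8 characters ('Passw0rd1', 'Summer2018'), because the dictionary check runs after leet normalisation and suffix stripping; a length-only policy would have passed them. The relatedness check catches 'Acme2019!' and 'Gl0bex#2020' (employer name) as well as 'Dating123' (the breached site), which is the pattern behind the report's 42% figure. The same caveat the article raises applies here: a dump contains only what was stolen in the clear or cracked, so these percentages describe the dump, not the company's whole password population.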


Two interesting discoveries in the study are the number of credentials that have been exposed via breaches of adult-oriented websites, and the relationship between phishing websites and the companies breached. 

Technology, financial and energy are the sectors most often seen with credentials stolen via adult websites. Here the surprise is not the source, but that users logged in with their business accounts rather than separate personal ones. “There is no clear answer to this,” Kolochenko told SecurityWeek. But he noted that “with the Ashley Madison and AdultFriendFinder breaches, many .gov and .gov.uk emails figured amid their users.”

The second discovery is a statistical relationship between criminal phishing infrastructures and the stolen credentials. “The number of squatted domains and phishing websites per organization is proportional to the total number of exposed credentials,” says the report. “The more illegitimate resources exist, the more credentials can be found for the organization’s personnel.”

Taken at face value, this suggests that concerted efforts to phish a company will succeed. “I think there is a traceable nexus between cybersecurity hygiene (e.g. less vulnerable websites, timely removed phishing pages, decent SSL encryption, etc) and the data breaches,” Kolochenko told SecurityWeek. “Careless and negligent companies likely have weaker password policies, no or immature vendor risk management, nascent security awareness among their employees, and so on. All this boosts their chances to get hacked directly or via third parties.”

This report is full of facts and statistics on stolen credentials, but very light on any interpretation of those facts — even the basic implication that Fortune 500 companies have much to learn and do on their password policies. This is by design. “I would not make definitive conclusions based on the data,” Kolochenko told SecurityWeek. “First of all, many data breaches have never been detected and probably never will be; hence any research will miss some data. Moreover, one’s interpretations may consider a wide spectrum of factors but miss an essential one thereby rerouting causation into the wrong direction. Many illuminating assumptions can be made on the data, and we are keen to hear from the industry how they would construe the data.”

Related: Can You Trust Security Vendor Surveys? 

Related: California to Ban Weak Passwords 

Related: Why User Names and Passwords Are Not Enough 

Written By

Kevin Townsend is a Senior Contributor at SecurityWeek. He has been writing about high tech issues since before the birth of Microsoft. For the last 15 years he has specialized in information security; and has had many thousands of articles published in dozens of different magazines – from The Times and the Financial Times to current and long-gone computer magazines.
