Stolen login credentials from Fortune 500 companies have been found in numerous places on the dark web, many of which are available in plaintext form.
In a report, Security researchers from ImmuniWeb identified 21,040,296 credentials belonging to Fortune 500 companies – with 16,055,871 of them being compromised during the last 12 months.
The researchers revealed that nearly 95% of the credentials “contained unencrypted, or bruteforced and cracked by the attackers, plaintext passwords.”
Amid the 21 million records exposed, it is noted that only 4.9 million of them were fully unique passwords, suggesting that many users have identical or similar passwords.
Roughly 42% of the stolen passwords were linked to the victim’s company name or to the breached resource in question – making brute force attacks highly efficient.
According to the report, the Retail industry had the weakest logins, where almost half of the passwords (47.29%) were less than eight characters long, followed by Telecommunications (37.57), Industrial (37.36%) and Transportation (36.19%).
The top three industries with the largest volume of credentials exposed were Technology, Financials and Energy.
Ilia Kolochenko, CEO and Founder of ImmuniWeb, says:
“These numbers are both frustrating and alarming. Cybercriminals are smart and pragmatic, they focus on the shortest, cheapest and safest way to get your crown jewels. The great wealth of stolen credentials accessible on the Dark Web is a modern-day Klondike for mushrooming threat actors who don’t even need to invest in expensive 0day or time-consuming APTs.
“With some persistence, they easily break-in being unnoticed by security systems and grab what they want. Worse, many such intrusions are technically uninvestigable due to lack of logs or control over the breached [third-party] systems.”
Join our free-to-attend digital event, Last Thursday in Privacy, addressing data protection, privacy and security challenges including working from home, COVID-19, global regulations and more. Visit https://digital.privsec.info/.
We have been awarded the number 1 GDPR Blog in 2019 by Feedspot.
Privacy Culture: Data Privacy and Information Security Consulting, Culture & Behaviour, Training, and GDPR maturity, covered. https://www.privacyculture.com/