Digital Shadows has found that, for the largest 1,000 organizations in the world, there are more than 5 million leaked credentials.
That’s a median average of 706 credentials per organization.
“For companies that were the victims of breaches, there are clear reputational, brand and financial implications,” the company said, in a blog. “So what about the indirect impact of the breaches? Organizations with employees who have reused corporate emails and passwords can also be at risk. These organizations suffer from the collateral damage of the initial breaches.”
Compromised credentials hold significant value for cybercriminals. The information can be used for botnet spam lists, extortion attempts (as was the case with Ashley Madison), spear-phishing, and account takeover.
The breaches impacting the global 1,000 companies the most were heists at LinkedIn and Adobe—both services that employees can be expected to sign up to with their work accounts. However, there were also fewer expected sources. The high level of corporate credentials in the 360 million stolen from MySpace, for example, should cause organizations to pause for thought. Worse still, gaming sites and dating sites also affected organizations. For Ashley Madison alone, which exposed 37 million cheating spouses, there were more than 200,000 leaked credentials from the top 1,000 global companies of the Forbes Global 2000.
The personal details of 5,550,485 people (email and password combinations) were detected across all companies—nearly 300,000 of these are a result from corporate email and passwords combinations being stolen from dating websites Ashley Madison, Adult Friend Finder and Mate1.
The report also found that the UK is one of the most affected regions in the world—with an average of 9,000 average leaked credentials per company. This is more than the average number of breached credentials found for companies in either North America or the rest of Europe.
The report also pointed out that password resets aren’t a panacea: “But organizations can just reset their passwords, right? It’s not quite that simple, unfortunately. Password resets can cause a lot of friction for organizations and so it’s necessary to first ascertain whether the breach information is unique, or is simply re-posted, old information.”
Whilst many claimed breaches are often simply copies and reposts of previously leaked databases this number is lower than expected—only around 10% of claimed breached credentials are duplicates.
Photo © Asif Islam/Shutterstock.com