Researchers have discovered a massive 2.7 million stolen online account log-ins from Fortune 500 employees on the dark web, representing a major security risk to the companies involved, according to VeriClouds.
The credential monitoring firm analyzed a database of eight billion stolen online account credentials it has been collecting over the past three years, claiming it to be the largest commercially available database of its kind.
Over 2.7 million belonged to Fortune 500 employees, with username and password exposed. VeriClouds claimed it found around 10% of their employee emails used to set up these accounts.
That’s a security risk because it means hackers could use the same credentials to infiltrate the corporate network, either via brute forcing the password or potentially by using the same email and password combination, if the user has shared them across their online and corporate accounts.
The highest number of leaked credentials was in the financial sector, where VeriClouds found 555,000 email credentials — over 20% of the total Fortune 500 trove.
The firm added:
“Those numbers are disconcerting, since the higher the number of leaked credentials at a company, the higher the risk of data breach. We see that on average each leaked email account is part of 2.3 leaked data sources. This fact contributes to the increased credential availability to bad actors. Furthermore, the availability of credentials data is increased as many bad actors are repackaging or combing older breach data and offering it to other bad actors who have not been able to obtain it in the past.”
Interestingly, the vendor claimed that only 10% of the credentials leaked to the dark web came as a result of first- or third-party breaches.
ESET security specialist, Mark James, argued that using complex, unique passwords or multi-factor authentication could help to mitigate the risks highlighted in the report.
“When all these small amounts of seemingly insignificant data gets accumulated and collated to form a footprint of your digital world, this of course could be used for further data or identity theft, targeted phishing attacks or indeed CEO fraud with a much higher than normal chance of success, due to the trust relationship established through legit proven data,” he warned.
The cybercrime underground is fast becoming saturated with such credentials.
Researchers found a trove of 1.4 billion breached credentials on the dark web back in December whilst last month 1.2 million breached corporate email addresses belonging to some of the UK’s top legal firms were found on the dark web, 80% of which had an associated password.