Stolen credentials on the Dark Web

October 2019 Cyber Security, Security Services & Risk Management

Web security company, ImmuniWeb, has conducted research into the state of stolen credentials available on the Dark Web, which are being exploited by cybercriminals for spear-phishing and password re-use attacks against the highest-grossing global public and private companies - the Fortune 500.

ImmuniWeb used its all-in-one ImmuniWeb Discovery application discovery and inventory service solution to crawl generally accessible places and resources within the TOR network, across various Web forums, Pastebin, IRC channels, social networks, messenger chats and many other locations notorious for offering, selling or distributing stolen or leaked data.

Key findings: passwords

Over 21 million (21 040 296) credentials belonging to Fortune 500 companies, among which over 16 million (16 055 871) were compromised during the last 12 months.

As many as 95% of the credentials contained unencrypted, or brute-forced and cracked by the attackers, plaintext passwords.

Perhaps unsurprisingly, technology was the industry with the largest volume of credentials exposed in breaches of adult-oriented websites and resources, followed by financials and energy.

There were only 4,9 million (4 957 093) fully unique passwords amid the 21 million records, suggesting that many users are using identical or similar passwords.

One of the most common passwords in most of the industries researched was password.

Retail was the industry with the highest number of weak or default passwords.

Approximately 42% of the stolen passwords are somehow related either to the victim’s company name or to the breached resource in question, making password brute-forcing attacks highly efficient.

On average, 11% of the stolen passwords from one breach are identical - pointing to usage of default passwords, proliferation of spam and data scraping bots creating accounts, or a previous password reset setting an identical password to a large set of accounts.

Key findings: domains

The number of squatted domains and phishing websites per organisation is proportional to the total number of exposed credentials. The more illegitimate resources exist, the more credentials can be found for the organisation’s personnel.

The number of subdomains with failing Web security grade (C or F) is proportional to the number of exposed credentials. The more poorly secured a website is, the more credentials can be found for the organisation’s personnel.

Key findings: data

Over half of publicly accessible data is outdated or fake, or just comes from historical breaches in a false pretence to be newly compromised records.

The most popular sources of the exposed breaches were:

1.Third parties (e.g. websites or other resources of unrelated organisations).

2.Trusted third parties (e.g. websites or other resources of partners, suppliers or vendors).

3.The companies themselves (e.g. their own websites or other in-house resources).

Ilia Kolochenko, CEO and founder of ImmuniWeb, commented: “These numbers are both frustrating and alarming. Cybercriminals are smart and pragmatic, they focus on the shortest, cheapest and safest way to get your crown jewels. The great wealth of stolen credentials accessible on the Dark Web is a modern-day Klondike for mushrooming threat actors who don’t even need to invest in expensive zero-day or time-consuming APTs (the Klondike Gold Rush was a migration by an estimated 100 000 prospectors to the Klondike region of the Yukon, in north-western Canada, between 1896 and 1899). With some persistence, they easily break in, being unnoticed by security systems and grab what they want. Worse, many such intrusions can technically not be investigated due to lack of logs or control over the breached [third-party] systems.

In the era of cloud, containers and continuous outsourcing of critical business processes, most organisations have lost visibility and thus control over their digital assets and data. You cannot protect what you don’t see, likewise you cannot safeguard the data if you don’t know where it’s being stored and who can access it. Third-party risks immensely exacerbate the situation by adding even more perilous unknowns into the game.

A well-thought, coherent and holistic cybersecurity and risk management programme should encompass not just your organisation but third parties in a continuous and data-driven manner.

Full research and infographics at:

Share this article:
Share via emailShare via LinkedInPrint this page

Further reading:

Pwn2Own hacking contest to include industrial control systems
October 2019 , Cyber Security
As IT and OT converge under Industry 4.0 and digital transformation initiatives, security gaps are emerging in a range of popular industrial control systems.

Stolen credentials on the Dark Web
October 2019 , Cyber Security, Security Services & Risk Management
Over 21 million credentials belonging to Fortune 500 companies, 16 million of which were compromised during the last 12 months, are up for sale.

The importance of XDR for cyber protection
October 2019 , Cyber Security, Products
35% of South African organisations are expecting an imminent cyberattack and a further 31% are bracing for it to happen within a year, according to local research conducted by Trend Micro.

Enterprise security must change
October 2019 , Cyber Security, Security Services & Risk Management
The recent wave of cyberattacks against local banks has highlighted the importance of protecting data against malicious users.

Kaspersky uncovers zero-day in Chrome
October 2019, Kaspersky , News, Cyber Security
Kaspersky’s automated technologies have detected a new exploited vulnerability in the Google Chrome web browser.

Body-worn cameras transforming security
October 2019 , CCTV, Surveillance & Remote Monitoring, Security Services & Risk Management
Police Service Northern Ireland now has over 7 000 officers using 2 500 cameras covering approximately 173 000 incidents each year.

Protecting your customers’ data
October 2019 , Training & Education, Security Services & Risk Management
Simon Murrell, head of development and executive director at BrandQuantum says companies need to protect their customers from identity theft and data breaches.

Cybersecurity for video surveillance systems
September 2019, Mobotix , Cyber Security, CCTV, Surveillance & Remote Monitoring
Video surveillance systems are increasingly accessible over any IP network, which has led to the rise of potential cyberattack.

African trust centre launches cyber division
November 2019 , Cyber Security
Advancing cybersecurity to more stringent heights, LAWtrust has launched a new division focusing on cybersecurity services to complement its identity, encryption and digital signature offerings.

What are the cybersecurity issues in video surveillance?
November 2019, Axis Communications SA , Editor's Choice, CCTV, Surveillance & Remote Monitoring, Cyber Security
he importance of the data captured by surveillance cameras – and what can be done with it – has led to a new breed of cybercriminals, looking for insights to steal and sell.