State of Stolen Credentials in the Dark Web from Fortune 500 Companies
Millions of stolen corporate credentials available in the Dark Web are exploited by cybercriminals for spear-phishing and password re-use attacks against the largest global companies.
Wednesday, October 30, 2019
Data stolen and exposed in the Dark Web makes media headlines in 2019. Both the reported data breaches and the number of records exposed therein spiked by over 50% during the Q1 2019 compared to the previous year, and attained a flabbergasting number of 4,000 breaches, exposing over 4 billion compromised records (source: Risk Based Security). Security expert Troy Hunt’s website has a collection of over 8 billion credentials collected in the Internet.
At ImmuniWeb, we decided to shed some light on the skyrocketing growth of data breaches targeting corporates. For this purpose, we analyzed the quality and quantity of stolen credentials accessible on the Dark Web from Fortune 500 companies from 10 different industries across the globe.
Sources and Methodology
We leveraged our OSINT (Open Source Intelligence) technology built into ImmuniWeb® Discovery to crawl generally accessible places and resources within the TOR network, across various web forums, Pastebin, IRC channels, social networks, messenger chats and many other locations notorious for offering, selling or distributing stolen or leaked data.
We found over 21 million (21,040,296) credentials belonging to Fortune 500 companies, amid which over 16 million (16,055,871) were compromised during the last 12 months. As many as 95% of the credentials contained unencrypted, or bruteforced and cracked by the attackers, plaintext passwords.
The most popular sources of the exposed breaches were:
- Third parties (e.g. websites or other resources of unrelated organizations)
- Trusted third parties (e.g. websites or other resources of partners, suppliers or vendors)
- The companies themselves (e.g. their own websites or in-house other resources)
For obvious ethical and legal reasons, we did not try to login into any of these accounts. We verified accuracy and reliability of data by correlating, cross-checking and juxtaposing the data from different public sources aided with Machine Learning (ML). ImmuniWeb’s ML models were used to find anomalies and spot fake leaks, duplicates or default passwords set automatically - that were excluded from the research data.
Table of Content
2. Most Popular Passwords per Industry
3. Top Industries with Weak or Default Passwords
4. Other Interesting Facts
5. How to Reduce Your Dark Web Exposure
6. Conclusion
This is a full version of the research, we are unable to send any samples of compromised records to anyone for security and privacy reasons.
Stolen Credentials per Industry
Below are the industries with the highest numbers of stolen credentials. Unsurprisingly, the largest and the most targeted industries top the list:
| Industry | Total Exposed Credentials |
|---|---|
| Technology | 5,071,144 |
| Financials | 4,915,553 |
| Health Care | 1,923,340 |
| Industrials | 1,898,434 |
| Energy | 1,745,283 |
| Telecommunications | 1,329,882 |
| Retail | 682,408 |
| Transportation | 602,003 |
| Motor Vehicles & Parts | 575,046 |
| Aerospace & Defense | 549,073 |
Most Popular Passwords per Industry
In total, we found only 4.9 million (4,957,093) fully unique passwords amid the 21 million records suggesting that many users are using identical or similar passwords. Below are the most popular passwords per industry:
| Industry | Top 5 Passwords | ||||
|---|---|---|---|---|---|
| Technology | passw0rd 1qaz2wsx career121 abc123 password1 | ||||
| Financials | 456a33 student old123ma welcome 123456 | ||||
| Health Care | Exigent password pass1 000000 123456 | ||||
| Industrials | 12345678 !qaz1qaz passer comdy password | ||||
| Energy | password 123456 snowman old123ma 789_234 | ||||
| Telecommunications | cheer! welcome password 66936455 password1 | ||||
| Retail | 111111 soccer1 123456789 abc123 password | ||||
| Transportation | pass1 123456789 cheezy aaaaaa 112233 | ||||
| Motor Vehicles & Parts | password 111111 penispenis 123456 3154061 | ||||
| Aerospace & Defense | password1 opensesame carrier password 123456 | ||||
Top Industries with Weak or Default Passwords
Below are the top 10 industries ordered by the highest percent of weak passwords (less than 8 characters, found in common dictionaries or default ones). The volume of weak passwords is astonishing and alarming:
| Industry | Weak Passwords |
|---|---|
| Retail | 47,29% |
| Telecommunications | 37,57% |
| Industrials | 37,36% |
| Transportation | 36,19% |
| Financials | 35,12% |
| Motor Vehicles & Parts | 34,98% |
| Aerospace & Defense | 34,44% |
| Technology | 33,87% |
| Health Care | 33,47% |
| Energy | 32,56% |
Other Interesting Facts
During the research, we also spotted some interesting facts and trends:
- Technology, Financials and Energy are respectively the top 3 industries with the largest volume of credentials exposed in breaches of adult-oriented websites and resources;
- Approximately 42% of the stolen passwords are somehow related either to the victim’s company name or to the breached resource in question, making password bruteforcing attacks highly efficient.
- On average, 11% of the stolen passwords from one breach are identical pointing out to usage of default passwords, proliferation of [spam & data scraping] bots creating accounts, or a previous password reset setting an identical password to a large set of accounts.
- The number of squatted domains and phishing websites per organization is proportional to the total number of exposed credentials. The more illegitimate resources exist, the more credentials can be found for the organization’s personnel.
- The number of subdomains with failing web security grade (C or F) is proportional to the number of exposed credentials. The more poorly secured a website is, the more credentials can be found for the organization’s personnel.
- Over half of publicly accessible data is outdated or fake, or just comes from historical breaches in a false pretense to be newly compromised records.
How to Reduce Your Dark Web Exposure
Credentials and other data stolen both in unreported and high-profile data breaches are incrementally used by cybercriminals in spear-phishing campaigns, social engineering and password re-use attacks. Simple at the first glance, they can be terrifically efficient and effective compared to other, more complicated or expensive cyberattacks. To prevent, or at least to minimize, the impact of such data breaches we suggest the following:
- Conduct a comprehensive discovery and inventory of your digital assets, visualize your external attack surface and risk exposure with an Attack Surface Management (ASM) solution.
- Implement an organization-wide password policy enforceable on the integrity of in-house and third-party systems. Use two-factor authentication (2FA) on business-critical systems.
- Implement a third-party risk management program encompassing continuous monitoring of your vendors and suppliers going beyond a paper-based questionnaire.
- Implement a continuous security monitoring system with anomaly detection to spot intrusions, phishing and password re-use attacks.
- Invest into security awareness of your personnel, explain the risks of using professional emails on third-party resources, gamify anti-phishing training and reward the best learners.
Conclusion
Ilia Kolochenko, CEO and Founder of ImmuniWeb, says: “These numbers are both frustrating and alarming. Cybercriminals are smart and pragmatic, they focus on the shortest, cheapest and safest way to get your crown jewels. The great wealth of stolen credentials accessible on the Dark Web is a modern-day Klondike for mushrooming threat actors who don’t even need to invest in expensive 0day or time-consuming APTs. With some persistence, they easily break-in being unnoticed by security systems and grab what they want. Worse, many such intrusions are technically uninvestigable due to lack of logs or control over the breached [third-party] systems.
In the era of cloud, containers and continuous outsourcing of critical business processes, most organizations have lost visibility and thus control over their digital assets and data. You cannot protect what you don’t see, likewise you cannot safeguard the data if you don’t know where it’s being stored and who can access it. Third-party risks immensely exacerbate the situation by adding even more perilous unknowns into the game.
A well-thought, coherent and holistic cybersecurity and risk management program should encompass not just your organization but third parties in a continuous and data-driven manner. At ImmuniWeb, we work hard to illuminate external attack surface and Dark Web exposure for our customers, bringing peace of mind and assurance to our clientele and partners.”
You can visualize your external attack surface and Dark Web exposure with ImmuniWeb® Discovery Attack Surface Management (ASM).
Latest news and insights on AI and Machine Learning for application security testing, web, mobile and IoT security vulnerabilities, and application penetration testing. 
