21 Million Stolen Fortune 500 Credentials For Sale on Dark Web

By Kevin Townsend for SecurityWeek
Wednesday, October 30, 2019

• 1.6k
• More

Despite this cleaning, it found more than 21 million different credentials belonging to the Fortune 500 companies; more than 16 million of which were compromised during the last 12 months. It is worth stressing that these all have cleartext passwords that were either stolen in cleartext, or have subsequently been cracked by the hackers.

"These numbers are both frustrating and alarming," commented Ilia Kolochenko, CEO and founder of ImmuniWeb. "Cybercriminals are smart and pragmatic, they focus on the shortest, cheapest and safest way to get your crown jewels. The great wealth of stolen credentials accessible on the Dark Web is a modern-day Klondike for mushrooming threat actors who don't even need to invest in expensive 0day or time-consuming APTs."

One of the most disturbing aspects of the discoveries is the large number of common and simple passwords. This would not be surprising from small companies with small or even no security teams -- but is hard to understand in large corporations with the resources to train their staff and implement password management processes. This is worrying.

Two interesting discoveries in the study are the number of credentials that have been exposed via breaches of adult-oriented websites, and the relationship between phishing websites and the companies breached.

Technology, financial and energy are the most common sectors with stolen credentials coming via adult websites. Here, the surprise is not the source, but that users have utilized their business rather separate personal accounts to log in. "There is no clear answer to this," Ilia Kolochenko, CEO and founder of ImmuniWeb told SecurityWeek. But he noted that "with the Ashley Madison and AdultFriendFinder breaches, many .gov and .gov.uk emails figured amid their users."

The second discovery is a statistical relationship between criminal phishing infrastructures and the stolen credentials. "The number of squatted domains and phishing websites per organization is proportional to the total number of exposed credentials," says the report. "The more illegitimate resources exist, the more credentials can be found for the organization's personnel."

Statistically, this suggests that concerted efforts to phish a company will succeed. "I think there is a traceable nexus between cybersecurity hygiene (e.g. less vulnerable websites, timely removed phishing pages, decent SSL encryption, etc) and the data breaches," Kolochenko told SecurityWeek. "Careless and negligent companies likely have weaker password policies, no or immature vendor risk management, nascent security awareness among its employees, and so on. All this boosts their chances to get hacked directly or via third parties."

This report is full of facts and statistics on stolen credentials, but very light on any interpretation of those facts -- even the basic implication that Fortune 500 companies have much to learn and do on their password policies. This is by design. "I would not make definitive conclusions based on the data," Kolochenko told SecurityWeek. "First of all, many data breaches have never been detected and probably never will be; hence any research will miss some data. Moreover, one's interpretations may consider a wide spectrum of factors but miss an essential one thereby rerouting causation into the wrong direction. Many illuminating assumptions can be made on the data, and we are keen to hear from the industry how they would construe the data." Read Full Article