Application security, Malware, Phishing

Millions of Fortune 500 email credentials found on the dark web

About 10 percent of the email credentials of all those employed at Fortune 500 companies have been leaked on the dark web, according to a new study.

The VeriClouds report, which included data from a three-year period, that looked at 27 million Fortune 500 staffers and found about 2.7 million credentials among the eight billion stolen credentials found on the dark web. If that is not bad enough VeriClouds found that the stolen data was found in multiple locations thus increasing the possibility it is bought and used by malicious actors. The good news is the number represents a 7.5 percent decline from 2016.

“We see that on average each leaked Fortune 500 email address, associated with an online account, is found at 2.3 leaked data sources. Furthermore, the availability of credentials data increases when many bad actors repackage or combine older breach data and resell it,” the report stated.

The availability of these passwords opens a corporation up to any number of potential cyberattacks, including spearphishing, credential stuffing and account takeover attacks, which can lead to bad guys having direct access to personnel or corporate networks.

Workers in the telecom, industrial and energy sectors saw the highest percentage of stolen credentials with 23 percent, 18 percent and 17 percent, respectively, leaked. The financial, technology and healthcare fields had more records on the Dark Web, but this is primarily due to the fact that those industries have more employees overall.

In many cases the Fortune 500 firm is not directly to blame for the data loss because their employees used their corporate email address, and possibly the same sign-on credentials, to create an account at a third-party website. If this entity suffers were to suffer a breach and the person has used the same login then the Fortune 500 company could be vulnerable.

Compounding the problem is the large number of weak passwords associated with their accounts.

“Computers, Office Equipment industry has the largest percentage of weak, compromised passwords with 25 percent, followed by Transportation Equipment and Telecommunications industries with 17.6 percent and 12.9 percent, respectively,” the report said.

When it comes to shear volume commercial banks have the highest number of weak or compromised passwords with 109,000; telecom is next with just over 100,000; and the computer, office equipment  sector is third with 73,000.

Get daily email updates

SC Media's daily must-read of the most current and pressing daily news

By clicking the Subscribe button below, you agree to SC Media Terms and Conditions and Privacy Policy.