by Amelia Paro

Booming Dark Web Markets Are Well Stocked with Passwords for Sale

The perennial problem of password reuse risk is becoming more dangerous and the trail of that increased threat can be traced right back to the dark web. While the world economy may still be experiencing challenges, the dark web economy is running on all cylinders and the data markets are full of eager buyers. About 60% of the data that was already on the dark web at the start of 2020 could harm businesses. Then that generous pool of passwords for sale in dark web markets was augmented by an estimated 22 billion new records that landed in dark web data markets and dumps in 2020. This influx of data gave cybercriminals plenty of new fuel to use in password-based cyberattacks – and they didn’t waste any time making the most of those new resources in 2021. 

It’s Not Just Employee Passwords for Sale in Dark Web Markets

In a recent survey of Fortune 1000 companies, researchers discovered a hefty chunk of exposed data including passwords for 25.9 million Fortune 1000 business accounts. Taking a deeper look, investigators also found an estimated 543 million employee credentials for Fortune 1000 companies circulating on commonly used underground hacking forums, a 29% increase from 2020. An astonishing 25,927,476 passwords that belong to employees at Fortune 1000 companies were available readily in dark web markets and data dumps. That translates into an estimated 25,927 exposed passwords per company, marking a 12% increase from 2020 and indicating an elevated risk for cyberattacks and hacking for those companies.  

Even more worrisome is that credentials for about 133,927 C-level Fortune 1000 executives were also available in the markets. These accounts are especially prized for their elevated user privileges in company systems as well as their credibility when conducting business email compromise schemes. Unless the affected companies are using secure identity and access management tools, just one privileged password in the hands of cybercriminals can open a business up for a cascade of expensive, damaging security nightmares.  Altogether, researchers estimate that a total of 76% of employees and executives at the world’s largest companies are still reusing passwords across personal and professional accounts.  

Over 281 million records of personally identifiable information (PII) for employees of Fortune 1000 companies were available, making it easy for bad actors to conduct impersonation and fraud operations as well as answer the “secret questions” that are so popular in many applications. researchers also noted a pattern — a 60% password reuse rate among email addresses in surveyed databases exposed in more than one breach in 2020.  

Low Standards and Lax Policies Create Danger

No industry is immune to the powerful lure of password recycling and iteration, especially in the era of remote and hybrid work making passwords more insecure than ever. Even though the danger is well-known to IT professionals, about 60% of respondents in a recent IT professional survey indicated their organization had experienced a password recycling/reuse/iteration-related security breach in the past year alone. The telecommunications sector had the highest average number of leaked employee credentials at 552,601 per company. The media industry had the highest password reuse rates at 85%, followed by household products (82%), hotels, restaurants & leisure (80%), and healthcare (79%). Media professionals also frequently used explicit phrases as passwords.

Many companies aren’t even bothering to enforce any standards at all. Researchers also found rampant password iteration like “password” becoming “password1” or “passw0rd.” Commonly used passwords appeared thousands of times in dark web datasets: “123456” appeared 75,287 times, while “password” and “aaron431” showed up 61,762 and 36,775 times, respectively. The use of weak passwords, such as “123456” and “password” was rampant among top Fortune 1000 companies. Media professionals also frequently used explicit phrases as passwords.

Mitigate This Risk Quickly and Cheaply

Although password reuse and recycling is a common foe for cybersecurity teams, mitigating that risk is both simple and affordable with two smart solutions that maximize security and minimize cost. 

Immediately adopt multifactor authentication (MFA) to stop password reuse and recycling from having the power to cause a devastating cyberattack — MFA alone stops 99% of password-based cybercrime in its tracks. 

Get your defenses ready for a new onslaught of password-related cybercrime risk. Contact us today for a free quote.

Comments are closed.