Many studies and investigations have looked at the number of stolen credentials circulating on the dark web. A recently published report is a little different: it focuses on credentials belonging to international Fortune 500 companies and uses machine learning (ML) techniques to clean and validate the data it collected.
Because the report concentrates on global companies and because the raw data has been cleaned, the findings carry more weight than usual, and they remain alarming. Geneva, Switzerland-based ImmuniWeb used the OSINT components of its Discovery product to crawl the dark web areas where stolen credentials are traded and gathered everything it could. It then applied its own ML models to “automatically track anomalies and spot fake leaks, duplicates or default passwords, which were removed from the research data.” After the cleanup it found more than 21 million unique credentials belonging to Fortune 500 companies, more than 16 million of which were compromised in the past 12 months. It should be stressed that all of these are plaintext passwords: either stolen in clear text or subsequently cracked by attackers.
“These figures are both frustrating and alarming,” commented ImmuniWeb’s CEO, Ilia Kolochenko. “Cyber criminals are clever, practical and concentrate on the fastest, quickest and easiest way to get the crown jewels. The huge wealth of stolen data available on the Dark Web is a new goldmine for the mushrooming number of threat actors, who do not even need to invest in costly 0-days or time-consuming APTs.” Poor password hygiene is not surprising at small companies with limited or even no security teams. Larger companies, however, have the resources to train their employees and to introduce password management systems, which is what makes these findings worrying.
Using the username as the password ranks among the top five passwords in eight of the ten industries included in the study. The technology sector is one of the exceptions: its most popular password is ‘passw0rd’, and ‘password1’ is the third most popular. Of the 21 million credentials collected, only 4.9 million passwords are genuinely unique, which suggests that even Fortune 500 corporations have very poor password policies.
The use of weak passwords (defined by ImmuniWeb as 8 characters or fewer, or found in popular dictionaries and therefore easy to brute-force) is rife. Of the 10 sectors, retail is the worst offender, with 47.29% of its passwords weak. The energy industry is the best, but still stands at 32.56%. While the absolute numbers are striking, the relative percentages should not be read as representative of all Fortune 500 passwords. These are plaintext credentials: strong, complex passwords may never have been cracked and so never appear in the data, which automatically skews the figures towards weaker passwords.
Other worrying aspects of the report: on average, 11% of the passwords in each breach are identical to one another, and 42% of all stolen passwords are linked either to the company name or to the name of the third-party website from which they were stolen.
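The three metrics above (weak passwords, reuse within a breach, and passwords tied to the employer or the breached site) are easy to reproduce against a credential dump. The following Python script is an added example, not code from ImmuniWeb or from the original article: the dump, the sector map, the tiny stand-in dictionary and the exact metric definitions are all constructed assumptions chosen to mirror the report's wording, so the percentages it prints are illustrative only.

```python
"""Audit a leaked credential dump using the metric definitions the report implies.

Added example; not ImmuniWeb's code. Everything below is a constructed assumption:
  * weak password  = 8 characters or fewer, or found in a common-password list
  * linked password = contains the employer's name or the breached site's name
  * duplicate rate  = share of records in a breach whose password also appears
                      on another record of the same breach
"""
import re
from collections import Counter, defaultdict

# Constructed sample records: (breach source, e-mail, plaintext password).
DUMP = [
    ("hobbyforum.example", "alice@acme.example", "Passw0rd"),
    ("hobbyforum.example", "bob@acme.example", "acme2019!"),
    ("hobbyforum.example", "carol@acme.example", "Passw0rd"),
    ("hobbyforum.example", "dave@voltco.example", "Tr0ub4dor&3-rotunda"),
    ("datingsite.example", "erin@voltco.example", "datingsite1"),
    ("datingsite.example", "frank@acme.example", "password1"),
    ("datingsite.example", "grace@shopmart.example", "shopmart"),
    ("datingsite.example", "heidi@shopmart.example", "summer2019"),
    ("datingsite.example", "ivan@shopmart.example", "correct horse battery staple"),
]

# Constructed sector map and a tiny stand-in for a popular-password dictionary.
SECTOR = {"acme.example": "technology", "voltco.example": "energy", "shopmart.example": "retail"}
COMMON_PASSWORDS = {"password", "passw0rd", "password1", "123456", "qwerty", "summer2019"}

MAX_WEAK_LEN = 8  # the report's length threshold: 8 characters or fewer is weak


def normalize(s: str) -> str:
    """Lowercase and drop non-alphanumerics so 'Acme-2019!' compares as 'acme2019'."""
    return re.sub(r"[^a-z0-9]", "", s.lower())


def is_weak(password: str, dictionary=COMMON_PASSWORDS) -> bool:
    """Weak per the report's definition: short, or a dictionary entry (case-insensitive)."""
    return len(password) <= MAX_WEAK_LEN or password.lower() in dictionary


def org_name(domain: str) -> str:
    """'acme.example' -> 'acme'; the first DNS label is taken as the organisation's name (assumption)."""
    return domain.split(".")[0]


def is_linked(password: str, employer_domain: str, source_domain: str) -> bool:
    """True when the password embeds the employer's name or the breached site's name."""
    pw = normalize(password)
    return org_name(employer_domain) in pw or org_name(source_domain) in pw


def audit(dump=DUMP, sector_map=SECTOR) -> dict:
    """Return weak-password rate per sector, the linked share, and per-breach duplicate rate."""
    weak, total, linked = Counter(), Counter(), 0
    per_breach = defaultdict(list)
    for source, email, password in dump:
        employer = email.split("@", 1)[1]
        sector = sector_map.get(employer, "unknown")
        total[sector] += 1
        weak[sector] += is_weak(password)
        linked += is_linked(password, employer, source)
        per_breach[source].append(password)
    dup_rates = {
        src: round((len(pws) - len(set(pws))) / len(pws), 4) for src, pws in per_breach.items()
    }
    return {
        "weak_rate_by_sector": {s: round(weak[s] / total[s], 4) for s in total},
        "linked_share": round(linked / len(dump), 4),
        "duplicate_rate_by_breach": dup_rates,
    }


if __name__ == "__main__":
    for name, value in audit().items():
        print(name, value)
```

Note the caveat from the paragraph on weak passwords applies here too: a dump of cracked or plaintext passwords is biased towards weak ones by construction, so the weak-rate figure describes the dump, not the organisation's full password population. Swapping `COMMON_PASSWORDS` for a real wordlist is the only change needed for a realistic run.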
Two further findings of interest are the number of credentials exposed through breaches of adult-oriented websites, and the connection between phishing websites and breached companies.
Technology, finance and energy are the sectors most frequently represented among the stolen credentials sourced from adult websites. The surprise here is not the source, but that users did not use separate personal accounts to sign up. Ilia Kolochenko, CEO and founder of ImmuniWeb, told SecurityWeek, “There are no clear answers to this.” However, he pointed out that “with the Ashley Madison and AdultFriendFinder breaches, many .gov and .gov.uk emails were found among their users.” The second finding is the statistical relationship between criminal phishing infrastructure and stolen credentials. “The amount of squatted domains and phishing websites per client is commensurate with the total number of exposed credentials,” the report says. “The more illegal resources are available, the more credentials can be identified for the employees of the organization.”
This is statistical support for the view that coordinated phishing campaigns against a corporation work. “I believe there is a traceable link between cybersecurity hygiene (for example less vulnerable websites, phishing pages removed on time, decent SSL encryption, etc.) and the data breaches,” Kolochenko told SecurityWeek. “Careless or reckless companies likely have poor security procedures, no or inadequate supplier risk management, only nascent security awareness among their workers, and so on. All of this increases their chances of being compromised directly or via third parties.”
The report is full of facts and figures on stolen credentials, but how they should be interpreted is far less clear, and even the basic assumption that these figures are representative is open to question. That is inherent in the data. “I wouldn’t draw any final conclusions on the basis of the information,” Kolochenko said to SecurityWeek. “First of all, many breaches have never been detected and probably never will be; hence, some data will be missing from the research. Furthermore, one’s interpretations may take into account a wide range of factors but miss an indispensable cause that reverses them in the wrong direction.”