Threat Spotlight: Leaked Credentials and Geography


Executive Summary

Leaked credentials are the cause of many cyberattacks, and the number of them on the dark web continues to grow rapidly: there are over 10 billion unique username-password combinations once duplicates and combo lists have been removed.

Flare has been monitoring and archiving the dark web for over 5 years, which has enabled us to observe interesting trends over time. We analyzed how geography and language play roles in what countries threat actors target.

Read the full report on leaked credentials, Clear Insights from a Deep Analysis of Dark Web Leaked Credentials, to learn more.


  • Across almost all industries, the ratio of leaked credentials per employee decreased as the size of the organization increased. We believe this was likely due to improvements in security maturity for larger organizations and increasing separation of roles and responsibilities as organization size increased, resulting in fewer unique logins.
  • However, the ratio of leaked credentials by employee per country didn’t seem to correspond with security maturity. We expected that countries with lower levels of security maturity would experience higher ratios of leaked credentials, but this was not the result.
  • When excluding outliers, the United States and Nordic countries ranked in the top 5 for leaked credentials per employee, while countries that spend far less on cybersecurity both nominally and as a percentage of GDP came in much lower.

The Details

One of our most interesting findings was that the ratio of leaked credentials per employee did not necessarily correspond with security maturity for countries. However, by-industry and by-organization size comparisons did correspond with security maturity. We originally expected countries with lower levels of security maturity to experience higher ratios of leaked credentials. 

We analyzed the average ratio of leaked credentials per employee and included the top 28 countries in the table. This is represented in the world map. The United States and Nordic countries ranked in the top 5 for leaked credentials per employee (excluding outliers like Mexico), while countries that spend far less on cybersecurity both nominally and as a percentage of GDP came in lower. 

The reason for the exceptionally high percentage of leaked credentials occurring in countries that often use English for business purposes is that those countries have relatively high levels of GDP per capita and numerous multinational companies (which we will discuss more in the next section). The U.S., Norway, Sweden, and the U.K. are home to several multinational conglomerates worth hundreds of billions of dollars.

The U.S. ranked first in the percentage of employees with leaked credentials on the dark web. This did not surprise us, as American organizations are often targeted for state-sponsored motives and financial reasons.

Generally, threat actors consider larger and more established organizations valuable enough to justify the effort of trying to break into them.


English and Leaked Credentials

We mentioned in the last section that the high percentage of leaked credentials may be linked to the country’s English usage for business purposes.

Our theory is that threat actors target English-speaking countries and those that use English as a common business language. On the dark web, English is one of the most popular languages spoken (along with Russian), and is by far the most commonly studied language in the world. Threat actors who understand English can launch attacks against organizations in predominantly English-speaking countries.

In addition, there’s a larger “target market” for threat actors to sell credentials to in English, compared to a set of credentials for a platform in a less spoken language. For lesser spoken languages, there are also fewer threat actors who could use this language efficiently.

Curious about our Methodology? This is What We Did:

Flare took a random sample of between 100 and 200 companies for each sector and divided them by size into medium-sized organizations (500-1,000 employees), large organizations (1,000-5,000 employees), and enterprise organizations (5,000+ employees). We then searched across dark web marketplaces, illicit Telegram channels, and clear web sites to identify unique credentials for sale. We excluded collections (amalgamations of multiple credential leaks) and combo lists (high-quality lists of individuals with multiple credential leaks) to ensure that we were counting unique instances and not identifying duplicates.

We then analyzed the data by company size and industry, as mentioned, based on 3 primary criteria. We included the following industries: Energy, Manufacturing, Software, Retail, Finance, Food & Beverage, Healthcare, and Labs & Pharmaceuticals. We excluded the Education sector due to the prevalence of students using emails ending in their organization’s domain.

The Ratio of Leaked Credentials Per Employee: This metric was determined by comparing the exact number of employees at a company to the number of users with identifiable leaked credentials for sale. For example, if Acme Inc. has 10,000 employees and we found 500 unique instances of credential leaks with [email protected], that ratio would be described as .05 or 5%.
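A security team can compute the same metric for its own domain. The following is an added example, not Flare's code: the record fields, source-type labels, `example.com` / `acme.example` domains, and the handling of the overlapping size boundaries are assumptions, and the sample records are constructed.

```python
from dataclasses import dataclass

# Source types the methodology excludes so one leak is not counted twice.
EXCLUDED_SOURCES = {"collection", "combo_list"}  # hypothetical labels

@dataclass(frozen=True)
class LeakRecord:
    email: str        # login identifier seen in the listing
    source_type: str  # e.g. "marketplace", "telegram", "clear_web"

def size_bucket(employees: int) -> str:
    """Map headcount to the report's size classes (boundary choice is an assumption)."""
    if employees >= 5000:
        return "enterprise"
    if employees >= 1000:
        return "large"
    if employees >= 500:
        return "medium"
    return "out_of_scope"

def exposed_users(records, domain: str) -> set:
    """Unique mailboxes on `domain`, skipping excluded sources and case variants."""
    suffix = "@" + domain.lower()
    users = set()
    for rec in records:
        if rec.source_type in EXCLUDED_SOURCES:
            continue
        email = rec.email.strip().lower()
        # Exact-domain match only: a subdomain such as mail.example.com is not counted.
        if email.count("@") == 1 and email.endswith(suffix):
            users.add(email)
    return users

def leak_ratio(records, domain: str, employees: int) -> float:
    """Users with leaked credentials divided by employee count."""
    if employees <= 0:
        raise ValueError("employee count must be positive")
    return len(exposed_users(records, domain)) / employees

# Constructed sample records (no real data).
SAMPLE = [
    LeakRecord("alice@example.com", "marketplace"),
    LeakRecord("Alice@Example.com ", "telegram"),        # duplicate of alice
    LeakRecord("bob@example.com", "clear_web"),
    LeakRecord("carol@example.com", "combo_list"),       # excluded source
    LeakRecord("dave@example.com", "collection"),        # excluded source
    LeakRecord("erin@mail.example.com", "marketplace"),  # different domain
]

if __name__ == "__main__":
    print(size_bucket(800), leak_ratio(SAMPLE, "example.com", 800))
```

Deduplicating on the normalized address before dividing is what keeps reposted listings from inflating the ratio.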

How Flare Can Help

Monitoring for credential leaks and proactively identifying potential data exposure can be simple with Flare. Flare enables you to automatically scan the clear and dark web for your organization’s leaked data, whether it be technical data, source code, leaked credentials, or secrets on public GitHub repos. This approach enables you to proactively identify sensitive data leaks and prevent data breaches before malicious actors utilize them.

Flare allows you and your security team to: 

  • Get ahead of attempted network intrusions before they happen by rapidly detecting stolen credentials and infected devices for sale
  • Cut incident response time by up to 95% and monitor around 10 billion leaked credentials
  • Understand your organization’s external data exposure (digital footprint) with proactive recommendations to improve your security posture based on real world, contextualized data

Want to see how Flare can monitor leaks for your organization? Request a demo for more information.
