Threat Spotlight: Leaked Credentials

Executive Overview

Stolen credentials continue to represent the primary means of compromise for the majority of data breaches and cyberattacks. The number of leaked credentials on the dark web has also expanded considerably, approaching over 10 billion unique username-password combinations once duplicates and combo lists have been removed.

We looked into stolen credentials for sale on the dark web across eight industries, covering organizations we define as mid-sized (500-1,000 employees), large (1,000-5,000 employees), and enterprise (>5,000 employees). Read our full report: Clear Insights from a Deep Analysis of Dark Web Leaked Credentials.

The Details

Across almost all industries, the ratio of leaked credentials per employee decreased as the size of the organization increased. We believe this was likely due to improvements in security maturity for larger organizations. To be more specific, on average, 43% of employees working at mid-sized companies had leaked credentials on the dark web, 19% of employees at large companies, and only 4% of employees at enterprise companies. Across all industries and organization sizes, there was an average of 22% of employees that had leaked credentials on the dark web.

There are three main reasons why smaller organizations tend to have a greater ratio of leaked credentials:

  1. Individuals at smaller organizations likely have to “wear more hats” and perform a larger variety of work, leading to increased usage of SaaS applications and logins across more websites.
  2. Smaller organizations generally have lower security maturity than larger organizations and also lack third-party risk management programs. This could result in more vendors with less rigorous security programs.
  3. Enterprise organizations often have lists of approved vendors and applications that employees can use, severely limiting the number of unique log-ins that an average enterprise user will have compared to a user in a smaller organization. 

The industry with the highest ratio of stolen credentials for sale on the dark web was Manufacturing; the lowest was Labs and Pharmaceuticals.

What didn’t surprise us: Energy, Retail, and Manufacturing were in the top four for highest proportion of leaked credentials per employee. According to Gartner, those industries have a lower ratio of security spend when compared to industries such as Healthcare and Financial Services. 

What surprised us: Software companies came in second for the average ratio of leaks per employee. Generally, we found that the higher the level of security maturity an organization had (measured by number of employees and industry security expenditure), the fewer credentials we would find for sale or leaked.

According to a 2020 report by Gartner, the category of “Software Publishing and Internet Services” had the highest security spend expressed as a percentage of total information technology budget. Despite this large investment in cybersecurity, it’s possible that employees at Software/IT organizations access more software than those in other industries. If an employee uses the same credentials for dozens, or even hundreds, of logins across third-party platforms, the volume of reused logins can outweigh the increased level of security maturity and spending.

We found that, on average, about nine employees in Software organizations had identical passwords that were found in three separate breaches!

Curious about our Methodology? This is What We Did:

Flare took a random sample of between 100 and 200 companies for each sector and divided them by size into medium-sized organizations (500-1,000 employees), large organizations (1,000-5,000 employees), and enterprise organizations (5,000+ employees). We then searched across dark web marketplaces, illicit Telegram channels, and clear web sites to identify unique credentials for sale. We excluded collections (amalgamations of multiple credential leaks) and combo lists (high-quality lists of individuals with multiple credential leaks) to ensure that we were counting unique instances and not identifying duplicates.

We then analyzed the data by company size and industry, as mentioned, based on three primary criteria. We included the following industries: Energy, Manufacturing, Software, Retail, Finance, Food and Beverage, Healthcare, Telecommunications, and Healthcare (Labs and Pharma). We refer to Healthcare (Labs and Pharma) as Labs and Pharmaceuticals in the report. We excluded the Education sector due to the prevalence of students using emails ending in their organization’s domain.

The Ratio of Leaked Credentials Per Employee: This metric was determined by comparing the exact number of employees at a company to the number of users with identifiable leaked credentials for sale. For example, if Acme Inc. has 10,000 employees, and we found 500 unique instances of credential leaks with [email protected], that ratio would be described as 0.05 or 5%.
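A security team can compute the same metric over its own leak-monitoring export. The sketch below is an added example, not Flare's code or methodology: it deduplicates records per user, derives the leaked-credentials-per-employee ratio, and lists users whose identical password appears in three or more separate breaches. The record layout, the password fingerprints, the `acme.example` domain and the choice to count unique users are assumptions made for illustration.

```python
from collections import defaultdict

# Constructed sample records: (email, password fingerprint, leak source).
# Fingerprints stand in for hashed passwords so no plaintext is handled.
SAMPLE_LEAKS = [
    ("alice@acme.example", "fp1", "breach-a"),
    ("Alice@Acme.example", "fp1", "breach-a"),   # duplicate of the row above
    ("alice@acme.example", "fp1", "breach-b"),
    ("alice@acme.example", "fp1", "breach-c"),
    ("bob@acme.example", "fp2", "breach-a"),
    ("bob@acme.example", "fp3", "breach-b"),
    ("carol@other.example", "fp4", "breach-a"),  # different organization
    ("not-an-email", "fp5", "breach-a"),         # malformed, skipped
]

def normalize(email):
    """Lower-case an address and split it; return (local, domain) or None."""
    local, sep, domain = email.strip().lower().rpartition("@")
    if not sep or not local or not domain:
        return None
    return local, domain

def exposure(records, domain, employee_count, min_breaches=3):
    """Return (leaked-credential ratio per employee, users reusing a password)."""
    if employee_count <= 0:
        raise ValueError("employee_count must be positive")
    # user -> password fingerprint -> set of distinct sources it appeared in
    seen = defaultdict(lambda: defaultdict(set))
    for email, fingerprint, source in records:
        parsed = normalize(email)
        if parsed is None or parsed[1] != domain.lower():
            continue  # ignore malformed rows and other organizations
        seen[parsed[0]][fingerprint].add(source)
    # Assumption: each user counts once, however many leaks mention them.
    ratio = len(seen) / employee_count
    reused = sorted(
        user for user, passwords in seen.items()
        if any(len(sources) >= min_breaches for sources in passwords.values())
    )
    return ratio, reused

if __name__ == "__main__":
    ratio, reused = exposure(SAMPLE_LEAKS, "acme.example", employee_count=40)
    print(f"{ratio:.0%} of employees exposed; password reuse: {reused}")
```

Users returned in the reuse list are the natural first candidates for forced password resets and MFA enrollment checks.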

How Flare Can Help

Monitoring for credential leaks and proactively identifying potential data exposure can be simple with Flare. Flare enables you to automatically scan the clear and dark web for your organization’s leaked data, whether it be technical data, source code, leaked credentials, or secrets on public GitHub repos. This approach enables you to proactively identify sensitive data leaks and prevent data breaches before malicious actors utilize them.

Flare allows you and your security team to: 

  • Get ahead of reacting to attempted network intrusions before they happen by rapidly detecting stolen credentials and infected devices for sale 
  • Cut incident response time by up to 95% and monitor around 10 billion leaked credentials
  • Understand your organization’s external data exposure (digital footprint) with proactive recommendations to improve your security posture based on real world, contextualized data

Want to see how Flare can monitor leaks for your organization? Request a demo for more information.
