Security experts have warned the UK’s largest companies that they’re at risk of being breached, after finding hundreds of thousands of corporate credentials on cybercrime sites.
Socura teamed up with Flare to monitor “cybercrime communities” across the clear and dark web for FTSE 100 company domains. Its resulting report, FTSE 100 for Sale, revealed 460,000 compromised credentials belonging to employees at these firms.
Some firms had as many as 45,000 leaked credentials, while 15 companies had more than 10,000 each. Although this is a problem across multiple sectors, financial services (70,000+) was particularly affected.
Much of the problem stems from the proliferation of infostealer malware. Socura and Flare found 28,000 corporate credentials in stealer logs – which on average equates to 280 per FTSE 100 company.
“However, this number may be just the tip of the iceberg, as these are only the credentials that we are aware of from public leaks, areas of the dark web, and criminal channels,” the report cautioned.
“A company could have many more stolen credentials that are yet to be sold, are in active use, or have been distributed through channels unknown to us.”
Read more on stolen credentials: Major Cybersecurity Vendors’ Credentials Found on Dark Web
The study also revealed that poor password hygiene is still a major security challenge for even the country’s biggest and best-resourced organizations.
Over half (59%) of FTSE 100 companies have at least one employee using “password” as a password, it found. Password reuse was also commonplace. One employee had three variations of the same password (the TV actor “Ross Kemp”) in six known leaks.
The report’s authors also found CXO email addresses and passwords shared on dark web sites like Doxbin.
Best Practice Credential Security
Socura threat intelligence lead, Anne Heim, explained that cybercriminals are fundamentally opportunists.
“Most won’t waste precious time hacking for credentials when they can easily find or buy them online,” she added.
“Implementing multi-factor authentication (MFA) using passkeys, monitoring threat exposure for new data leaks, and swiftly detecting and responding to malware and suspicious logins need to be considered part of the baseline all businesses need to achieve to minimize risks.”
The report authors recommended organizations to:
- Enforce strong password policies as per NCSC advice, as well as the use of password managers, and educate employees accordingly
- Implement phishing-resistant MFA and passkeys across all devices and services
- Use conditional access policies to grant access based on authentication strength, device compliance status, user risk level and other factors
- Proactively monitor the corporate attack surface by regularly checking for leaked credentials and resetting passwords for compromised accounts
- Implement a clear Bring Your Own Device (BYOD) policy that requires MFA for accessing any corporate services
- Implement robust detection controls to spot and flag suspicious behavior, like unusual logins and infostealer malware
Image credit: Immersion Imagery / Shutterstock.com
