Web security company, ImmuniWeb says there are now over 21 million (21,040,296) stolen user credentials belonging to Fortune 500 companies available on the Dark Web – over 16 million (16,055,871) of which were compromised during the last 12 months.

The kicker? A massive 95 percent of the credentials contained unencrypted, or already bruteforced and cracked by the attackers, plaintext passwords, the company says.

(Over half of the broader publicly accessible data is “outdated or fake, or just comes from historical breaches in a false pretense to be newly compromised records” it notes however, although this may prove little solace to security teams at such companies).

Switzerland-based ImmuniWeb crawling across various web forums, Pastebin, IRC channels, social networks, messenger chats etc. within the TOR network, to reveal details about the burgeoning credentials market. (Stolen credentials can be used to attack networks, with initial access then being used to escalate privileges).

Tech, Energy, Financial Services Most Exposed

Among the revelations in the report today: the (widely regarded as exceptionally robust) password “password” remains hugely popular among users, along with cunning and unguessable twists like “passw0rd” and “password1”.

The technology, financial services and energy sectors are the top three industries with the largest volume of credentials exposed, with 42 percent of the stolen passwords “somehow related either to the victim’s company name or to the breached resource in question, making password bruteforcing attacks highly efficient.”

Read this: What Happens When a Security Company Decides to Hack Itself?

Password bruteforcing tools are widely available online, where they are used by both penetration testers and black hats.

They include Cain and Abel, Hashcat, John the Ripper, THC Hydra and Ophcrack, among many others.

(As computer power available to users grows, the speed at which even well encrypted passwords can be cracked is rapidly increasing, as a February Hashcat landmark revealed).

(Hackers never trigger a lockout, as they are not typically running attempts to guess a password on the live account login page. Rather, they have usually bought a file of user IDs and password hashes: a bruteforcing attempt in this scenario involves using such tools to find the equivalent numerical representation of that hash to reveal the password. This does not take place on the target’s portal/machine).

Stolen User Credentials: The Most Popular Passwords

Ilia Kolochenko, CEO and Founder of ImmuniWeb, said: “These numbers are both frustrating and alarming. Cybercriminals are smart and pragmatic, they focus on the shortest, cheapest and safest way to get your crown jewels.

“The great wealth of stolen credentials accessible on the Dark Web is a modern-day Klondike for mushrooming threat actors who don’t even need to invest in expensive 0day or time-consuming APTs. With some persistence, they easily break-in being unnoticed by security systems and grab what they want.

He added: “Worse, many such intrusions are technically uninvestigable due to lack of logs or control over the breached [third-party] systems.”

There were only 4.9 million (4,957,093) fully unique passwords amid the 21 million records the company identified, suggesting that many users are using identical or similar passwords. It recommends using an Attack Surface Management (ASM) solution to map the risk, implementing an organization-wide password policy enforceable on the integrity of in-house and third-party systems, and always using two-factor authentication (2FA) on business-critical systems.

Read this: Aussie Security Firm Brute-Forces Kaspersky’s Encryption to Reveal ASUS Hack Targets