October 30, 2019 (updated 31 Oct 2019 9:29am)

16 Million Fortune 500 Passwords Added to Dark Web in 12 Months

"password", "passw0rd" and "password1" remain popular choices...

By CBR Staff Writer

Web security company ImmuniWeb says there are now over 21 million (21,040,296) stolen user credentials belonging to Fortune 500 companies available on the Dark Web, over 16 million (16,055,871) of which were compromised during the last 12 months.

The kicker? A massive 95 percent of the credentials included plaintext passwords, either never encrypted in the first place or already bruteforced and cracked by the attackers, the company says.

(Over half of the broader publicly accessible data is “outdated or fake, or just comes from historical breaches in a false pretense to be newly compromised records”, it notes, although this may prove little solace to security teams at such companies).

Switzerland-based ImmuniWeb crawled web forums, Pastebin, IRC channels, social networks, messenger chats and similar sources within the Tor network to reveal details about the burgeoning credentials market. (Stolen credentials can be used to attack networks, with initial access then being used to escalate privileges).

Tech, Energy, Financial Services Most Exposed

Among the revelations in the report today: the (widely regarded as exceptionally robust) password “password” remains hugely popular among users, along with cunning and unguessable twists like “passw0rd” and “password1”.

The technology, financial services and energy sectors are the top three industries with the largest volume of credentials exposed, with 42 percent of the stolen passwords “somehow related either to the victim’s company name or to the breached resource in question, making password bruteforcing attacks highly efficient.”
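As an added example (not from the article or from ImmuniWeb), the following defender-side screening check flags the patterns the report describes: leet-speak twists on “password”, passwords related to the company or the breached resource, and exact matches against a corpus of breached passwords. The company name, resource name, base-word list and breached corpus are all constructed for illustration.

```python
import hashlib
import re

# Constructed stand-in for a breached-credential corpus (not ImmuniWeb's data set): the
# screening service keeps only SHA-1 digests, never the plaintexts it compares against.
_BREACHED_SHA1 = {
    hashlib.sha1(p.encode()).hexdigest()
    for p in ("password", "passw0rd", "password1", "123456", "qwerty")
}

# Base words that survive the usual "twists"; "password" is from the article, the
# others are constructed examples.
_WEAK_BASES = ("password", "welcome", "letmein")

# Reverse the common leet substitutions so "passw0rd" and "p4ssword" compare as "password".
_LEET = str.maketrans({"0": "o", "1": "i", "3": "e", "4": "a", "5": "s",
                       "7": "t", "@": "a", "$": "s", "!": "i"})


def normalize(password: str) -> str:
    """Canonical form for pattern checks: lowercase, trailing digits/symbols dropped, de-leeted."""
    stripped = re.sub(r"[\d!@#$%^&*]+$", "", password.lower())
    return stripped.translate(_LEET)


def related_tokens(*names: str, min_len: int = 3) -> set[str]:
    """Alphanumeric tokens of the company and resource names (e.g. 'acme', 'vpn')."""
    tokens = re.findall(r"[a-z0-9]+", " ".join(names).lower())
    return {t for t in tokens if len(t) >= min_len}


def screen_password(password: str, company: str, resource: str, min_len: int = 12) -> list[str]:
    """Return policy findings for a candidate password; an empty list means it is accepted."""
    findings = []
    if len(password) < min_len:
        findings.append("too_short")
    # Exact match against the breached corpus: only the digest of the candidate is compared.
    if hashlib.sha1(password.encode()).hexdigest() in _BREACHED_SHA1:
        findings.append("known_breached")
    norm = normalize(password)
    if any(base in norm for base in _WEAK_BASES):
        findings.append("weak_base_word")
    if any(tok in norm for tok in related_tokens(company, resource)):
        findings.append("company_related")
    return findings


if __name__ == "__main__":
    for candidate in ("Passw0rd1", "Acme-VPN-2019!", "correct horse battery staple"):
        print(f"{candidate!r}: {screen_password(candidate, 'Acme Corp', 'vpn.acme.example')}")
```

The normalization step is what catches the report's “passw0rd” and “password1” variants, which a plain blocklist of exact strings would miss.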


Password bruteforcing tools are widely available online, where they are used by both penetration testers and black hats.


They include Cain and Abel, Hashcat, John the Ripper, THC Hydra and Ophcrack, among many others.

(As the computing power available to users grows, the speed at which even well encrypted passwords can be cracked is rapidly increasing, as a February Hashcat landmark revealed).

(Attackers working this way do not trigger a lockout, as they are not typically running password guesses against the live account login page. Rather, they have usually bought a file of user IDs and password hashes: a bruteforcing attempt in this scenario involves using such tools to hash candidate passwords offline until one produces a matching hash, revealing the password. None of this takes place on the target’s portal or machine).

Stolen User Credentials: The Most Popular Passwords

Ilia Kolochenko, CEO and Founder of ImmuniWeb, said: “These numbers are both frustrating and alarming. Cybercriminals are smart and pragmatic, they focus on the shortest, cheapest and safest way to get your crown jewels.

“The great wealth of stolen credentials accessible on the Dark Web is a modern-day Klondike for mushrooming threat actors who don’t even need to invest in expensive 0day or time-consuming APTs. With some persistence, they easily break in, unnoticed by security systems, and grab what they want.”

He added: “Worse, many such intrusions are technically uninvestigable due to lack of logs or control over the breached [third-party] systems.”

There were only 4.9 million (4,957,093) fully unique passwords amid the 21 million records the company identified, suggesting that many users are using identical or similar passwords. It recommends using an Attack Surface Management (ASM) solution to map the risk, implementing an organization-wide password policy that is enforced across both in-house and third-party systems, and always using two-factor authentication (2FA) on business-critical systems.
