There have been many studies and investigations into the number of stolen credentials available on the dark web. However, a new report that was just released is a bit different: it focuses on credentials belonging to global Fortune 500 organizations, and used machine learning (ML) techniques to clean and verify the collected data.
The results are more disturbing than usual because the study focuses on global corporations and the results have been cleaned — but remain shocking. Geneva, Switzerland-based firm ImmuniWeb used the OSINT elements of its Discovery product to crawl the dark places used to correlate and sell stolen credentials, gathering what it could. It then used its own ML models to “find anomalies and spot fake leaks, duplicates or default passwords set automatically – that were excluded from the research data.”
Despite this cleaning, it found more than 21 million different credentials belonging to the Fortune 500 companies; more than 16 million of which were compromised during the last 12 months. It is worth stressing that these all have cleartext passwords that were either stolen in cleartext, or have subsequently been cracked by the hackers.
“These numbers are both frustrating and alarming,” commented Ilia Kolochenko, CEO and founder of ImmuniWeb. “Cybercriminals are smart and pragmatic, they focus on the shortest, cheapest and safest way to get your crown jewels. The great wealth of stolen credentials accessible on the Dark Web is a modern-day Klondike for mushrooming threat actors who don’t even need to invest in expensive 0day or time-consuming APTs.”
One of the most disturbing aspects of the discoveries is the large number of common and simple passwords. This would not be surprising from small companies with small or even no security teams — but is hard to understand in large corporations with the resources to train their staff and implement password management processes. This is worrying.
The password ‘password’ is among the top five most popular passwords in eight of the ten industry sectors included in the survey. It is not included within the technology sector. Here the most popular password is ‘passw0rd’ — and the fifth most popular is ‘password1’. Out of the 21 million collected credentials, only 4.9 million are genuinely unique passwords, clearly suggesting that even Fortune 500 companies have very weak password policies.
Use of weak passwords (defined by ImmuniWeb as being of 8 characters or less, or found in common dictionaries and therefore easy to brute force) is rampant. From the ten sectors, retail is the worst offender with 47.29% of the passwords being weak. The energy sector is best, but still at 32.56%. While the absolute numbers are shocking, the relative percentages cannot be assumed accurate for the full complement of Fortune 500 passwords. These are cleartext credentials. Strong and complex passwords may not have been cracked so will not appear in the figures, which are necessarily biased towards the weaker ones.
This doesn’t diminish the worrying aspects of the study — like an average of 11% of all passwords from each breach being identical; or 42% of all stolen passwords being somehow related either to the company name or the third-party website service from which they were stolen.
Two interesting discoveries in the study are the number of credentials that have been exposed via breaches of adult-oriented websites, and the relationship between phishing websites and the companies breached.