Security experts found that a trove of over millions email credentials, which belongs to employees of Fortune 500 companies, has been leaked to the dark web. Experts analysed data from over a three-year period, which represented the largest ever trove of stolen credentials – amounting to 8 billion. It was found that over 2.7 million of these 8 billion stolen credentials have found their way into the dark web.
Experts found that account credentials of every 1 in 10 Fortune 500 staffer has been leaked to the dark web, according to a new report by credential verification service VeriClouds. Experts found that the highest number of leaked credentials, 555,000 credentials, which amounts to 20% of all leaked data, came from the financial sector. IT security experts commented below.
Mark James, Security Specialist at ESET:
“We hear so much about data breaches and how this or that data has leaked to the web, and could be forgiven for allowing it to slip to the back of the mind as “just another data breach”; the trouble is of course that when all these small amounts of seemingly insignificant data gets accumulated and collated to form a footprint of your digital world, this of course could be used for further data or identity theft, targeted phishing attacks or indeed CEO fraud with a much higher than normal chance of success, due to the trust relationship established through legit proven data.
If login credentials are involved in the breach and usable, they of course could also be used for other accounts. If you unfortunately do not practice a good password regime and reuse your login credentials from one account to another, they may be able to use the details from one “low security” account and try that on a high security account like Apple, Facebook or Google. Whilst these companies will do their very best to protect your logins from hacking or brute force attacks, they can nothing to stop someone from using the correct username and password to access your accounts- unless you of course are using Two Factor Authentication. This would not only alert you that an unauthorised login is taking place, but stop someone using those credentials elsewhere. Of course complex, unique details will thwart this from happening in the first place.”
Bill Evans, Senior Director at One Identity:
“Recently a credential verification service, VeriClouds, released a new report which is an analysis of online account credentials linked to employees of Fortune 500 companies. There were several surprising…disturbing findings in this report.
First, the report claims that the credentials of every 1 in 10 Fortune 500 staffers have been leaked. That’s pretty depressing. With all the money being thrown at cybersecurity and all the education being foisted upon those staffers, one would have thought we would be doing better than 1 in 10.
Second, the report claimed that the highest number of leaked credentials came from the financial sector – an astonishing 20%. While this appears exceedingly troubling given the regulations that organizations in the financial sector must adhere to, in retrospect, this may not be as damning as it appears. I’m not an expert in the F500, but I suspect that perhaps as many as 20% are in the financial sector so it would seem to reason that all other things being equal, that 20% of the breaches would be come from that sector. But again, the financial sector should be more secure than other sectors like manufacturing because of the regulations and since that sector is protecting all of our money.
Lastly, with some good news, the number of leaks has actually decreased 7.5% year over year. Finally, some good news in the fight against cyber threats. Congratulations to everyone!
As a cybersecurity expert, I urge everyone – from end users to other cybersecurity experts – to keep up the good fight. A nearly 8% drop in leaked credentials year over year is a great sign that maybe, just maybe, we are making progress on the war against cybercrime.”
Ryan Wilk, Vice President at NuData Security:
“These findings underscore why organizations can no longer verify individuals solely by relying on knowledge-based authentication (KBA). Stolen passwords get channeled into the dark web and provide hackers with the entry points to compromise trusted and essential organizations, including Fortune 500s. It’s critically important for major organizations – and for any organization collecting and using personally identifiable information (PII) – to take a more advanced, layered approach to authentication. Multi-layered verification methods that third parties can’t replicate – such as passive biometrics and behavioral analytics – are coming strong and delivering near 100% accuracy. This lets the organization confirm in real time, that employees and customers are genuine and not fraudsters while locking the door to bad actors and devaluating their stolen data.”
The opinions expressed in this post belong to the individual contributors and do not necessarily reflect the views of Information Security Buzz.