Expert Comments

21 Million Logins For Top 500 Firms Offered On The Dark Web

Expert(s): Security Experts
Expert(s): Security Experts

According to a recent report by ImmuniWeb, more than 21 million login credentials stolen from Fortune 500 companies have been found in various places on the dark web, many of them already cracked and available in plaintext form.

Most of them were from tech companies, closely followed by organisations in the financial industry. Entities in the healthcare, energy, telecommunications, retail, industrial, transport, aerospace and defence sectors are also on the list.

The researchers reveal a worrying statistic: “95% of the credentials contained unencrypted, or brute-forced and cracked by the attackers, plaintext passwords.”

Despite finding as many as 21 million login records, the report notes that only 4.9 million of them were unique, “suggesting that many users are using identical or similar passwords.”

Experts Comments

October 31, 2019
Craig Young
Principal Security Researcher
Tripwire
This is an interesting glimpse into the inner-workings of underground criminal hacking markets. It illustrates just how easy it can be for an adversary to obtain a foothold into a target organization. Some criminal hackers are very good at spear-fishing or breaching random websites, but may have little ability to directly monetize the information. (Some may be capable but prefer to minimize their risk exposure.) Others may specialize in escalating access within an organization, but have little .....Read More
This is an interesting glimpse into the inner-workings of underground criminal hacking markets. It illustrates just how easy it can be for an adversary to obtain a foothold into a target organization. Some criminal hackers are very good at spear-fishing or breaching random websites, but may have little ability to directly monetize the information. (Some may be capable but prefer to minimize their risk exposure.) Others may specialize in escalating access within an organization, but have little capability in the way of initially obtaining access. Underground markets typically hosted on TOR allow these threat actors to collaborate with relative anonymity. The best organizational defense against this class of threats is to employ proper multi-factor authentication. If a password alone is insufficient to gain access, password dumps become virtually worthless.  Read Less
October 31, 2019
Stuart Sharp
VP of Solution Engineering
OneLogin
The scariest takeaway from this discovery is that many companies will never know their cloud services have been compromised. It’s only when secret information comes to light in a public domain, or attackers attempt invoice payment redirection that the account compromise becomes obvious. Unless MFA is in place, once login credentials are compromised, attackers can access highly sensitive company information. Organisations need to constantly audit cloud services and control access and protect.....Read More
The scariest takeaway from this discovery is that many companies will never know their cloud services have been compromised. It’s only when secret information comes to light in a public domain, or attackers attempt invoice payment redirection that the account compromise becomes obvious. Unless MFA is in place, once login credentials are compromised, attackers can access highly sensitive company information. Organisations need to constantly audit cloud services and control access and protect authentication and authorisation using a combination of Privileged Access Management and MFA.  Read Less

Submit Your Expert Comments

What do you think of the topic? Do you agree with expert(s) or share your expert opinion below.
Be part of our growing Information Security Expert Community (1000+), please register here.

Write Your Expert Comments *
Your Registered Email *
Notification Email (If different from your registered email)
* By using this form you agree with the storage and handling of your data by this web site.
SUBMIT

You may also like

DNA Testing Firm Discloses Data Breach Affecting 2.1 Million People

Data Hacked For 400,000 LA Patients

IKEA Suffering Ongoing “Reply-Chain” Email Attack

Cybersecurity Expert Reaction On UK’s Financial Regulator Scraps 90-day Authentication...

DNA Testing Firm Discloses Data Breach Affecting 2.1 Million People

Panasonic Becomes Latest Victim Of Data Breach – Security Expert...

Clearview’s £17 Million Fine For Processing 10+ Billion Images Is...

Booz Allen Report On CISOs And China Quantum Computing Risks,...

Experts Reactions On Sky Broadband Hack Warning

Ransomware Set To Break Records This Black Friday 2021

Information Security Buzz (aka ISBuzz News) is an independent resource that provides the experts comments, analysis and opinion on the latest Information Security news and topics

Twitter Facebook-f Linkedin Youtube

Working With Us

The Pages

Our Contributing Experts