There have been many studies and investigations into the number of stolen credentials available on the dark web. However, a new report that was just released is a bit different: it focuses on credentials belonging to global Fortune 500 organizations, and used machine learning (ML) techniques to clean and verify the collected data.
The results are more disturbing than usual because the study focuses on global corporations and the results have been cleaned — but remain shocking. Geneva, Switzerland-based firm ImmuniWeb used the OSINT elements of its Discovery product to crawl the dark places used to correlate and sell stolen credentials, gathering what it could. It then used its own ML models to “find anomalies and spot fake leaks, duplicates or default passwords set automatically – that were excluded from the research data.”
Despite this cleaning, it found more than 21 million different credentials belonging to the Fortune 500 companies; more than 16 million of which were compromised during the last 12 months. It is worth stressing that these all have cleartext passwords that were either stolen in cleartext, or have subsequently been cracked by the hackers.
“These numbers are both frustrating and alarming,” commented Ilia Kolochenko, CEO and founder of ImmuniWeb. “Cybercriminals are smart and pragmatic, they focus on the shortest, cheapest and safest way to get your crown jewels. The great wealth of stolen credentials accessible on the Dark Web is a modern-day Klondike for mushrooming threat actors who don’t even need to invest in expensive 0day or time-consuming APTs.”
One of the most disturbing aspects of the discoveries is the large number of common and simple passwords. This would not be surprising from small companies with small or even no security teams — but is hard to understand in large corporations with the resources to train their staff and implement password management processes. This is worrying.
The password ‘password’ is among the top five most popular passwords in eight of the ten industry sectors included in the survey. It is not included within the technology sector. Here the most popular password is ‘passw0rd’ — and the fifth most popular is ‘password1’. Out of the 21 million collected credentials, only 4.9 million are genuinely unique passwords, clearly suggesting that even Fortune 500 companies have very weak password policies.
Use of weak passwords (defined by ImmuniWeb as being of 8 characters or less, or found in common dictionaries and therefore easy to brute force) is rampant. From the ten sectors, retail is the worst offender with 47.29% of the passwords being weak. The energy sector is best, but still at 32.56%. While the absolute numbers are shocking, the relative percentages cannot be assumed accurate for the full complement of Fortune 500 passwords. These are cleartext credentials. Strong and complex passwords may not have been cracked so will not appear in the figures, which are necessarily biased towards the weaker ones.
This doesn’t diminish the worrying aspects of the study — like an average of 11% of all passwords from each breach being identical; or 42% of all stolen passwords being somehow related either to the company name or the third-party website service from which they were stolen.
Two interesting discoveries in the study are the number of credentials that have been exposed via breaches of adult-oriented websites, and the relationship between phishing websites and the companies breached.
Technology, financial and energy are the most common sectors with stolen credentials coming via adult websites. Here, the surprise is not the source, but that users have utilized their business rather separate personal accounts to log in. “There is no clear answer to this,” Ilia Kolochenko, CEO and founder of ImmuniWeb told SecurityWeek. But he noted that “with the Ashley Madison and AdultFriendFinder breaches, many .gov and .gov.uk emails figured amid their users.”
The second discovery is a statistical relationship between criminal phishing infrastructures and the stolen credentials. “The number of squatted domains and phishing websites per organization is proportional to the total number of exposed credentials,” says the report. “The more illegitimate resources exist, the more credentials can be found for the organization’s personnel.”
Statistically, this suggests that concerted efforts to phish a company will succeed. “I think there is a traceable nexus between cybersecurity hygiene (e.g. less vulnerable websites, timely removed phishing pages, decent SSL encryption, etc) and the data breaches,” Kolochenko told SecurityWeek. “Careless and negligent companies likely have weaker password policies, no or immature vendor risk management, nascent security awareness among its employees, and so on. All this boosts their chances to get hacked directly or via third parties.”
This report is full of facts and statistics on stolen credentials, but very light on any interpretation of those facts — even the basic implication that Fortune 500 companies have much to learn and do on their password policies. This is by design. “I would not make definitive conclusions based on the data,” Kolochenko told SecurityWeek. “First of all, many data breaches have never been detected and probably never will be; hence any research will miss some data. Moreover, one’s interpretations may consider a wide spectrum of factors but miss an essential one thereby rerouting causation into the wrong direction. Many illuminating assumptions can be made on the data, and we are keen to hear from the industry how they would construe the data.”
Related: California to Ban Weak Passwords