25.9 million business account credentials and over 543 million breach assets tied to employees in the Fortune 1000 are readily available on the criminal underground, SpyCloud reveals.
Password reuse risk
“Year after year, studies show that the use of weak and stolen credentials is the most common hacking tactic for cybercriminals, yet 76 percent of employees at the world’s largest companies are still reusing passwords across personal and professional accounts,” said Chip Witt, VP of product management for SpyCloud.
“People don’t seem to realize just how often their credentials end up in criminal hands or how stolen passwords can be used to access other accounts they think are safe.”
Regardless of security guidelines that warn against such behavior, many employees, even at the executive level, are using corporate credentials as personal logins for other accounts. When those third-party sites are subject to data breaches, reused employee logins provide criminals with easy access to corporate systems and networks.
Analysis within report is broken down by data type and sector (as defined by Fortune) to reveal the scope of breach exposure facing the largest U.S. companies across different industries.
- The credentials of 133,927 C-level Fortune 1000 executives are available for sale on the dark web.
- At 552,601 per company, employees in the telecommunications sector have by far the highest average number of exposed credentials.
- 13,897 technology sector employees’ corporate or personal systems appear to be infected with credential-stealing malware.
- In addition to corporate credentials, breaches regularly expose a wealth of personally identifiable information (PII) that enables bad actors to bypass security measures, take over accounts, and compromise enterprise networks. Over 281M PII assets of Fortune 1000 employees are available to cybercriminals.
- Despite constant warnings about the high risk of using weak passwords, “123456” and “password” are still the most commonly used among employees.
- At 85 percent, the media industry has the highest rate of password reuse. Media professionals also show an affinity for using certain passwords that would be inappropriate to publish here.
“Especially with millions of people still working from home, enterprises must be able to trust the identities of the employees, consumers, and suppliers accessing their networks,” continued Witt.
“The best way to prevent accounts from being taken over is to identify compromised credentials quickly after a breach and mitigate before criminals have time to use them. That requires a comprehensive, continuously updated database of breach data that security leaders can use to keep corporate accounts safe.”