16 million passwords have been found to have been added to Dark Web sites over the last 12 months, according to a report published by cybersecurity firm ImmuniWeb.
The passwords, many of which were obtained off the back of a 50% increase in data breaches in the first quarter of 2019, came via a whopping 4 billion compromised records in over 4,000 data breaches.
Using its own in-house technology, ImmuniWeb discovered over 21 million credentials belonging to Fortune 500 companies, 16 million of them dating from the last 12 months. The most common sources of the breached data were third parties (websites and other resources unrelated to the organizations themselves), followed by trusted third parties: partners, suppliers and vendors to Fortune 500 companies.
Despite years of news about data breaches and education campaigns about the need for strong passwords, the report found that basic, guessable passwords such as "12345678", "abc123" and even "password" still remain widely used. Of the full 21 million records analyzed, the report found only 4.9 million unique passwords.
“This is an interesting glimpse into the inner-workings of underground criminal hacking markets,” Craig Young, computer security researcher for security firm Tripwire Inc.’s vulnerability and exposure research team told SiliconANGLE. “It illustrates just how easy it can be for an adversary to obtain a foothold into a target organization.”
“Some criminal hackers are very good at spear-phishing or breaching random websites, but may have little ability to directly monetize the information,” Young explained. “Others may specialize in escalating access within an organization but have little capability in the way of initially obtaining access. Underground markets typically hosted on TOR allow these threat actors to collaborate with relative anonymity.”
Jarrod Overson, director of engineering at cybersecurity company Shape Security Inc., noted that “credential stuffing is one of the most common types of attacks due to how cheap it is to perform and how successful it is.”
“Successful credential stuffing attacks provide criminals with accounts they can then use to defraud individuals and companies,” Overson said. “Attackers monetize everything from store credit, to loyalty points, to prescription drug refills.”
“Users can protect themselves by never reusing passwords and turning on two-factor authentication whenever possible,” Overson added. “Password managers like 1Password can help users manage hundreds of unique passwords across devices easily.”
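Credential stuffing replays leaked username/password pairs against a login endpoint, so its footprint in authentication logs differs from a classic brute-force attack: one source tries many different accounts, usually once or twice each, with a high failure rate. The following script is an added example, not code from ImmuniWeb, Shape Security or this article; it scores each source IP on those traits over constructed sample log lines, and the log format, the thresholds and the IP addresses are all assumptions chosen for illustration.

```python
"""Flag credential-stuffing patterns in authentication logs (added example)."""
from collections import defaultdict
import re

# Constructed sample log lines for the example; not taken from any real system.
# 203.0.113.7  -> stuffing: 8 distinct accounts, 7 failures, 1 success
# 192.0.2.5    -> brute force: one account hammered 6 times
# 198.51.100.9 -> ordinary user who mistyped once
SAMPLE_LOG = """\
2019-11-20T10:00:01Z ip=203.0.113.7 user=alice result=FAIL
2019-11-20T10:00:02Z ip=203.0.113.7 user=bob result=FAIL
2019-11-20T10:00:03Z ip=203.0.113.7 user=carol result=FAIL
2019-11-20T10:00:04Z ip=203.0.113.7 user=dave result=FAIL
2019-11-20T10:00:05Z ip=203.0.113.7 user=erin result=FAIL
2019-11-20T10:00:06Z ip=203.0.113.7 user=frank result=OK
2019-11-20T10:00:07Z ip=203.0.113.7 user=grace result=FAIL
2019-11-20T10:00:08Z ip=203.0.113.7 user=heidi result=FAIL
2019-11-20T10:01:00Z ip=192.0.2.5 user=carol result=FAIL
2019-11-20T10:01:01Z ip=192.0.2.5 user=carol result=FAIL
2019-11-20T10:01:02Z ip=192.0.2.5 user=carol result=FAIL
2019-11-20T10:01:03Z ip=192.0.2.5 user=carol result=FAIL
2019-11-20T10:01:04Z ip=192.0.2.5 user=carol result=FAIL
2019-11-20T10:01:05Z ip=192.0.2.5 user=carol result=FAIL
2019-11-20T10:02:00Z ip=198.51.100.9 user=alice result=FAIL
2019-11-20T10:02:05Z ip=198.51.100.9 user=alice result=OK
"""

# Hypothetical log layout: "... ip=<addr> user=<name> result=OK|FAIL"
LINE_RE = re.compile(r"ip=(?P<ip>\S+) user=(?P<user>\S+) result=(?P<result>OK|FAIL)")


def parse_log(text):
    """Return a list of (ip, user, result) tuples, skipping unparseable lines."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.search(line)
        if m:
            events.append((m.group("ip"), m.group("user"), m.group("result")))
    return events


def score_sources(events, min_attempts=5, min_distinct_ratio=0.8, min_fail_rate=0.7):
    """Flag source IPs whose login pattern looks like credential stuffing.

    A source is flagged when it has made at least `min_attempts` logins, most of
    them against *different* accounts (distinct_users / attempts >= min_distinct_ratio),
    and most of them failed (fails / attempts >= min_fail_rate). Repeated failures
    against a single account are left to a separate brute-force rule on purpose.
    Thresholds are illustrative, not tuned values.
    """
    per_ip = defaultdict(lambda: {"attempts": 0, "fails": 0, "users": set(), "ok": []})
    for ip, user, result in events:
        s = per_ip[ip]
        s["attempts"] += 1
        s["users"].add(user)
        if result == "FAIL":
            s["fails"] += 1
        else:
            s["ok"].append(user)  # accounts the source actually got into

    findings = {}
    for ip, s in per_ip.items():
        if s["attempts"] < min_attempts:
            continue  # too little data; an ordinary user mistyping a password
        distinct_ratio = len(s["users"]) / s["attempts"]
        fail_rate = s["fails"] / s["attempts"]
        if distinct_ratio >= min_distinct_ratio and fail_rate >= min_fail_rate:
            findings[ip] = {
                "attempts": s["attempts"],
                "distinct_users": len(s["users"]),
                "fail_rate": fail_rate,
                # Successful logins from a flagged source are the accounts to
                # reset and investigate, since a reused password worked there.
                "successful_accounts": sorted(s["ok"]),
            }
    return findings


if __name__ == "__main__":
    for ip, info in score_sources(parse_log(SAMPLE_LOG)).items():
        print(ip, info)
```

Run on the sample, the script flags only 203.0.113.7 and reports "frank" as the account whose reused password succeeded; the brute-force source 192.0.2.5 is deliberately not flagged by this rule because every attempt targeted the same account, and the ordinary user at 198.51.100.9 never reaches the attempt threshold. In production the same per-source aggregation would run over a sliding time window and be paired with the mitigations quoted above: unique passwords, two-factor authentication, and a denylist of known-breached passwords at registration time.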