Corporate credentials for sale in the dark web

Shimrit Tzur-David | March 3, 2021

Corporate credentials for sale in the dark web: how to protect your users and data

Passwords of corporate employees are valuable. However, despite organizations’ best efforts to protect their systems, user credentials keep ending up on the Dark Web forums for sale. Credentials are targeted in a wide range of attacks, from simple phishing to complicated brute-force attacks.

Every year brings many new cybersecurity technologies from many vendors, but even with an abundance of innovation, breaches keep hurting organizations across all industries and verticals.

You would think that cybersecurity companies would be somewhat immune to these problems, given their resources and knowledge. However, according to ImmuniWeb research, a staggering 97% of cybersecurity companies have data leaks and other security incidents exposed on the Dark Web.

Moreover, the research revealed that 29% of stolen passwords are weak, with less than eight characters or without uppercase letters, numbers, or other special characters. Employees from 162 companies (around 40%) reuse identical passwords on different breached accounts. And we are talking about cybersecurity industry employees – so awareness is not the issue here.

So when the cybersecurity companies who should be well prepared to protect their employee data fail to do so, maybe the problem is not the lack of protections around the passwords but the passwords themselves. The time has come to question the whole idea of passwords as a suitable authentication method.

High severity account takeover exposures are on the rise
The use of stolen credentials is the number one hacking tactic in recent years due to its relative ease and effectiveness. According to LastPass, 91 percent of people know password reuse is insecure, yet 75 percent do it anyway. It looks like the whole idea of a password is broken, as demonstrated by the unprecedented growth of credential-based attacks.

According to Arctic Wolf, Since March 2020, the number of high-severity account takeover exposures where corporate credentials with plaintext passwords were exposed, has increased by 429 percent.

No industry is immune. In the wake of the COVID-19 health crisis, the education industry has been one of the prime targets, reporting three times more ATO incidents than the legal, healthcare, financial services, banking, and manufacturing industries combined.

What can you do to protect your organization?

Here is the catch-22 of password-based authentication: password and credential reuse is pervasive across multiple sites beyond your control, a third-party breach could leave your organization exposed.

It is not much you can do to prevent that, but some strategies can at least minimize your exposure:

  • Acquire visibility into dark web credential leaks. Brute-force and credential stuffing attacks are often executed through botnets using credentials bought and sold on the dark web. By knowing when your organization credentials have been offered for sale, you can take action to protect your assets.
  • Leverage password managers. Reduce your users’ cognitive load by enabling password management software to auto-generate and securely store strong passwords. However, the master password for a password manager is still an Achilles heel of this strategy.
  • Leverage multi-factor authentication. MFA provides additional authentication and the user’s credentials, making credential stuffing and brute-force attacks more difficult. However, there are still multiple ways to bypass MFA protections.
  • Disable/delete expired user accounts. Set IT policies that delete, disable, or expire user credentials according to pre-set rules and procedures.
  • Training and awareness. Set up regular training and awareness programs to educate users on proper password hygiene. Unfortunately, this advice will fall on deaf ears, as 75% of people would still reuse their password despite knowing not to do so.

The prevalence of credential leaks highlights the impossible task organization defenders are facing. Password reuse on third-party sites beyond the borders of the organization’s perimeter – especially those sites that serve specific industry verticals – is the main culprit behind most breaches. And apart from asking employees nicely not to do that – there is nothing a defender can do.

So awareness is not the issue. The real issue is the over-reliance on passwords for user authentication in the first place.

We can’t simply wish this problem away. According to LastPass, an average employee keeps track of 191 passwords. We have to face the music and realize that we cannot change human behavior. And humans will always opt for the path of less resistance – you cannot expect your users to come up with 191 unique login/password combinations that are at the same time complex enough to pass the requirements. But that is exactly what we are asking them to do.

We can’t expect employees overwhelmed with passwords to keep good password hygiene. It is simply humanly impossible at this point.

Addressing the root cause: the password

There’s one way to fully eliminate the vast majority of data breaches, ransomware attacks, and other devastating cyber incidents, and that is to stop depending on passwords. Secrets memorized by humans will always leave a huge crack for attackers, so why not eliminate this blind spot?

Authentication based on something the user knows (such as a password, passphrase, or PIN code) is easy to steal, share or reuse. Moreover, it requires constant management and handling by both users and IT managers.

Passwordless authentication verifies users’ identities without relying on memorized secrets. Instead of passwords, identity can be verified based on:

  • A “possession factor,” which is an object that uniquely identifies the user, such as a one-time password generator, a registered mobile device, or a hardware token
  • An “inherent factor” like a person’s biometric signature such as a fingerprint, face ID, or retina scan

Passwordless MFA is inherently more secure, offers a better user experience, lowers the TCO and IT overhead, and offers complete visibility into the identity and access management by eliminating the possibility of credential reuse, sharing, or exposure.
Learn how you can start your passwordless transition today.