What’s the fastest way for a cybercriminal to get into a company’s environment and cause chaos?
If you answered “a stolen legitimate password”, you’re right. Cybercriminals love nothing more than getting their hands on an employee password that lets them slip into systems undetected to steal data, deploy ransomware or work other mischiefs – especially a privileged administrator or executive password.
Unfortunately for businesses, bad actors can often accomplish their goal without phishing. It’s become easier than ever for them to make that dream a reality thanks to the boatload of password data that has travelled to the dark web. But there are a few things every organisation can do to keep their company passwords safely in-house instead of on the dark web.
The cold, hard facts that tell the tale of exactly how much danger your business is in.
Dark Web Data is the Reason That It’s Always Password Season
The dark web has always been a clearinghouse for passwords. As the years have gone by, more and more stolen records, passwords, financial information and other data has made its way to the dark web through myriad data breaches. It’s a vicious cycle. Every new breach brings a fresh influx of data into the pool, and every influx of data can spawn a new breach. This pattern will keep on repeating, making the danger of credential compromise bigger every year. Credentials were the top type of information stolen in data breaches worldwide in 2020, and cybercriminals were quick to capitalize on their successes. An estimated 20 billion fresh passwords made their way to the dark web last year.
This year’s giant influx of fresh passwords from events like the RockYou 2021 leak just keeps priming the pump for new cybercrimes, especially password-fuelled schemes like credential stuffing, the gateway to all sorts of bad outcomes like ransomware, and business email compromise (which was the most expensive cybercrime of 2020). Earlier this summer, the personally identifying data and user records data of 700M LinkedIn users appeared on a popular dark web forum – more than 92% of LinkedIn’s estimated total of 756M users. That created an enormous splash that will ultimately ripple out into a whole new world of opportunity for cybercrime.
Big companies aren’t doing any better either. In a 2021 study, researchers found the passwords for 25.9 million Fortune 1000 business accounts floating around on the dark web. If cybercriminals felt like they really needed a privileged password to get the job done, that wasn’t a problem either. Credentials for 133,927 C-level Fortune 1000 executives were also accessible to bad actors on the dark web. Altogether, researchers determined that over 281 million records of personally identifiable information (PII) for employees of Fortune 1000 companies were readily available in dark web markets and dumps, making it easy for bad actors to find and use in hacking and fraud operations.
Solve five of the most exhausting remote and hybrid security problems fast with this handy infographic.
Reuse and Recycling is Killing Companies
Far and away, password reuse and recycling is the biggest obstacle that companies face when trying to build a strong cybersecurity culture and keep their data safe. An estimated 60% of passwords that appeared in more than one breach in 2020 were recycled or reused, a factor that every company should keep in mind when creating and setting password security policies. Employees aren’t making the mistake of reusing passwords from ignorance either. Over 90% of participants in a password habits survey understood the risk of password reuse but that didn’t stop them because 59% admitted to doing it anyway that disconnect is a huge problem for businesses everywhere.
Bad Password Hygiene is Putting Your Data in Danger
More than 60% of employees use the same password across multiple work and home applications.
82% of workers admitted sometimes reusing the same passwords and credentials
44 million Microsoft users admitted in a survey that they often use the same password on more than one account
43% of Microsoft’s survey respondents have shared their work password with someone in their home for another use
About 20% of employees have reused their work password for online shopping, social media or streaming accounts
That sloppy password handling is directly responsible for data breaches. In fact, over 30% of the respondents in Microsoft’s survey admitted that their organization has experienced a cybersecurity incident as a result of compromised user credentials that had been shared with people outside their companies. That danger is has grown. People worldwide created an average of 15 new online accounts per person during the main thrust of the pandemic. That’s a lot of new passwords to create and remember. It also means that many more passwords were recycled or reused in 2020 than in past years making password exposure through cybercrime a strong possibility.
What Do Passwords Go for on the Dark Web Anyway?
It depends on the password, but stolen credentials can sell for a pretty penny. For a legitimate stolen corporate network credential, you’re looking at around over $3,000. But that is far from the top price a really useful password can fetch in the booming dark web data markets. Among the most valuable leaked credentials are those magic keys that unlock privileged access to corporate networks. Those types of credentials can go for as much as £100,000. That’s a price some cybercrime gangs will gladly pay to enable them to launch ransomware attacks that can fetch them millions in ransom money.
What You Can Do About It
Protecting business credentials from exposure on the dark web is an important part of creating a sturdy defence for any business. Encouraging safe password generation and handling policies helps build a strong cybersecurity culture that keeps information security risks at the top of everyone’s mind, encouraging them to practice good password habits.
The following tips are useful for you to start protecting your credentials:
Enable multifactor authentication
Never allow an employee to reuse or iterate a password
Configure software to make password reuse impossible
Require regular password changes
Make it standard to create a unique password for every account
Do not allow passwords to be written down or stored in text files
Use a password manager and make it available for employees
These may seem like common sense procedures for people who regularly handle information security but making sure that everyone knows that the company takes password reuse and handling seriously gives employees a sense of how seriously they need to take it too. Do a little social engineering of your own to make sure that everyone feels like they’re part of the security team.
Implement Solutions That Really Fix the Problem
Forint's suite of tools offer companies a full stack of technologies which you can use to keep your passwords safe and away from cybercriminals.
Security awareness training is good for more than just phishing, and BullPhish ID delivers. Choose from hundreds of modules and video lessons in 8 languages. While it’s best known for the way that it enables smooth and effective phishing resistance training, you can also train employees on cybersecurity topics like compliance, password handling, ransomware and a host of other information security risks.
Protect systems and data in days, not weeks with Passly’s speedy installation. Passly seamlessly integrates with over 1,000 common business applications for no-fuss configuration. Get quick and easy access to SSO applications and passwords with the ability to automatically fill in the blanks for web logins. It also comes packed with powerful credential protection tools like secure password vaults for password management, automated password resets and multifactor authentication.
Dark Web ID
Keeps watch in every nook and cranny of the dark web to sniff out any company passwords that may appear in dark web data markets or dumps and immediately alerting you to danger. Gain powerful protection from the hazards of dark web credential exposure with 24/7/365 human and machine-powered monitoring of business and personal credentials, including domains, IP addresses and email addresses that gets to work immediately.
Contact us today to get started. Our solution experts are ready to help you protect company passwords so that they stay inside your office and out of the hands of cybercriminals on the dark web.