Access window with login and password on virtual screen showing password reuse of employee credentials

About 26 Million Fortune 1000 Employee Credentials Available on the Dark Web, Password Reuse Rampant

SpyCloud Breach Exposure Report shows that about 25.9 million Fortune 1000 business accounts and 543 million employee credentials were circulating on the underground hacking forums. Password reuse across personal and professional accounts, weak passwords, and info-stealing bots were blamed for leaking employee login credentials.

SpyCloud leveraged human intelligence (HUMINT) to acquire the stolen credentials immediately the breaches occurred and before the exposed credentials started circulating on the dark web.

Key findings of the 2021 Fortune 1000 Breach Exposure report

The threat intelligence firm discovered 543 million breached assets associated with the Fortune 1000 employees, marking a 29% increase from 2020.

Altogether 25,927,476 were circulating underground according to the report. This was an average of 25,927 exposed passwords per company, marking a 12% increase from 2020.

Credentials of 133,927 C-level Fortune 1000 executives were accessible to various threat actors on the dark web markets.

The telecommunications sector had the highest average number of leaked employee credentials at 552,601 per company.

The media industry had the highest password reuse rates at 85%, followed by household products (82%), hotels, restaurants & leisure (80%), and healthcare (79%). Media professionals also frequently used explicit phrases as passwords.

SpyCloud discovered 28,201 Fortune 1000 employees were likely infected by info-stealing malware. This amounted to an average of 28 infected workers per organization. The technology industry was the hardest hit with almost half (13,897) of the infections.

Over 281 million records of personally identifiable information (PII) allowing threat actors to defeat security measures, take over accounts, commit fraud, and infiltrate corporate networks were accessible to cybercriminals. Telecommunications was the most affected sector.

Password reuse on third-party sites responsible for employee credentials leak

The report found that weak and stolen credentials were a major cause of account takeovers. Meanwhile, more than three-quarters (76.7%) of all Fortune 1000 employees were reusing passwords across personal and professional accounts.

“People don’t seem to realize just how often their credentials end up in criminal hands or how stolen passwords can be used to access other accounts they think are safe,” said Chip Witt, vice president of product management for SpyCloud.

Password reuse not only affected ordinary employees but also business executives who used corporate credentials to register on third-party sites. When criminals breached those sites, they accessed Fortune 1000 employee credentials.

“If those stolen credentials contain a corporate email domain, criminals have an obvious clue that they could provide access to valuable enterprise systems, customer data, and intellectual property.”

Some reused passwords and email combinations obtained by SpyCloud were leaked in several data breaches.

“An analysis of the SpyCloud database found a 60% password reuse rate among email addresses in our database exposed in more than one breach in 2020.”

Fortune 1000 most reused passwords

SpyCloud’s Breach Exposure of the Fortune 1000 report found that the use of weak passwords such as “123456” and “password” was rampant among top Fortune 1000 employees.

The report noted that outdated policies such as 90-day password rotations forced employees to use weak passwords to avoid forgetting.

This practice contributed to password reuse as employees recycled their favorite password across accounts.

People also transformed a base password in a predictable fashion, for example, “password” became “password1” or “passw0rd.”

Some of the most commonly used passwords appeared thousands of times in breached datasets. For example, “123456” appeared 75,287 times, while “password” and “aaron431” showed up 61,762 and 36,775 times, respectively.

Breached assets associated with leaked employee credentials. SpyCloud also analyzed leaked employee credentials related to various breached assets. These assets included personally identifiable information, mobile phones, geolocation information, financials e.g. credit cards, social media accounts, and account information e.g. security questions.

The breached assets could be used to access employee credentials through targeted phishing attacks, receiving two-factor authentication texts, conducting SIM swaps and porting, or resetting account passwords.

To avoid simple and reused passwords, SpyCloud advised the organizations to monitor their employee credentials regularly. Doing so would prevent breaches associated with leaked employee credentials.

Poor password hygiene witnessed among the Fortune 1000 employees originates from human weakness. Sadly, cybercriminals expect this behavior and capitalize on it whenever an opportunity appears.

However, employees could overcome this vulnerability by using password managers to avoid the temptation of recycling weak and memorable passwords across sites.