What’s the fastest way for a cybercriminal to get into a company’s environment and cause chaos? If you answered “a stolen legitimate password”, you’re right. Cybercriminals love nothing more than getting their hands on an employee password that lets them slip into systems undetected to steal data, deploy ransomware or work other mischiefs – especially a privileged administrator or executive password. Unfortunately for businesses, bad actors can often accomplish their goal without phishing. It’s become easier than ever for them to make that dream a reality thanks to the boatload of password data that has traveled to the dark web. But there are a few things every organization can do to keep their company passwords safely in-house instead of on the dark web.
Dark Web Data is the Reason That It Is Always Password Season
The dark web has always been a clearinghouse for passwords. As the years have gone by, more and more stolen records, passwords, financial information and other data has made its way to the dark web through myriad data breaches. It’s a vicious cycle. Every new breach brings a fresh influx of data into the pool, and every influx of data can spawn a new breach. This pattern will keep on repeating, making the danger of credential compromise bigger every year. Credentials were the top type of information stolen in data breaches worldwide in 2020, and cybercriminals were quick to capitalize on their successes. An estimated 20 billion fresh passwords made their way to the dark web last year.
This year’s giant influx of fresh passwords from events like the RockYou 2021 leak just keeps priming the pump for new cybercrimes, especially password-fueled schemes like credential stuffing, the gateway to all sorts of bad outcomes like ransomware, and business email compromise, the most expensive cybercrime of 2020. Earlier this summer, the personally identifying data and user records data of 700M LinkedIn users appeared on a popular dark web forum – more than 92% of LinkedIn’s estimated total of 756M users. That created an enormous splash that will ultimately ripple out into a whole new world of opportunity for cybercrime.
Big companies aren’t doing any better. In a 2021 study, researchers found the passwords for 25.9 million Fortune 1000 business accounts floating around on the dark web. If cybercriminals felt like they really needed a privileged password to get the job done, that wasn’t a problem either. Credentials for 133,927 C-level Fortune 1000 executives were also accessible to bad actors on the dark web. Altogether, researchers determined that over 281 million records of personally identifiable information (PII) for employees of Fortune 1000 companies were readily available in dark web markets and dumps, making it easy for bad actors to find and use in hacking and fraud operations.
Reuse and Recycling is Killing Companies
Far and away, password reuse and recycling is the biggest obstacle that companies face when trying to build a strong cybersecurity culture and keep their data safe. An estimated 60% of passwords that appeared in more than one breach in 2020 were recycled or reused, a factor that every company should keep in mind when creating and setting password security policies. Employees aren’t making the mistake of reusing passwords from ignorance either. Over 90% of participants in a password habits survey understood the risk of password reuse but that didn’t stop them because 59% admitted to doing it anyway that disconnect is a huge problem for businesses everywhere.
Bad Password Hygiene is Putting Your Data in Danger
- More than 60% of employees use the same password across multiple work and home applications.
- 82% of workers admitted sometimes reusing the same passwords and credentials
- 44 million Microsoft users admitted in a survey that they often use the same password on more than one account
- 43% of Microsoft’s survey respondents have shared their work password with someone in their home for another use
- About 20% of employees have reused their work password for online shopping, social media or streaming accounts
That sloppy password handling is directly responsible for data breaches. In fact, over 30% of the respondents in Microsoft’s survey admitted that their organization has experienced a cybersecurity incident as a result of compromised user credentials that had been shared with people outside their companies. That danger has grown. People worldwide created an average of 15 new online accounts per person during the main thrust of the pandemic. That’s a lot of new passwords to create and remember. It also means that many more passwords were recycled or reused in 2020 than in past years making password exposure through cybercrime a strong possibility.
What Do Passwords Go for on the Dark Web Anyway?
It depends on the password, but stolen credentials can sell for a pretty penny. For a legitimate stolen corporate network credential, you’re looking at around over $3,000. But that is far from the top price a really useful password can fetch in the booming dark web data markets. Among the most valuable leaked credentials are those magic keys that unlock privileged access to corporate networks. Those types of credentials can go for as much as $120,000. That’s a price some cybercrime gangs will gladly pay to enable them to launch ransomware attacks that can fetch them millions in ransom money.
What You Can Do About It
Protecting business credentials from exposure on the dark web is an important part of creating a sturdy defense for any business. Encouraging safe password generation and handling policies helps build a strong cybersecurity culture that keeps information security risks at the top of everyone’s mind, encouraging them to practice good password habits.
- Enable multifactor authentication
- Never allow an employee to reuse or iterate a password
- Configure software to make password reuse impossible
- Require regular password changes
- Make it standard to create a unique password for every account
- Do not allow passwords to be written down or stored in text files
- Use a password manager and make it available for employees
These may seem like common sense procedures for people who regularly handle information security but making sure that everyone knows that the company takes password reuse and handling seriously gives employees a sense of how seriously they need to take it too. Do a little social engineering of your own to make sure that everyone feels like they are part of the security team.
Implement Solutions That Really Fix the Problem
Optistar Technology Consultants offers businesses cybersecurity solutions that can be used to protect passwords as well as data to keep it out of the hands of cybercriminals.
Security Awareness Training – Security awareness training is good for more than just phishing. Employees can also be trained on cybersecurity topics like compliance, password handling, ransomware and a host of other information security risks.
Dark Web Monitoring – Optistar’s Dark Web Monitoring keeps watch in every nook and cranny of the dark web to sniff out any company passwords that may appear in dark web data markets or dumps. Gain powerful protection from the hazards of dark web credential exposure with 24/7/365 human and machine-powered monitoring of business credentials, including domains, IP addresses and email addresses. Read more here.
At Optistar, we offer a full suite of industry-leading Cyber Defense solutions to keep you and your company safe and operating with a peace of mind most professional services firms do not have.
Be sure to visit our recently published blog articles for more cybersecurity and technology tips!