A tool built by a Swiss cybersecurity company has found millions of leaked and compromised corporate passwords being shared across the dark web.
Roughly 21 million credentials, belonging to people working in Fortune 500 companies, were found online by ImmuniWeb, with both usernames and passwords often stored in plaintext.
The company believes that the passwords were either stored in plaintext from the start, or were subsequently decrypted by hackers.
To add insult to injury, the compromised passwords were, in most cases, the simple, easy-to-crack passwords that everyone keeps warning you about. Instances like “password”, “password1” or “passw0rd” were very common. In fact, of the 21 million passwords, fewer than five million were strong (by “strong”, they mean eight or more characters, numbers and symbols, and a mix of uppercase and lowercase letters).
ImmuniWeb used a new tool called Discovery to collect as many username and password combinations as possible, and then fed that data into its machine-learning system. The system spotted fake and duplicate entries, narrowing the list down to a total of 21 million entries.
Experts are baffled at the laziness of people within Fortune 500 companies who, despite large and well-paid cybersecurity departments, still couldn’t be bothered to create proper passwords.
"These numbers are both frustrating and alarming," commented Ilia Kolochenko, CEO and founder of ImmuniWeb. "Cybercriminals are smart and pragmatic; they focus on the shortest, cheapest and safest way to get your crown jewels. The great wealth of stolen credentials accessible on the Dark Web is a modern-day Klondike for mushrooming threat actors who don't even need to invest in expensive 0day or time-consuming APTs."