There is no simpler way to hijack an account than to log in with its legitimate username and password. Threat actors routinely leak users' login credentials on the dark web, where cybercriminals and fraudsters can purchase them to commit further crimes.
According to research released today by Cybercrime Analytics (C2A) provider SpyCloud, 721.5 million exposed credentials were discovered online in 2022. Many of these credentials were harvested by malware from third-party business applications.
To make matters worse, 72% of the users whose credentials were exposed in last year's breaches were still using passwords that had already been compromised.
Passwords: The fastest route to enterprise data
For security leaders, this research highlights that password security, including making sure that employees are not reusing compromised credentials, is essential to mitigating risk to data assets. Failing here leaves the organization significantly exposed to account takeover attempts.
“Cybercriminals can use exposed credentials to gain illegitimate access to enterprise networks under the guise of employee and consumer accounts, opening the door for more cyberattacks such as the distribution of ransomware and malware, additional data theft, and synthetic identity creation,” said Trevor Hilligoss, director of security research at SpyCloud.
“If the credentials were freshly stolen via malware and remain active, they pose a long-term threat to corporations as criminals can use the same credentials to access accounts until the issue is identified and addressed,” Hilligoss said.
With such a high volume of exposed login credentials circulating online, it is important to remind employees to choose strong passwords, to change them periodically and immediately if they believe they have been exposed, and to use a password manager so that the same credential is not reused across multiple online accounts and services. The same logic applies on the organization's side: screening passwords against known-exposed credentials at enrollment and reset catches the reuse that the research shows employees are often unaware of.
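The following is an added example, not code from SpyCloud or from the article, showing how a password-setting flow can screen a candidate password against breach data without sending the password, or even its full hash, to the screening service. It uses the k-anonymity range scheme popularized by Have I Been Pwned's Pwned Passwords API: the client hashes the password with SHA-1, sends only the first five hex characters of the digest, receives every known suffix under that prefix together with an exposure count, and does the final match locally. The breach corpus and the `range_lookup` function here are constructed stand-ins that run offline; in production `range_lookup` would be replaced by an HTTP call to the real range endpoint, and the corpus would be the provider's, not this three-entry list.

```python
import hashlib

# Constructed, offline stand-in for a breach corpus: SHA-1 hashes of a few
# passwords known to be widely reused, keyed to made-up exposure counts.
# Real services index hundreds of millions of entries; this list exists only
# so the example runs without network access.
_CONSTRUCTED_BREACH_CORPUS = {
    hashlib.sha1(pw.encode("utf-8")).hexdigest().upper(): count
    for pw, count in [
        ("password", 3_000_000),
        ("123456", 2_500_000),
        ("Summer2022!", 1_200),
    ]
}


def range_lookup(prefix: str) -> str:
    """Stand-in for a k-anonymity range endpoint.

    Takes the first 5 hex characters of a SHA-1 digest and returns every
    matching 35-character suffix as "SUFFIX:COUNT" lines, the same shape the
    real Pwned Passwords range API uses. The server never sees more than
    20 bits of the hash, so it cannot tell which of the ~2^140 possible
    digests under that prefix the client actually holds.
    """
    if len(prefix) != 5 or any(c not in "0123456789ABCDEF" for c in prefix):
        raise ValueError("prefix must be exactly 5 uppercase hex characters")
    lines = [
        f"{digest[5:]}:{count}"
        for digest, count in _CONSTRUCTED_BREACH_CORPUS.items()
        if digest.startswith(prefix)
    ]
    return "\r\n".join(lines)


def breach_count(password: str, lookup=range_lookup) -> int:
    """Return how many times the password appears in breach data (0 if never).

    Only the 5-character prefix leaves this function; the suffix comparison
    happens locally against the returned candidate list.
    """
    digest = hashlib.sha1(password.encode("utf-8")).hexdigest().upper()
    prefix, suffix = digest[:5], digest[5:]
    for line in lookup(prefix).splitlines():
        if not line:
            continue
        candidate, _, count = line.partition(":")
        if candidate == suffix:
            return int(count)
    return 0


def check_new_password(password: str, lookup=range_lookup) -> tuple:
    """Policy hook for enrollment/reset: reject any password seen in breach data.

    Returns (accepted, reason). Rejecting on any non-zero count is the
    conservative choice; the count is surfaced so a policy could also
    distinguish a one-off leak from a password seen millions of times.
    """
    count = breach_count(password, lookup)
    if count:
        return False, f"rejected: seen {count} times in exposed credential data"
    return True, "accepted"


if __name__ == "__main__":
    for candidate in ["password", "Summer2022!", "correct horse battery staple"]:
        print(candidate, "->", check_new_password(candidate))
```

Note that SHA-1 is used here only because it is the hash the range scheme is indexed on; it is a lookup key against public breach data, not a storage format, and the password itself should still be stored with a purpose-built password hash.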