Please fill in the form below to subscribe to our blog

Massive Dark Web Dump Exposes Thousands of Passwords

April 30, 2020
a black laptop screen with a yellow skull and crossbones and the words dark web

Dark Web Data Dumps Create Huge Risk for Every Business

Business cybersecurity is always a rollercoaster ride, but the last two years have been especially loaded with twists and turns. Every organization is still working to overcome challenges brought on by the global pandemic, but treats are waiting around every corner forcing companies to play catch up while they bat back threats like ransomware, phishing and business email compromise. But a larger problem is dominating the board right now, and every business needs to be on top of it – a historic rise in data breaches has led to a historic rise in exposed credentials on the dark web.

Learn how to defeat terrifying cybersecurity monsters to keep systems & data safe in a dark world! READ IT IF YOU DARE!>>

Big Agencies Have Big Password Problems

Dark Web markets were abuzz in early 2020 from a large dump of nearly 25,000 email addresses and passwords from major sources, and potentially much more compromising information that could inflict serious damage. The credentials are reputed to be from public-health-focused organizations including the World Health Organization, The Gates Foundation, the US National Institutes of Health, and similar agencies. Even though these credentials weren’t new, they were still a problem. Cybercriminals could leverage that information to improve the accuracy of future attacks. WHO announced that cyberattacks against it have increased fivefold at the onset of the COVID-19 pandemic. Many of those attacks were by bad actors looking to steal information about COVID-19 research and vaccine development to sell or trade for profit to corporate or intelligence community buyers

Even though password security is a well-known risk, many agencies have failed to take it seriously, continuing to use outdated tools and sloppy handling habits – an expert found that 48 passwords from the WHO dump were “password”! Reusing and recycling passwords is also a fast road to ruin. Huge lists of passwords stolen in previous cyberattacks around the world are available on the dark web for cybercriminals to use in attacks. An estimated 60% of passwords that appeared in one or more breaches in 2020 were recycled or reused. Businesses are in even greater danger if an employee reuses a password at work that they’ve used at home. At least 60% of people reuse their favorite passwords across multiple sites regularly, driving up the chance that it’s already compromised. 

Our partners typically realize ROI in 30 days or less. See why nearly 4,000 MSPs in 30 countries choose to grow with ID AGENT solutions and support. BECOME A PARTNER>>

Giant Password Leaks Flood Business with Risk

The giant influxes of fresh passwords from events like the RockYou 2021 leak just keep priming the pump for new cybercrimes, especially password-fueled schemes like credential stuffing, the gateway to all sorts of bad outcomes like ransomware, and business email compromise. The RockYou2021 password leak was a wide-ranging collection, comprised of both new, previously unavailable passwords and passwords that may have appeared on the dark web as the spoils of past breaches. It also boasted a large variety of passwords from myriad sources that range from 6 to 20 characters with non-ASCII characters and white spaces removed. The RockYou2021 password leak is comparable in scale to the famed “Compilation of Many Breaches,” or COMB, a 3.2 billion collection of email-and-password pairs that hit the dark web earlier in 2021. A portion of the passwords in the RockYou2021 dump was also included in the COMB dump, data that was collected by cybercriminals in previous breaches at well-known companies like LinkedIn and Netflix 

In July 2021, the personally identifying data and user records data of 700M LinkedIn users appeared on a popular dark web forum – more than 92% of LinkedIn’s estimated total of 756M users. That created an enormous splash that will ultimately ripple out into a whole new world of opportunity for cybercrime. This wasn’t just a quick scoop up of average, basic user data. This treasure trove for cybercriminals contained a plethora of sensitive and personally identifiable information that can be used to facilitate all manner of cybercrime from spear phishing to business email compromise scams or identity theft. It’s a danger to both workers and businesses. Experts have warned LinkedIn users that extensive personally-identifying information (PII) may have been exposed in this incident.  

The Guide to Reducing Insider Risk can help IT pros stop security incidents before they start! GET IT>>

Everyone Made New Passwords in 2020

In a new global study conducted by Morning Consult for IBM, the technology vendor examined the impact of the pandemic on consumer security behaviors. As everyone signed up for account after account, people just got tired of trying to think up new passwords. People worldwide created an average of 15 new online accounts per person during the main thrust of the pandemic. That’s a lot of new passwords to create and remember. It also means that many more passwords were recycled or reused in 2020 than in past years making password exposure through cybercrime a strong possibility. As people created all of those new accounts, coming up with a new, strong password usually wasn’t a priority – 82% of those surveyed admitted that they had regularly reused the same passwords and credentials. 

That’s a problem for every business. Rampant password reuse and recycling is a bane for IT teams because it creates risk unnecessarily and they’ve already got more than enough to worry about. More than 80% of damaging incidents are caused by password disasters. A huge part of keeping your important business information and sensitive files safe is making good, strong passwords and reinforcing them with powerful security tools to protect them from hackers. Unfortunately, 42% of respondents in a cybercrime survey said that their organization had been compromised because of a bad, stolen, reused or cracked password in 2020, making stamping out reuse and recycling a major priority for everyone.

Is someone’s behavior suspicious? Learn to spot trouble fast with 5 Red Flags That Point to a Malicious Insider at Work.  DOWNLOAD IT>>

Password Dumps and User Graveyards Are Trouble Spots

Password dumps are extremely dangerous for every business. In the 2021 Data Breach Investigations Report, Verizon researchers noted that approximately 60% of data breaches involve improper use of credentials. Obtaining passwords, whether it’s from phishing or a dark web password dump, gives cybercriminals an express route to the heart of businesses. Just one privileged password can not only give bad actors access to their victim’s systems and data, but also to easy routes that allow them to prey on their victim’s clients and associates.  

Users love to recycle and reuse passwords to make it easier on themselves to remember their logins, exposing businesses to credential compromise risk. In a 2021 survey, 82% of workers admitted sometimes reusing the same passwords and credentials as they’d used in old accounts. Part of that impetus is that everyone has too many passwords to keep track of these days, and we’ve all got password-protected accounts that we haven’t used in years. Forbes magazine reports that 70% of consumers say that they have over 10 password-protected online accounts, and 30% say that they have “too many to count”.   

But the kicker is they’re not just recycling old corporate passwords. They’re also reusing old passwords from games, shopping, social media and other online accounts at home and at work frequently, and that’s even more dangerous. About three-quarters of employees reuse work passwords for their personal accounts. With over 2 billion new credentials added to the dark web in 2020, the probability that a password from one of those zombie accounts is going to come back and bite your organization is high.  

The Computer Security To-Do List helps companies build a strong security culture. DOWNLOAD IT NOW>>

ID Agent Can Help with Fast, Affordable Protection Against Credential Compromise

Passly includes an array of identity and access management tools cited by experts as key security moves that add immediate protection against password shenanigans. Your savings and benefits begin immediately with robust functionality. Essentials like multifactor authentication and single sign-on make remote management and access control easy. Automated password resets will make your IT team happy and give them more time.   

Dark Web ID enables you to get a clear picture of your company’s credential compromise threats from dark web sources. Our 24/7/365 always-on monitoring alerts businesses to credentials appearing on the dark web that may have been stolen or phished to mitigate the risk of bad actors using a stolen password to gain access to your systems and data. Automated alerts and reporting means that your team doesn’t need to spend time staring at a dashboard or pulling reports.   

BullPhish ID improves your staff’s security awareness and increases phishing resistance. But they’ll learn about much more than just phishing including compliance, password safety, security hygiene and more, giving every employee a solid grounding in cybersecurity pitfalls and best practices. Choose from our plug-and-play complete training modules and phishing simulations or customize the content to reflect the unique industry risks those employees face daily.   

See them in action in these short demonstration videos:   

The ID Agent digital risk protection platform has the strong solutions that every business needs to protect their systems and data from today’s biggest threats. Contact our solutions experts today to learn how your business can benefit and receive a free, personalized demonstration. 

let us help secure you against passwords reuse with contact information and the ID Agent logo on grey.

Our Partners typically realize ROI in 30 days or less. Contact us today to learn why 3,850 MSPs in 30+ countries choose to Partner with ID Agent!


Check out an on-demand video demo of BullPhish ID or Dark Web ID WATCH NOW>>

See Graphus in action in an on-demand video demo WATCH NOW>>

Book your demo of Dark Web ID, BullPhish ID, RocketCyber or Graphus now!