Stephanie Hurd

By: Stephanie Hurd on October 6th, 2019

Print/Save as PDF

Are Your Business Network Credentials for Sale on the Dark Web?

Cybersecurity | Threat Prevention

You use password-protected applications for everything from banking and financial management to planning vacations and socializing. In the workplace, sign-in credentials connect you and your employees to business applications and online services like payroll processing, appointment scheduling, invoicing, and every other confidential function of your business.

You’re told to keep professional and personal credentials separate but changing passwords regularly is hard enough without keeping track of multiple passwords in play at any given time.

Criminals bank on you using the same credentials across multiple platforms when they purchase user credentials on the dark web. They purchase stolen credentials for platforms like Amazon, eBay, Walmart, AppleID, and others for about $10-$15 per credential, hoping at least some of those user IDs and passwords are shared across more valuable platforms like banking or finance institutions.

Better yet, they might use those stolen credentials to sign in to your work email account. They’ll monitor your communication for weeks, sometimes months, learning patterns and nuances necessary to craft a perfectly disguised phishing email to do one of the following:

  • Collect credentials from other unsuspecting users who think they’re sharing information with a trusted source (that’s you).
  • Transfer money into a fraudulent account.
  • Launch a ransomware attack on you or a contact’s business.

How Do Cybercriminals Steal Credentials?

There were many prominent data breaches last year ranging from Facebook to Orbitz. Typically, hackers sit on stolen information for a bit before placing the data for sale on the dark web. This lets you get comfortable and decreases the likelihood of you diligently changing credentials with every breach.

MyFitnessPal was breached in March of 2018, but it took about a year for stolen credentials to start appearing for sale on the dark web

The reality is, digital credentials are among the most valuable assets found on the dark web, and nearly half of all consumers are impacted. According to CA Technologies 2018 Digital Trust Study, 48%  of all consumers currently use or have used the services of organizations involved in a publicly disclosed data breach.Consumers Impacted by Data Breaches Infographic

What is the Dark Web?

The dark web is a part of the internet not available to traditional web browsers and search engines. While there are legitimate purposes to the dark web, it is estimated that over 50% of all sites on the dark web are used for criminal activities, including the disclosure and sale of business credentials. Companies are often unaware that their users’ credentials may be for sale on the dark web until it’s too late.

Steps to Protect Your Credentials from Cybercriminals

Requiring employees to change passwords regularly and implementing password complexity requirements are the first steps to protecting your business network from cybercriminals using stolen credentials.

Next, activating additional sign-in security features like two-factor authentication (2FA) helps protect your company in the event an unauthorized third party gains access to active sign-in credentials.

Finally, knowledge and user education are a key part of the best defense against cybercriminals.

Its likely users will find constant password changes and 2FA annoying but educating them on the consequences of not taking those actions seriously helps motivate them to take more personal responsibility for the security of their credentials.

Additionally, there are services available that scan the dark web for everything from an individual user’s information to any credentials associated with your company’s email domain. These reports help alert you to the information currently available for sale on the dark web. This information allows you to notify individual users who need to change passwords that have been breached as well as educate users on how to better protect themselves from similar breaches in the future.

cybersecurity services