
Corporate Darknet Exposure on the Rise Due to Malware

2023 Fortune 1000 and FTSE 100

Our Annual Identity Exposure Report is the gift that keeps on giving – not only are we able to analyze trends from the data we recaptured last year, but we’re also able to dig into the exposure of employees at the world’s most sophisticated and largest enterprises (Fortune 1000 and London’s FTSE 100). Our analysis puts into perspective how criminal underground trends impact organizations and how individuals’ cyber habits contribute to identity exposure.

While some things change, others stay the same. One thing that’s changing is that criminal tactics are shifting toward credentials and other authentication data siphoned from malware-infected devices rather than relying only on combolists and breach databases. On the other hand, one thing that has stayed the same is that users’ cyber habits are still questionable, with employee password hygiene remaining subpar.

This year’s reports cover it all, including which industries have the most malware-infected employees and consumers, the worst offenders of password reuse, the sectors with the most exposed PII, and a crowd favorite that results in groans instead of applause: the most popular passwords of Fortune 1000 and FTSE 100 employees. 

Below are some of the highlights from our key findings.

Malware infections create significant exposure on both sides of the pond

It’s well known that login credentials and personally identifiable information (PII) are abundant on the darknet. But contrary to popular belief, that information doesn’t always come from massive data breaches and large-scale cyberattacks.

Devices infected by information-stealing malware – known as infostealers – are just as likely to be the culprit. For example, across our entire database, SpyCloud researchers recovered 721.5 million exposed credentials from the criminal underground last year, and 48.5% (349.6 million) of those came from botnet logs.

When a device is infected, the infostealer collects logs (also known as botnet logs) that contain important data such as credentials, PII, device fingerprints, and browser session cookies. With this fresh and highly accurate data, the malicious actors’ success rate of infiltrating an organization or committing fraud and other cybercrimes increases exponentially. And we learned that both Fortune 1000 and FTSE 100 enterprises are equally exposed due to malware infections: 

We found a total of 30.92 million infected employees and consumers in our data sets tied to Fortune 1000 companies and 675,327 to FTSE 100 and subsidiaries.

Of the 725.63 million Fortune 1000 breach assets (individual pieces of data) we recovered, 56.6% came from botnets (410.52 million). Likewise, of the 52.25 million FTSE 100 breach assets, 58.6% are from botnets (30.64 million).

Digging down into PII data, we found a similar pattern: 53.96% of Fortune 1000 and 56% of FTSE 100 PII assets are from botnets.

This data indicates that enterprises can have high-severity exposure that puts them at extreme risk of account takeover, fraud, and other crimes. And this risk will only grow, considering the rising popularity of infostealers and the explosion of marketplaces that sell botnet logs. These markets are especially popular with initial access brokers (IABs), a specialized group catering to ransomware operators, who use malware-exfiltrated data to sell ransomware groups access to organizations’ networks and systems.

Making matters worse, even a single infected device can expose hundreds of credential pairs, since each employee uses dozens of work applications – cloud email and office applications, enterprise SSO, cloud hosting environments, customer relationship management (CRM) platforms, payroll apps, video conference platforms, and much more.

This year, our report includes a new data set: we were able to identify exposed credentials from these types of applications associated with Fortune 1000 and FTSE domains. We recaptured a total of 223,098 credential sets for these applications collected by criminals from Fortune 1000 enterprises and 28,549 credential sets from FTSE 100 and subsidiaries, which respectively allow access to 56,006 and 7,502 cloud-based applications. IT typically doesn’t have control of these third-party applications, which means the lack of monitoring creates blind spots while giving bad actors another entry point into the enterprises.

Cloning employees’ digital identities is easy with stolen session cookies

Malware-exfiltrated data gives cybercriminals a big head start against organizations, but stolen session cookies make their job far too easy, because these cookies or tokens serve as proof that a user has already authenticated to a website. Once exposed, they often allow cybercriminals to sidestep multi-factor authentication entirely. With these tokens in hand, they can impersonate an employee without any friction and hijack a session – taking over accounts, escalating privileges inside the network, stealing data, launching attacks including ransomware, and more. And since session cookies all but guarantee success, cybercriminals don’t need much other data to compromise an organization.

We recaptured a total of 1.87 billion cookies from Fortune 1000 enterprises and 55.41 million cookies for FTSE 100 companies and their subsidiaries. Although the sector categories are different between Fortune 1000 and FTSE 100, two of the sectors they have in common are in the top five on each list in the category of most malware-siphoned cookies: retail (second highest among Fortune 1000 with just shy of 200 million cookies and fourth highest among FTSE with 1.79 million) and media (second highest among FTSE 100 with 5.7 million cookies and fourth highest among Fortune 1000 with 53.23 million).

Common password habits cross the geographical and cultural divide

Despite the physical distance and their cultural differences, employees on both sides of the pond share the same bad password habits. Every year, we see rampant password reuse among Fortune 1000 and FTSE 100 employees, and this year was no different. We found a 62% password reuse rate among Fortune 1000 employees (a 2-point decrease from the previous year) and a 65% rate among FTSE 100 and subsidiary employees (a 1-point increase). This finding tells us that employee awareness and education efforts are not working across the board – and old habits die hard.

Another bad habit that is not going away is the use of “password” and “123456” as a password – they are the first and second most commonly used among Fortune 1000 employees and the second and third most common among their FTSE 100 counterparts.

Our final thoughts on corporate darknet exposure

Our fourth annual reports illustrate that identity exposure continues to grow and is made much worse by the newly prevailing tactic of using malware to exfiltrate users’ data and infiltrate organizations’ networks, systems and accounts – no matter the industry. This trend underscores the importance of post-infection remediation, a framework of additional steps enterprises can add to their incident response to reduce the risk from exposed employee and third-party identities. It goes beyond just wiping the device: the stolen passwords must be reset and the stolen sessions invalidated on the server side, or the exposure outlives the malware.
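As an added illustration that is not code from the report or from SpyCloud’s tooling, the Python sketch below turns one constructed infostealer log record into the post-infection remediation steps described above: password resets per application, server-side session revocations for every stolen cookie, and a list of third-party applications outside IT’s inventory. All field names, hostnames and the inventory set are assumptions made for the example.

```python
from urllib.parse import urlparse

# Constructed infostealer (botnet) log for one infected device. The field
# names are assumptions made for this example; real log formats vary.
INFECTED_RECORD = {
    "host": "LAPTOP-EXAMPLE",
    "infected_at": "2023-02-14T09:30:00Z",
    "credentials": [
        {"url": "https://sso.example.com/login", "user": "jdoe@example.com"},
        {"url": "https://mail.example.com/", "user": "jdoe@example.com"},
        {"url": "https://crm.saas-vendor.example/auth", "user": "jdoe@example.com"},
    ],
    "cookies": [
        {"domain": "sso.example.com", "name": "session_id"},
        {"domain": "crm.saas-vendor.example", "name": "sid"},
    ],
}

# Applications IT manages (assumed). Anything else is an unmonitored blind spot.
IT_INVENTORY = {"sso.example.com", "mail.example.com"}


def remediation_plan(record, inventory):
    """Derive post-infection actions from one botnet log record.

    Reimaging the device removes the malware but does not change a stolen
    password or invalidate a session the server still honours, so every
    credential pair needs a reset and every cookie a server-side revocation.
    """
    resets = {}      # host -> set of usernames whose password must be reset
    revokes = set()  # (domain, cookie name) pairs to invalidate server-side
    unmanaged = set()
    for cred in record["credentials"]:
        host = urlparse(cred["url"]).hostname
        resets.setdefault(host, set()).add(cred["user"])
        if host not in inventory:
            unmanaged.add(host)
    for cookie in record["cookies"]:
        revokes.add((cookie["domain"], cookie["name"]))
        if cookie["domain"] not in inventory:
            unmanaged.add(cookie["domain"])
    return {
        "password_resets": resets,
        "session_revocations": sorted(revokes),
        "unmanaged_apps": sorted(unmanaged),  # need the vendor, not IT tooling
    }


if __name__ == "__main__":
    for key, value in remediation_plan(INFECTED_RECORD, IT_INVENTORY).items():
        print(key, value)
```

Apps in `unmanaged_apps` cannot be reset or revoked with internal tooling, which is the blind spot the third-party application findings describe.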

By taking proactive steps to negate the threat of malware infections, security teams can get ahead of the bad actors – and use the same information that cybercriminals have about the organization to turn the tide.

Now that we covered the highlights, dig into the full reports for more insights, stats, and action plans to help your enterprise level the playing field against cybercriminals.