A staggering 97 percent of the 1,000 largest companies in the Forbes Global 2000 list are at risk of attacks involving the use of stolen credentials belonging to their employees.
Security vendor Digital Shadows recently analysed stolen credentials dumped online on paste sites, underground forums, and criminal sites from a total of 30,000 disclosed breaches spanning the period between April 2014 and June 2016.
The company cross-checked the stolen credentials against the domains of the 1,000 enterprises and any of their identifiable subsidiaries. In total, Digital Shadows checked 19,362 domains against the stolen credentials and found approximately five million unique email and password combinations from across the 1,000 organizations and their subsidiaries.
The leaked credentials give threat actors a way to target organizations and take over accounts, launch spear-phishing attacks, and to employ credential-stuffing tactics to break into an enterprise network, Digital Shadows said. Other risks involve post-breach extortion attempts and the possibility for threat actors to create botnets with the leaked data.
Companies in the entertainment and technology sectors are far more exposed to credential-based attacks than organizations in almost any other sector. The average number of leaked credentials per company in the entertainment sector was a massive 37,399, while the average for technology companies was 25,806. Healthcare and pharmaceutical companies occupied the number three spot with an average of 3,453 stolen employee email and password combinations available publicly.
Real estate companies, with an average of 395 leaked credentials, fared best among the 12 sectors in the Digital Shadows report.
Digital Shadows found that organisations based in Africa, the US, and United Kingdom are substantially more exposed to leaked credentials than counterparts in, Asia, South America, the Middle East, and to a certain extent, Europe.