Please fill in the form below to subscribe to our blog

Are Your Passwords for Sale in Dark Web Markets?

April 30, 2021

Booming Dark Web Markets Are Well Stocked with Passwords for Sale


The perennial problem of password reuse risk is becoming more dangerous and the trail of that increased threat can be traced right back to the dark web. While the world economy may still be experiencing challenges, the dark web economy is running on all cylinders and the data markets are full of eager buyers. About 60% of the data that was already on the dark web at the start of 2020 could harm businesses. Then that generous pool of passwords for sale in dark web markets was augmented by an estimated 22 billion new records that landed in dark web data markets and dumps in 2020. This influx of data gave cybercriminals plenty of new fuel to use in password-based cyberattacks – and they didn’t waste any time making the most of those new resources in 2021. 


Which of your vendors will cause your next cyberattack? Read our new eBook to learn how to spot and stop third party risk. GET THIS BOOK >>


It’s Not Just Employee Passwords for Sale in Dark Web Markets


In a recent survey of Fortune 1000 companies, researchers discovered a hefty chunk of exposed data including passwords for 25.9 million Fortune 1000 business accounts. Taking a deeper look, investigators also found an estimated 543 million employee credentials for Fortune 1000 companies circulating on commonly used underground hacking forums, a 29% increase from 2020. An astonishing 25,927,476 passwords that belong to employees at Fortune 1000 companies were available readily in dark web markets and data dumps. That translates into an estimated 25,927 exposed passwords per company, marking a 12% increase from 2020 and indicating an elevated risk for cyberattacks and hacking for those companies.  

Even more worrisome is that credentials for about 133,927 C-level Fortune 1000 executives were also available in the markets. These accounts are especially prized for their elevated user privileges in company systems as well as their credibility when conducting business email compromise schemes. Unless the affected companies are using secure identity and access management tools, just one privileged password in the hands of cybercriminals can open a business up for a cascade of expensive, damaging security nightmares.  Altogether, researchers estimate that a total of 76% of employees and executives at the world’s largest companies are still reusing passwords across personal and professional accounts.  

Over 281 million records of personally identifiable information (PII) for employees of Fortune 1000 companies were available, making it easy for bad actors to conduct impersonation and fraud operations as well as answer the “secret questions” that are so popular in many applications. Researchers also noted a pattern — a 60% password reuse rate among email addresses in surveyed databases exposed in more than one breach in 2020.  


phishing email imitating famous brands dangers represented by a cartoon hacker in a hoodie at a laptop with an eye mask on done in shades of blue, Batman style.

Is Your Password a Zero or a Hero? Learn the difference and how you can strengthen yours in Build Better Passwords. GET IT>>


Low Standards and Lax Policies Create Danger


No industry is immune to the powerful lure of password recycling and iteration, especially in the era of remote and hybrid work making passwords more insecure than ever. Even though the danger is well-known to IT professionals, about 60% of respondents in a recent IT professional survey indicated their organization had experienced a password recycling/reuse/iteration-related security breach in the past year alone. The telecommunications sector had the highest average number of leaked employee credentials at 552,601 per company. The media industry had the highest password reuse rates at 85%, followed by household products (82%), hotels, restaurants & leisure (80%), and healthcare (79%). Media professionals also frequently used explicit phrases as passwords.

Many companies aren’t even bothering to enforce any standards at all. Researchers also found rampant password iteration like “password” becoming “password1” or “passw0rd.” Commonly used passwords appeared thousands of times in dark web datasets: “123456” appeared 75,287 times, while “password” and “aaron431” showed up 61,762 and 36,775 times, respectively. The use of weak passwords, such as “123456” and “password” was rampant among top Fortune 1000 companies. Media professionals also frequently used explicit phrases as passwords.


Don’t let cybercriminals put the brakes on your client’s race to success. Boost your cyber resilience to keep your engine running in any conditions. LEARN MORE>>


Mitigate This Risk Quickly and Cheaply


Although password reuse and recycling is a common foe for cybersecurity teams, mitigating that risk is both simple and affordable with two smart solutions that maximize security and minimize cost. 

SHORT TERM: Secure Systems and Data with Passly 

Immediately adopt multifactor authentication (MFA) to stop password reuse and recycling from having the power to cause a devastating cyberattack — MFA alone stops 99% of password-based cybercrime in its tracks. But when you choose Passly, you’re not just getting multifactor authentication, you’re also getting single sign-on, secure shared password vaults, automated password resets and other important security tools – saving you the cost of multiple solutions. Passly goes above and beyond in offering businesses both functionality and value. SEE PASSLY IN ACTION>>

LONG TERM: Find and Fix Credential Vulnerabilities with Dark Web ID 

Dark Web ID is the secret to continuous protection from dark web password reuse risk. Dark Web ID watches every corner of the dark web, including more than 640,000 botnets, hidden chat rooms, unindexed sites, private websites, peer-to-peer (P2P) networks, internet relay chat (IRC) channels, social media platforms, black market sites, hacker forums and all of the places that cybercriminals do business 24/7/365 to alert companies to credential compromise danger. SEE DARK WEB ID IN ACTION>>

Get your defenses ready for a new onslaught of password-related cybercrime risk. Contact our solutions experts today for a personalized demo to see how the ID Agent Risk Protection Platform can benefit your business.  


dark web economy represented by the words dark web in white on a black background blurred like a faint tv transmission

Explore the dark web with experts & get a deck of screenshots in Unveiling Cybercrime Markets on the Dark Web. WATCH NOW>>