Employee data leaks from most of world’s biggest firms—and UK tops list

Credentials discovered from workers at 97 percent of Forbes-ranked companies.

Tom Mendelsohn
The UK has proven particularly susceptible to data breaches involving compromised employee account data, according to new research.
Employee credentials from almost every company on Forbes' list of the 1,000 biggest companies in the world are available to buy online, threat intelligence firm Digital Shadows has said.
E-mail and password combinations belonging to more than five million people working at 97 percent of the top 1,000 companies are apparently available, including around 300,000 stolen from adult dating sites like Ashley Madison, Adult Friend Finder, and Mate1.
Each company on the list in Britain has an average of over 9,000 leaked sets of employee credentials available, more than in the rest of Europe or North America.
In its report, Digital Shadows said that "in 2016, we have witnessed even yet more data breaches made public, including LinkedIn, MySpace, and Dropbox. Data breaches are no longer an aberration; they are the norm."
The LinkedIn data dump alone, it's understood, has put more than 1.6 million corporate accounts into the criminal ecosystem, while nearly 1.4 million Adobe accounts have been compromised, as well as 1.2 million which were attached to MySpace. Digital Shadows said:
It’s perhaps of little surprise that the breaches impacting the global 1,000 companies the most were LinkedIn and Adobe—both services that employees can be expected to sign up to with their work accounts. However, there were also less expected sources.
The high level of corporate credentials from MySpace, for example, should cause organisations to pause for thought. Worse still, gaming sites and dating sites also affected organisations. For Ashley Madison alone, there were more than 200,000 leaked credentials from the top 1,000 global companies.
It highlighted five ways in which compromised credentials are used by criminals.
First, companies' public-facing social media accounts can be taken over. Second, compromised internal accounts can be used for "spear-phishing," a technique that targets high-value senior executives with convincing messages sent from inside the organisation. Third, credential stuffing can be used to gain access to other internal accounts where employees have used the same username and password combination for multiple applications. Fourth, post-breach extortion can be used to blackmail users of sensitive or embarrassing sites like Ashley Madison. Fifth, breached datasets can be fed to botnets, which then send out spam or malware.
The data is available to buy on the darknet, often reasonably cheaply. What's more, Digital Shadows found that less of it than expected turned out to be duplicated; only around 10 percent of breached credentials were found to be repeats.
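The kind of triage the report describes, matching a leaked dump against an organisation's own e-mail domains, de-duplicating it, and looking for credentials that recur across sources (the password reuse the firm warns about), can be scripted. The following Python is an added example for this article and is not code from Digital Shadows or the original piece; the dump it parses is constructed, the `# source:` header convention, the `example-corp.com` and `example-corp.co.uk` domains and the account names are all assumptions made for illustration.

```python
"""Triage a leaked credential dump against an organisation's e-mail domains.

Added example: the dump below is constructed and does not come from any real
breach. Lines of the form '# source: <name>' mark which site a block of
credentials was taken from; that header format is assumed for illustration.
"""
import hashlib
import re
from collections import Counter, defaultdict

# Constructed sample dump (not real data), covering two fictional sources.
SAMPLE_DUMP = """\
# source: dating-site-A
alice@example-corp.com:Summer2016!
bob@example-corp.com:hunter2
Alice@Example-Corp.com:Summer2016!
carol@gmail.com:qwerty
dave@example-corp.co.uk;Password1
eve@example-corp.com
not a credential line
# source: gaming-site-B
alice@example-corp.com:Summer2016!
bob@example-corp.com:hunter3
"""

# Domains owned by the (fictional) organisation being triaged.
CORP_DOMAINS = {"example-corp.com", "example-corp.co.uk"}

SOURCE_RE = re.compile(r"^#\s*source:\s*(\S+)")
# An e-mail address, a separator (':' ';' or ','), then a non-empty password.
CRED_RE = re.compile(r"^\s*([^\s:;,@]+@[^\s:;,@]+)\s*[:;,]\s*(\S.*?)\s*$")


def parse_dump(text):
    """Yield (source, email, password) for every well-formed credential line.

    E-mail addresses are lower-cased so case variants of one account collapse;
    passwords are kept exactly because they are case-sensitive. Lines with no
    separator or no password are skipped rather than guessed at.
    """
    source = "unknown"
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        src = SOURCE_RE.match(line)
        if src:
            source = src.group(1)
            continue
        if line.startswith("#"):
            continue
        m = CRED_RE.match(line)
        if not m:
            continue
        yield source, m.group(1).lower(), m.group(2)


def fingerprint(password):
    """Short SHA-256 prefix so a report can circulate without the plaintext."""
    return hashlib.sha256(password.encode("utf-8")).hexdigest()[:12]


def triage(text, domains):
    """Summarise which corporate accounts appear, how much of the dump is
    duplicated, and which credentials recur across sources (password reuse)."""
    records = [r for r in parse_dump(text) if r[1].rsplit("@", 1)[1] in domains]
    unique = set(records)
    sources_per_cred = defaultdict(set)
    for source, email, password in unique:
        sources_per_cred[(email, password)].add(source)
    reused = sorted(e for (e, _), s in sources_per_cred.items() if len(s) > 1)
    accounts_by_domain = Counter()
    for domain in domains:
        accounts_by_domain[domain] = len(
            {e for _, e, _ in unique if e.endswith("@" + domain)})
    return {
        "corporate_records": len(records),
        "unique_records": len(unique),
        "duplicate_ratio": (len(records) - len(unique)) / len(records) if records else 0.0,
        "accounts_by_domain": dict(accounts_by_domain),
        "reused_across_sources": reused,
        "fingerprints": sorted({(e, fingerprint(p)) for _, e, p in unique}),
    }


if __name__ == "__main__":
    import json
    print(json.dumps(triage(SAMPLE_DUMP, CORP_DOMAINS), indent=2))
```

On the constructed dump this reports six corporate records, five of them unique (one is a case variant of an existing line), one account whose e-mail and password combination appears under both sources, and per-domain account counts; the report carries only truncated hashes of the passwords, so it can be passed to account owners or a help desk without re-distributing the plaintext.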
"Simply put, too many people are putting their employer at risk by re-using workplace credentials, such as e-mail addresses and passwords, for their personal lives," Digital Shadows' research analyst Michael Marriott told Ars.
"In our sample of the world’s top 1,000 companies we found that, for companies headquartered in the UK, there are nearly half a million unique leaked credentials being traded by cybercriminals right now," he added.
"Many of these have leaked as a result of being used for clear 'non-work' purposes, such as dating and gaming sites. These compromised credentials hold significant value for cybercriminals and can be used for botnet spam lists, extortion attempts, spear-phishing, and account takeovers. It’s vital that firms get on the 'front foot' and gain cyber situational awareness to spot leaked credentials before it impacts on their business."