UPDATED 23:17 EDT / OCTOBER 30 2019

SECURITY

16M passwords from Fortune 500 companies found on the dark web

Some 16 million passwords have been added to “dark web” sites over the last 12 months, according to a report published by cybersecurity firm ImmuniWeb.

The passwords surfaced against the backdrop of a 50% increase in data breaches in the first quarter of 2019; in total, the report counts more than 4 billion compromised records from more than 4,000 data breaches. The dark web is the part of the internet reachable only through anonymizing software such as Tor, and it is where much of this data is traded.

Using its own in-house technology, ImmuniWeb discovered over 21 million credentials belonging to Fortune 500 companies, with 16 million dating to the last 12 months. The most common source of the breaches was third parties — websites and other resources unrelated to the organizations themselves — followed by trusted third parties such as partners, suppliers and vendors to Fortune 500 companies.

Despite years of news about data breaches and education campaigns about the need for strong passwords, the report found that basic, guessable passwords such as “12345678,” “abc123” and even “password” still remain widely used. Of the full 21 million records analyzed, the report found only 4.9 million unique passwords.
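The defence that follows from this finding is to reject any password that already appears in a breach corpus, however "complex" it looks, rather than relying on composition rules. The block below is an added example, not code from ImmuniWeb or from the article: it builds a small constructed corpus, indexes it by SHA-1 prefix the way a k-anonymity range lookup serves it, and checks a candidate password without ever disclosing the full hash to the lookup. The corpus, the counts, and the names `range_lookup`, `pwned_count` and `is_acceptable` are all assumptions made for the example.

```python
import hashlib
from typing import Dict, List

# Constructed sample corpus of (password, times seen in breaches).
# Counts are illustrative and are NOT figures from the ImmuniWeb report.
SAMPLE_BREACHED: Dict[str, int] = {
    "12345678": 2_900_000,
    "abc123": 2_700_000,
    "password": 3_700_000,
    "qwerty": 3_900_000,
    "letmein": 180_000,
}


def _sha1_hex(password: str) -> str:
    """Upper-case hex SHA-1 of the UTF-8 password (the usual corpus key)."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest().upper()


def build_range_index(corpus: Dict[str, int]) -> Dict[str, List[str]]:
    """Bucket the corpus by the first five hex chars of the SHA-1; each
    bucket holds 'SUFFIX:COUNT' strings, mirroring a range-style API."""
    index: Dict[str, List[str]] = {}
    for pw, count in corpus.items():
        digest = _sha1_hex(pw)
        index.setdefault(digest[:5], []).append(f"{digest[5:]}:{count}")
    return index


RANGE_INDEX = build_range_index(SAMPLE_BREACHED)


def range_lookup(prefix: str) -> List[str]:
    """Hypothetical stand-in for a k-anonymity range endpoint: the caller
    sends only a 5-char prefix and receives every suffix in that bucket,
    so the server never learns which password was checked."""
    if len(prefix) != 5:
        raise ValueError("prefix must be exactly 5 hex characters")
    return RANGE_INDEX.get(prefix.upper(), [])


def pwned_count(password: str) -> int:
    """How many times the password appears in the corpus (0 if absent).
    Only the prefix leaves this function; suffix matching is done locally."""
    digest = _sha1_hex(password)
    prefix, suffix = digest[:5], digest[5:]
    for line in range_lookup(prefix):
        found_suffix, count = line.split(":")
        if found_suffix == suffix:
            return int(count)
    return 0


def is_acceptable(password: str, min_len: int = 8) -> bool:
    """NIST SP 800-63B-style screen: reject short passwords and anything
    present in a breach corpus, regardless of apparent complexity."""
    if len(password) < min_len:
        return False
    return pwned_count(password) == 0


if __name__ == "__main__":
    for candidate in ("12345678", "abc123", "password", "correct horse battery staple"):
        print(f"{candidate!r}: seen={pwned_count(candidate)} acceptable={is_acceptable(candidate)}")
```

Note that "12345678" fails the check even though it satisfies a typical eight-character minimum, and "abc123" fails on both counts; a length or character-class rule alone would have waved the first one through.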

“This is an interesting glimpse into the inner workings of underground criminal hacking markets,” Craig Young, computer security researcher for security firm Tripwire Inc.’s vulnerability and exposure research team, told SiliconANGLE. “It illustrates just how easy it can be for an adversary to obtain a foothold into a target organization.”

Some criminal hackers are very good at spear-phishing or breaching random websites, but may have little ability to directly monetize the information, Young explained. “Others may specialize in escalating access within an organization but have little capability in the way of initially obtaining access,” he said. “Underground markets typically hosted on Tor allow these threat actors to collaborate with relative anonymity.”

Jarrod Overson, director of engineering at cybersecurity company Shape Security Inc., noted that credential stuffing is one of the most common types of attacks because it is cheap and it works. Unlike a brute-force attack that guesses passwords, credential stuffing replays username and password pairs leaked in a previous data breach, usually with automated tooling, against the login pages of unrelated services; it succeeds wherever a user has reused the same password.
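From the defender's side, the attack described above leaves a recognizable trace: one source address trying many different usernames in a short span, with most attempts failing and the occasional success marking an account whose reused password was in the leaked list. The block below is an added example, not code from Shape Security or from the article: it parses a constructed authentication log and flags sources matching that pattern. The log format, the sample addresses and usernames, and the thresholds `min_distinct_users` and `min_fail_ratio` are assumptions made for the example.

```python
import re
from collections import defaultdict
from typing import Dict, List

# Constructed sample of authentication log lines (not real traffic).
# 203.0.113.5 cycles through many usernames with mostly failed logins,
# the signature of replaying a breached credential list; the other two
# sources are ordinary users (one mistyped a password once).
SAMPLE_AUTH_LOG = """\
2019-10-30T23:10:01Z ip=198.51.100.7 user=alice result=FAIL
2019-10-30T23:10:09Z ip=198.51.100.7 user=alice result=OK
2019-10-30T23:11:02Z ip=203.0.113.5 user=alice result=FAIL
2019-10-30T23:11:03Z ip=203.0.113.5 user=bob result=FAIL
2019-10-30T23:11:03Z ip=203.0.113.5 user=carol result=FAIL
2019-10-30T23:11:04Z ip=203.0.113.5 user=dave result=OK
2019-10-30T23:11:05Z ip=203.0.113.5 user=erin result=FAIL
2019-10-30T23:11:05Z ip=203.0.113.5 user=frank result=FAIL
2019-10-30T23:11:06Z ip=203.0.113.5 user=grace result=FAIL
2019-10-30T23:11:07Z ip=203.0.113.5 user=heidi result=OK
2019-10-30T23:12:30Z ip=192.0.2.44 user=bob result=OK
"""

# Assumed log line shape: "<ts> ip=<addr> user=<name> result=OK|FAIL"
LINE_RE = re.compile(
    r"^(?P<ts>\S+) ip=(?P<ip>\S+) user=(?P<user>\S+) result=(?P<result>OK|FAIL)$"
)


def parse_auth_log(text: str) -> List[Dict[str, str]]:
    """Parse log text into event dicts; malformed lines are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            events.append(m.groupdict())
    return events


def detect_credential_stuffing(events, min_distinct_users: int = 5,
                               min_fail_ratio: float = 0.6) -> Dict[str, dict]:
    """Return {ip: summary} for sources whose behaviour looks like credential
    stuffing: many distinct usernames from one IP plus a high failure ratio.
    Successful logins from a flagged IP are the accounts to treat as compromised."""
    per_ip = defaultdict(lambda: {"users": set(), "fail": 0, "ok_users": []})
    for e in events:
        stats = per_ip[e["ip"]]
        stats["users"].add(e["user"])
        if e["result"] == "FAIL":
            stats["fail"] += 1
        else:
            stats["ok_users"].append(e["user"])

    flagged: Dict[str, dict] = {}
    for ip, s in per_ip.items():
        attempts = s["fail"] + len(s["ok_users"])
        fail_ratio = s["fail"] / attempts
        if len(s["users"]) >= min_distinct_users and fail_ratio >= min_fail_ratio:
            flagged[ip] = {
                "distinct_users": len(s["users"]),
                "attempts": attempts,
                "fail_ratio": round(fail_ratio, 2),
                "compromised_accounts": sorted(set(s["ok_users"])),
            }
    return flagged


def run_detection(text: str = SAMPLE_AUTH_LOG) -> Dict[str, dict]:
    """Convenience wrapper: parse then detect, on the constructed sample by default."""
    return detect_credential_stuffing(parse_auth_log(text))


if __name__ == "__main__":
    for ip, summary in run_detection().items():
        print(ip, summary)
```

The failure-ratio condition is what keeps a single user who mistypes a password from being flagged; the distinct-user condition is what separates stuffing from a targeted password-guessing attempt against one account, which is a different detection. In production the same logic would run over a sliding time window rather than the whole log, and the "compromised_accounts" list is the input to a forced password reset plus a session revocation, not merely an alert.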

“Successful credential-stuffing attacks provide criminals with accounts they can then use to defraud individuals and companies,” Overson said. “Attackers monetize everything from store credit, to loyalty points, to prescription drug refills.”

Users can protect themselves by never reusing passwords and turning on two-factor authentication whenever possible, Overson added. Also, password managers such as 1Password can help users easily manage hundreds of unique passwords across devices.

Image: Pixabay
