A new report from cybersecurity ratings company BitSight Technologies Inc. today finds that stolen single sign-on credentials from top companies are available for sale on the the shady corner of the internet called the dark web.

SSO credentials allow users to securely log in with a single ID across multiple applications and websites. Once they’re signed into the SSO, an access token is sent to the application granting the users access. If the users aren’t currently signed in, they’re prompted to sign into the SSO to gain access.

The use of SSO has become widely popular with many organizations, since fewer credentials mean fewer phishing targets, fewer password reset requests and less login time, meaning employees have more time to work on business-critical tasks.

Conversely, stolen single sign-ons, whether stolen directly from an organization or third-party suppliers, open the door for cyber attackers to cause harm to an organization. A well-known example of this is the breach of Okta Inc. in March that then led to the breaching of companies using Okta for SSO.

But just how widespread is the problem of stolen SSOs? The BitSight researchers dug into listings on the dark web and found that 25% of the S&P 500 and half of the top 20 most valuable public U.S. companies have SSO credentials listed for sale. More than 1,500 new SSO credentials were also found to become available in June and July alone.

Emphasizing just how big the companies are, the affected companies represent $11 trillion in market value, roughly the equivalent to the combined economies of Germany, India, the U.K. and France. Public companies from all sectors and industries have compromised SSO credentials for sale, with companies in technology, manufacturing, retail, finance, energy and business services the most affected.

The researchers recommend that organizations should take proactive steps to protect themselves from the threat of stolen SSOs.

They also noted that phishing is a popular method to steal SSO credentials even when multifactor authentication is enabled, so organizations should implement adaptive MFA that considers geolocation, day and time, and suspicious activity. Universal 2FA should include an origin-bound physical key to cause authentication to fail on fake sites.

Organizations are also recommended to implement a least-privilege strategy that limits who can access critical systems so an attack using a compromised account can do less damage. Implementing a least-privileged strategy is as easy as restricting the number of applications the average employee can access to only those necessary for their job.

The last recommendation and one with no surprise given that it’s a common issue, is to understand the security posture of vendors to ensure they’re adequately protecting their systems and hence the organization that has contracted them. Third-party suppliers should be analyzed prior to entering a business relationship and continuously monitored after the relationship begins.

Image: BitSight