- Digital footprint monitoring company Flare analyzed 19.6 million infostealer logs, which revealed approximately 400,000 compromised corporate credentials.
- Credentials belong to professionals with AWS, Google Cloud Platform, Salesforce, Hubspot, and other accounts.
- The company also discovered over 200,000 OpenAI account credentials, twice as many as Group-IB discovered last month.
Approximately 400,000 corporate credentials are up for sale on darknet forums and Telegram channels. Digital footprint monitoring company Flare analyzed 19.6 million infostealer logs, which revealed that 1.91% contain credentials for business applications.
These include AWS, Google Cloud Platform, Salesforce, and Hubspot, as well as those with Okta and DocuSign in their domains. Most of these corporate credentials are available for sale on Russian Market and VIP Telegram channels.
Infostealers typically target web browsers, email clients, operating system data, ISP information, cryptocurrency wallet credentials, and other sensitive files.
The breakdown of credentials as provided by Flare in its Stealer Logs and Corporate Access report is as follows: 179,000 credentials for AWS Console, 42,738 for Hubspot, 2,300 credentials for Google Cloud, 23,000 Salesforce credentials, 66,000 for CRM, 64,500 for DocuSign, and 15,500 QuickBooks credentials, while 48,000 logs contain access to domains with okta.com.
Additionally, Flare discovered 205,447 stealer logs that contain credentials for OpenAI accounts. “ChatGPT can be particularly high-risk since conversations are saved by default, potentially exposing sensitive corporate intellectual property and other data should the account be compromised,” Flare noted.
It is unclear if any of these OpenAI credentials overlap with the 101,134 logs (containing 26,802 compromised ChatGPT accounts) identified by Group-IB in June 2023.
“This analysis emphasizes the growing risk of sensitive corporate data being stolen in enterprise breaches through the use of information-stealing malware,” Tomer Bar, VP of Security Research at SafeBreach, told Spiceworks.
“Remote working has become more common, and since enterprises usually allow their employees to have remote access to the enterprise’s assets with only a single sign-on to proceed, an exfiltration of Okta credentials may be the beginning of a complete breach.”
Flare explained that corporate credentials are categorized under tier 1 logs owing to the access they impart: corporate IT environments and business applications. Banking and financial services credentials come under tier 2 logs, while tier 3 logs include credentials for consumer applications such as VPNs, streaming platforms, etc.
While tier 1 logs are typically sold on private Telegram channels and Russian Market, tier 2 logs are available mainly on Genesis Market and tier 3 logs on public Telegram channels.
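To make the tiering concrete, here is an added example (not Flare's code) that buckets constructed stealer-log records by the tier of each credential's domain and computes the share of logs carrying tier-1 corporate access, the same proportion the report puts at 1.91%. The tier domain lists, the suffix rule for okta.com and the sample logs are assumptions for illustration.

```python
# Added example (not Flare's code): triage stealer-log records by the tiering the
# report describes. Tier lists, matching rules and sample logs are constructed.
from collections import Counter

# Tier 1: corporate IT environments / business applications named in the article.
TIER1_EXACT = {"console.aws.amazon.com", "app.hubspot.com", "login.salesforce.com",
               "console.cloud.google.com", "account.docusign.com"}
TIER1_SUFFIXES = (".okta.com",)  # any domain with okta.com counts as corporate access
TIER2_EXACT = {"paypal.com", "www.paypal.com"}               # banking / financial
TIER3_EXACT = {"netflix.com", "spotify.com", "nordvpn.com"}  # consumer apps, VPNs, streaming


def tier_for(domain):
    """Map one credential's domain to tier 1, 2 or 3; None if it matches no list."""
    d = domain.strip().lower()
    if d in TIER1_EXACT or d.endswith(TIER1_SUFFIXES):
        return 1
    if d in TIER2_EXACT:
        return 2
    return 3 if d in TIER3_EXACT else None


def summarize(logs):
    """Logs per tier plus the share carrying tier-1 (corporate) access.

    A stealer log holds every credential from one infected machine, so each log
    is counted once per tier however many matching credentials it contains.
    """
    logs_by_tier, tier1_logs = Counter(), 0
    for log in logs:
        tiers = {t for t in map(tier_for, log["domains"]) if t is not None}
        logs_by_tier.update(tiers)
        tier1_logs += int(1 in tiers)
    total = len(logs)
    return {"total_logs": total, "tier1_logs": tier1_logs,
            "tier1_share_pct": round(100.0 * tier1_logs / total, 2) if total else 0.0,
            "logs_by_tier": dict(logs_by_tier)}


# Constructed sample: five logs, each listing the credential domains from one host.
SAMPLE_LOGS = [
    {"log_id": "log-0001", "domains": ["gmail.com", "netflix.com", "corp.okta.com"]},
    {"log_id": "log-0002", "domains": ["facebook.com", "www.paypal.com"]},
    {"log_id": "log-0003", "domains": ["spotify.com", "steampowered.com"]},
    {"log_id": "log-0004", "domains": ["console.aws.amazon.com", "paypal.com"]},
    {"log_id": "log-0005", "domains": ["roblox.com"]},
]

if __name__ == "__main__":
    print(summarize(SAMPLE_LOGS))
```

On the constructed sample two of five logs contain tier-1 access, so the script reports a 40% corporate-access share; on a real feed the same computation is what a monitoring team would watch over time.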
Proportion of Stealer Logs Containing Corporate Access vs. the Proportion of All of Flare’s Stealer Logs
Source: Flare
Erich Kron, Security Awareness Advocate at KnowBe4, told Spiceworks, “Having legitimate credentials is extremely valuable for bad actors, as it can help them stay below the radar when more traditional attacks such as brute-forcing could draw attention. Cybercriminals know that credentials used in one place are also very likely to be reused with other web services or platforms.”
“This reuse of passwords can be a significant issue that people often underestimate the impact of, but it leads to the practice of credential stuffing, where a known good username and password are tried on multiple websites, using tools that are free or extremely inexpensive and leading to the compromise of email accounts, retail shopping accounts, and bank accounts among others, and has been responsible for hundreds of thousands of account takeover compromises this year alone.”
Google, Facebook, Microsoft, Amazon, Netflix, Roblox, Instagram, Steam, Twitch, PayPal, Epic Games, Spotify, LinkedIn, Apple, Zoom, and Blizzard Entertainment own some of the top domains that appeared in the stealer log sample.
The following table showcases the domains and the corresponding percentage of logs that they appear in:
Company | Domain | Percentage of Logs the Domain Appears In
--- | --- | ---
Google | gmail.com | 46.59%
Google | accounts.google.com | 42.05%
Google | google.com | 43.01%
Facebook | facebook.com | 35.63%
Facebook | www.facebook.com | 21.79%
Facebook | m.facebook.com | 16.92%
Microsoft | live.com | 34.14%
Microsoft | login.live.com | 30.31%
Microsoft | signup.live.com | 10.98%
Microsoft | account.live.com | 9.45%
Microsoft | hotmail.com | 13.77%
Microsoft | outlook.com | 6.19%
Microsoft | microsoftonline.com | 10.36%
Microsoft | login.microsoftonline.com | 10.20%
Amazon | amazon.com | 13.74%
Amazon | www.amazon.com | 9.64%
Netflix | netflix.com | 17.13%
Netflix | www.netflix.com | 12%
Netflix | com.netflix.android | 7.42%
Roblox | roblox.com | 15.17%
Roblox | www.roblox.com | 11.46%
Instagram | instagram.com | 17.94%
Instagram | www.instagram.com | 12.42%
Instagram | instagram.android | 7.62%
Instagram | com.instagram.android | 7.62%
Steam | steamPowered.com | 13%
Steam | store.steampowered.com | 9.7%
Steam | help.steampowered.com | 7.45%
Twitch | twitch.tv | 12.47%
Twitch | www.twitch.tv | 9.01%
PayPal | paypal.com | 12.1%
PayPal | www.paypal.com | 9.18%
Epic Games | epicgames.com | 10.32%
Epic Games | www.epicgames.com | 7.01%
Spotify | spotify.com | 9.11%
Spotify | accounts.spotify.com | 6.73%
LinkedIn | linkedin.com | 8.97%
Apple | apple.com | 8.71%
Apple | idmsa.apple.com | 6.68%
Zoom | zoom.us | 7.09%
Blizzard Entertainment | battle.net | 6.03%
“We agree with the recommendation in the analysis and would like to add that continuous security validation should also be done on all laptop and remote devices,” Bar added.
Kron cited the importance of multifactor authentication (MFA) to thwart threats arising from stolen passwords. “Using MFA and educating users about the threat that password reuse poses can go a long way toward thwarting the issues related to the stolen or reused passwords that are causing so many issues,” Kron said.
“Ensuring that users can spot and report phishing emails, a very common way to trick people into giving up their credentials, is also an inexpensive and effective way to mitigate this threat.”