SpyCloud 2020 Credential Exposure Report: Over 9 Billion Email and Password Combos Recovered from Cybercriminals
Weak passwords, unsecured servers and sophisticated cybercrime tools help criminals nearly triple data resources used for account takeover and fraud
11 Feb, 2020, 08:00 ET
AUSTIN, Texas, Feb. 11, 2020 /PRNewswire/ -- SpyCloud, the leader in account takeover (ATO) prevention, today released its 2020 Credential Exposure Report, which tallies the extent of personal data stolen in the last year, identifies individual and organizational security trends that lead to breaches, and tracks the evolution of cybercriminal tactics.
The 9,050,064,764 credentials SpyCloud recovered throughout 2019 came from a total of 640 unique data breaches and include email addresses connected to plaintext passwords and usernames with plaintext passwords. That means, on average, each of these data breaches gave criminals more than 14 million sets of login credentials. Because people often reuse passwords across several accounts, both personal and for work, each set of login credentials could be used to access dozens or more accounts through which cybercriminals can perpetrate fraud.
"As the world celebrates Safer Internet Day, we want to remind every internet user that monitoring your online credentials for exposure, never reusing passwords, and opting in for multi-factor authentication are the best ways to protect yourself from cybercrime," said Ted Ross, CEO and co-founder of SpyCloud.
The SpyCloud research team identified that almost a third of internet users affected by data breaches last year had reused a password in some form. 94% of those who recycled passwords reused the exact same password, while the other 6% made minor changes such as capitalizing the first letter or adding numbers to the end of their typical password. These tactics are easily defeated by sophisticated crimeware tools, which test for common, slight variations.
In terms of organizational security, SpyCloud researchers noted a worrying trend: more of the data criminals are sharing and selling came from breaches of misconfigured or unsecured servers. Organizations may also be taking incomplete steps to protect passwords. The researchers found that more than half (53.7%) of the plaintext passwords recovered were originally protected using the outdated hashing algorithms SHA-1 and MD5. Security professionals have recommended against using SHA-1 since about 2005, and against using MD5 since as far back as 1996, because cybercriminals can easily and quickly crack passwords hashed with these functions and recover plaintext passwords.
"Our data shows that consumers are still not changing their poor password habits, yet we know they're holding organizations accountable for their security," said David Endler, co-founder and chief product officer for SpyCloud. "Criminals are still using passwords they stole in 2012 to attack and take over accounts today. Companies need to guide users to set better passwords at the time of account creation and help users maintain strong, uncompromised passwords whenever their credentials are exposed in a breach anywhere in the world."
Despite the problem of password fatigue and reuse coming into clearer focus over the past few years, little has changed in the world's most popular passwords. Among the more than 9 billion credentials SpyCloud collected last year, the top three are "123456," "123456789," and "qwerty," and they are being used to protect some 125 million accounts. It is increasingly up to organizations to comply with NIST's password guidelines (NIST Special Publication 800-63B), which recommend checking user passwords against those exposed in previous breach corpora, as well as against commonly used or easy-to-guess passwords.
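The screening step NIST SP 800-63B calls for, combined with the "minor variation" reuse pattern described above, as an added illustration that is not SpyCloud's code or data: the breach corpus below is a constructed sample containing the three passwords the report names plus invented entries, and the normalization rule (lowercase, strip trailing digits and symbols) is an assumption about how a defender might catch the capitalize-first-letter and append-numbers variants.

```python
import re

# Constructed sample corpus (NOT SpyCloud data): the three most common passwords
# named in the report plus a few invented entries for illustration.
BREACHED_PASSWORDS = {"123456", "123456789", "qwerty", "password", "Summer2019"}

# Trailing digits and common punctuation users append to a base password.
_TRAILING = re.compile(r"[0-9!@#$%^&*]+$")


def normalize(password: str) -> str:
    """Collapse the minor variations the report describes so that
    'Qwerty2020!' screens the same way as 'qwerty'."""
    base = _TRAILING.sub("", password)
    # An all-digit password would collapse to nothing; keep it as-is instead.
    if not base:
        base = password
    return base.lower()


def build_screen(corpus):
    """Pre-compute exact and normalized lookup sets for fast screening."""
    exact = set(corpus)
    normalized = {normalize(p) for p in corpus}
    return exact, normalized


def screen_password(password, exact, normalized, min_length=8):
    """Return the list of reasons a password should be rejected under an
    800-63B-style policy; an empty list means it passed every check."""
    reasons = []
    if len(password) < min_length:
        reasons.append("too short")
    if password in exact:
        reasons.append("exact match in breach corpus")
    elif normalize(password) in normalized:
        reasons.append("minor variation of a breached password")
    return reasons


if __name__ == "__main__":
    exact, normalized = build_screen(BREACHED_PASSWORDS)
    for candidate in ["123456", "Qwerty2020!", "Summer2019", "correct horse battery"]:
        print(candidate, "->", screen_password(candidate, exact, normalized) or "ok")
```

Only the "minor variation" check depends on the normalization rule; swapping in a larger real corpus leaves the exact-match path unchanged.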
To read the full report on all the personally identifiable information exposed on the cybercriminal underground last year, visit the SpyCloud blog. SpyCloud's full report also includes information on the cybercriminal tactics, techniques and procedures that lead to data breaches, and an interactive map showing the most commonly used passwords by country.
See your real-time breach exposure details for free, powered by SpyCloud data, at spycloud.com.
SpyCloud is the leader in account takeover (ATO) prevention, protecting billions of consumer and employee accounts either directly or through product integrations. Our award-winning solutions proactively defeat fraud attempts and disrupt the criminals' ability to profit from stolen information. Learn more and check your exposure at spycloud.com.