SSO Credentials of 25% of Most Valuable Companies are on Sale on the Dark Web

The cybersecurity assessment and rating company observed the availability of SSO credentials is spiraling in 2022.

September 21, 2022

According to a new report from BitSight Technologies, at least one single sign-on (SSO) credential belonging to as many as half of the top 20 most valuable companies in the U.S. is available for sale on the dark web. Additionally, 25% of the S&P 500 companies have at least one user whose SSO credential is up for grabs.

SSO is an essential part of enterprises and any organization whose employees need to reduce password fatigue, simplify IT administration, and securely access multiple applications from one dashboard. BitSight noted SSO also reduces phishing and can increase productivity. The flip side is that a single compromised SSO password threatens the entire security fabric of an organization: one credential unlocks every application behind it.

So the fact that BitSight discovered credentials belonging to 25% of the largest companies in the U.S., representing $11 trillion in market value, on sale on the dark web raises some serious concerns. The total number of public companies whose SSO credentials are on sale is just under 350.

BitSight observed that the availability of SSO credentials spiraled in 2022: the number of SSO credentials of public companies on sale broke the 3,000 mark in July 2022.

Figure: New Cumulative SSO Credentials on Sale on Dark Web | Source: BitSight


More than 1,500 of these new SSO credentials were put up for sale in June and July. The number is set to increase in August, considering the impact of the 0ktapus phishing campaign that compromised 9,931 login credentials and over 5,000 multi-factor authentication (MFA) codes from 136 companies, including Twilio, Cloudflare, and Mailchimp.

Figure: New SSO Credentials Listed For Sale According to Months in 2022 | Source: BitSight

Stephen Boyer, BitSight co-founder and CTO, said, “Credentials can be relatively trivial to steal from organizations, and many organizations are unaware of the critical threats that can arise specifically from stolen SSO credentials. These findings should raise awareness and motivate prompt action to become better acquainted with these threats.” 

In the 0ktapus campaign, the threat actors impersonated Okta’s identity and access management service. However, the threat can also come from vendors, as was the case when Okta was breached in January 2022 through one of its vendors, Sitel. That breach was disclosed only two months later, in March, after the attacker, the Lapsus$ cyber extortion group, released screenshots.

BitSight discovered that organizations in the technology sector are the most affected, followed by manufacturing, finance, energy, business services, transportation, healthcare, consumer goods, and media and entertainment.

BitSight suggested the following to protect credentials:

  • Leverage adaptive MFA, which uses signals such as geolocation, day and time to identify suspicious activity, or Universal 2nd Factor (U2F) authentication, which employs an origin-bound physical key and stops authentication on fake sites. Simple MFA can be bypassed, as demonstrated by a recent adversary-in-the-middle (AiTM) phishing campaign.
  • Adopt the principle of least privilege, i.e., limit the number of apps that employees can access to only those they need.
  • Manage third-party/vendor risk by assessing vendors' cybersecurity posture, deploying continuous monitoring, and keeping track of the data being shared with them and whether it is sensitive.
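The first recommendation rests on why an origin-bound key defeats a look-alike login page while a relayed one-time code does not. The following is an added, constructed model of that mechanism (not BitSight's or any vendor's code, and not a real authenticator: an HMAC stands in for the device's signature, and the origins are made up). The browser, not the user, supplies the origin that the key binds into its response, so a response produced on a phishing domain never verifies at the genuine SSO portal.

```python
import hashlib
import hmac
import os
import secrets

RP_ORIGIN = "https://sso.example.com"                # genuine SSO portal (constructed)
PHISH_ORIGIN = "https://sso-example.com.evil.test"   # look-alike page (constructed)


def origin_hash(origin: str) -> bytes:
    """U2F 'application parameter': SHA-256 of the origin the browser is on."""
    return hashlib.sha256(origin.encode()).digest()


class SecurityKey:
    """Toy authenticator: one device secret; HMAC stands in for an ECDSA signature."""

    def __init__(self) -> None:
        self._secret = secrets.token_bytes(32)

    def sign(self, browser_origin: str, challenge: bytes) -> bytes:
        # The origin comes from the browser's address bar; the user cannot override it.
        return hmac.new(self._secret, origin_hash(browser_origin) + challenge, "sha256").digest()

    def verifier(self):
        """Return the relying party's verification function for this registered key."""
        secret = self._secret

        def verify(rp_origin: str, challenge: bytes, signature: bytes) -> bool:
            expected = hmac.new(secret, origin_hash(rp_origin) + challenge, "sha256").digest()
            return hmac.compare_digest(expected, signature)

        return verify


def login_with_u2f(key: SecurityKey, verify, browser_origin: str) -> bool:
    """One authentication: RP issues a challenge, the key signs wherever the user is, RP verifies."""
    challenge = os.urandom(32)                   # issued by the genuine RP (or relayed by a proxy)
    signature = key.sign(browser_origin, challenge)
    return verify(RP_ORIGIN, challenge, signature)  # the RP always checks against its own origin


def login_with_otp(code_typed_by_user: str, code_relayed_to_rp: str) -> bool:
    """A one-time code carries no origin, so an AiTM proxy can forward it unchanged."""
    return hmac.compare_digest(code_typed_by_user, code_relayed_to_rp)


def demo() -> dict:
    key = SecurityKey()
    verify = key.verifier()
    return {
        "u2f_on_real_site": login_with_u2f(key, verify, RP_ORIGIN),
        "u2f_on_phishing_site": login_with_u2f(key, verify, PHISH_ORIGIN),
        "otp_relayed_by_proxy": login_with_otp("493021", "493021"),
    }
```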


Sumeet Wadhwani

Asst. Editor, Spiceworks Ziff Davis
