SpyCloud reveals over 721 million passwords exposed on the internet in 2022
Whenever a company suffers a data breach, passwords are among the most frequently compromised pieces of information. Once the threat actors behind the attack acquire this data, they typically resell it on the dark web, where it can be purchased and utilized for identity and financial theft.
The 2023 Annual Identity Exposure Report by cybersecurity firm SpyCloud confirms this notion. According to the document, the company’s researchers uncovered 721.5 million exposed online credentials in 2022. Of this figure, 50% originated from botnets: networks of malware-infected computers controlled collectively by threat actors, who deploy information-stealing malware.
“Cybercriminals can use exposed credentials to gain illegitimate access to enterprise networks under the guise of employee and consumer accounts, opening the door for more cyberattacks such as the distribution of ransomware and malware, additional data theft, and synthetic identity creation,” states Trevor Hilligoss, Director of Security Research at SpyCloud. “If the credentials were freshly stolen via malware and remain active, they pose a long-term threat to corporations as criminals can use the same credentials to access accounts until the issue is identified and addressed.”
Worse yet, the study discovered that in 2022 data breach incidents, 72% of exposed users continued to reuse previously compromised passwords. Over 327,000 exposed passwords were associated with Taylor Swift and Bad Bunny, 261,000 with streaming services such as Netflix and Hulu, and more than 167,000 with the British Royal Family and the passing of Queen Elizabeth.
The research also found that in 2022, 8.6 billion personal identity assets were leaked, including 1.4 billion full names, 332 million national ID/complete Social Security numbers, and 67 million credit card numbers.
If your information is affected by a security vulnerability, it is worthwhile to change your password immediately. You may employ passphrases, which are strings of unrelated words, or allow a password manager to generate a robust password for you. Enabling multi-factor authentication is also helpful, as it requires you to provide additional proof of identity when logging into your account. This can take the form of a one-time password, a physical key, or a fingerprint or facial scan. In this way, cybercriminals cannot get into your account with your credentials alone, even if they have obtained them.