Overview
Account credentials from some of the largest cybersecurity vendors can be found on the dark web, a result of the growing problem of infostealers, according to an analysis of Cyble threat intelligence data.
The credentials, available for as little as $10 in cybercrime marketplaces, span internal accounts and customer access across web and cloud environments, including security vendors' own enterprise and development environments, where exposure could pose substantial risk.
Ideally the accounts were also protected by multifactor authentication (MFA), which makes any attempt to use a leaked password harder. Even so, the leaks underscore the value of dark web monitoring as an early warning system: the point is to catch a credential exposure before it turns into a much bigger attack.
Leaked Security Company Credentials
Leaked credentials have an inherent time value – the older the credentials, the more likely the password has been changed – so Cyble researchers looked only at credentials leaked since the start of the year.
Cyble looked at a number of security companies and found credentials from all of them on the dark web. The credentials were most likely pulled from infostealer logs and then sold in bulk on cybercrime marketplaces.
Most of the credentials appear to belong to customers and protect access to sensitive management and account interfaces, but every security vendor Cyble examined also had credentials for internal systems leaked on the dark web.
Those internal systems include potentially critical ones such as Okta, Jira, GitHub, AWS, Microsoft Online, Salesforce, SolarWinds, Box, WordPress, Oracle, and Zoom, along with password managers, other authentication systems, and device management platforms.
Cyble did not attempt to determine whether any of the credentials were valid, but many were for easily accessible web console interfaces, SSO logins, and other web-facing account access points.
The vendors Cyble looked at included a range of network and cloud security providers, including some of the biggest makers of SIEM systems, EDR tools, and firewalls.
All have had credentials exposed just since the start of the year; ideally those were rotated quickly, or at least the affected accounts required additional authentication steps for access.
One of the largest security vendors Cyble looked at may have more sensitive accounts exposed: company email addresses appear among the credentials for several sensitive accounts, including developer and product account interfaces and customer data. Depending on the privileges granted to those accounts, the exposure could be substantial.
Credential Leaks Could Aid in Hacker Reconnaissance
Even if all the exposed accounts were protected by other means, as ideally they were, such leaks are concerning for another reason: they help threat actors conduct reconnaissance by revealing which systems a potential target uses, including where sensitive data lives and which products might have exploitable vulnerabilities.
Other sensitive information exposed by infostealers can include URLs of management interfaces that are not publicly known, which gives attackers further reconnaissance material.
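The triage Cyble describes (drop entries older than the window, classify the target system, flag corporate e-mail addresses) and the reconnaissance point above (which of your endpoints a stealer log reveals) can both be done mechanically over a credential feed. The script below is an added example, not Cyble's tooling. The log lines are constructed, the tab-separated "capture date, URL, username, password" layout is an assumed format (real stealer logs vary, so replace parse_log() with one for your feed), and the org domain acme.example and host acme-cloud.example are placeholders.

```python
"""Triage credential lines from an infostealer log for one organization.

Added example, not Cyble's tooling. The log below is constructed, and the
tab-separated "capture-date, URL, username, password" layout is an assumed
format; real stealer logs vary, so swap parse_log() for your feed's layout.
"""
from __future__ import annotations

import hashlib
from collections import defaultdict
from dataclasses import dataclass
from datetime import date
from urllib.parse import urlsplit

# Constructed sample. Passwords are placeholders; hosts use reserved .example names.
SAMPLE_LOG = """\
2025-01-14\thttps://acme.okta.com/login/login.htm\tjdoe@acme.example\tWinter2025!
2025-01-09\thttps://acme.atlassian.net/login\tjdoe@acme.example\tWinter2025!
2025-01-03\thttps://github.com/login\tj.doe.dev\tgh-pass-1
2024-11-20\thttps://console.aws.amazon.com/console/home\tops@acme.example\tOldPass1
2025-01-11\thttps://mgmt-eu2.acme-cloud.example/admin\tcustomer42@contoso.example\tcust-pw
2025-01-11\thttps://www.facebook.com/\tjdoe@gmail.com\tpersonal
"""

# Hostname suffixes for the kinds of internal systems named in the article.
SYSTEM_PATTERNS = {
    "okta.com": "Okta", "atlassian.net": "Jira", "github.com": "GitHub",
    "aws.amazon.com": "AWS", "microsoftonline.com": "Microsoft Online",
    "salesforce.com": "Salesforce", "solarwinds.com": "SolarWinds",
    "box.com": "Box", "zoom.us": "Zoom",
}
WINDOW_START = date(2025, 1, 1)   # "since the start of the year"


@dataclass
class Finding:
    captured: date
    host: str
    path: str
    system: str           # matched SYSTEM_PATTERNS name, or "other"
    username: str
    pw_fingerprint: str   # truncated SHA-256; never keep the clear password in a report
    corporate_user: bool  # username is an e-mail on one of the org's domains
    org_host: bool        # URL is on a host the org operates (e.g. a customer portal)


def parse_log(text: str):
    """Yield (captured, url, user, password); malformed lines are skipped, not fatal."""
    for line in text.splitlines():
        parts = line.split("\t")
        if len(parts) != 4:
            continue
        when, url, user, pw = parts
        try:
            yield date.fromisoformat(when), url, user, pw
        except ValueError:
            continue


def classify(host: str) -> str:
    for suffix, name in SYSTEM_PATTERNS.items():
        if host == suffix or host.endswith("." + suffix):
            return name
    return "other"


def fingerprint(password: str) -> str:
    # Enough to spot reuse across entries and confirm a later rotation, nothing more.
    return hashlib.sha256(password.encode()).hexdigest()[:12]


def triage(text: str, org_domains: set[str], org_hosts: set[str], cutoff: date) -> dict:
    findings: list[Finding] = []
    stale = 0
    for captured, url, user, pw in parse_log(text):
        if captured < cutoff:
            stale += 1        # older than the window: likely rotated already, low priority
            continue
        parts = urlsplit(url)
        host = (parts.hostname or "").lower()
        user_domain = user.rsplit("@", 1)[1].lower() if "@" in user else ""
        corporate = user_domain in org_domains
        ours = any(host == h or host.endswith("." + h) for h in org_hosts)
        system = classify(host)
        if not (corporate or ours or system != "other"):
            continue          # personal account on an unrelated site: out of scope
        findings.append(Finding(captured, host, parts.path, system, user,
                                fingerprint(pw), corporate, ours))

    by_fp: dict[str, set[str]] = defaultdict(set)
    for f in findings:
        by_fp[f.pw_fingerprint].add(f.host)
    return {
        "findings": findings,
        "stale_dropped": stale,
        # corporate identity on a named internal system: rotate, check MFA and session logs
        "internal_exposure": [f for f in findings if f.corporate_user and f.system != "other"],
        # someone else's account on a host we run: notify the customer, watch the portal
        "customer_exposure": [f for f in findings if f.org_host and not f.corporate_user],
        # the attacker's recon view: which of our endpoints the log has revealed
        "recon_endpoints": sorted({f.host + f.path for f in findings if f.org_host}),
        # same password on more than one host: one leak unlocks several systems
        "reused_passwords": {fp: sorted(h) for fp, h in by_fp.items() if len(h) > 1},
        # a bare username cannot be tied to the org: needs manual review, not silent drop
        "unattributed": [f for f in findings if not f.corporate_user and not f.org_host],
    }


def demo_report() -> dict:
    return triage(SAMPLE_LOG, {"acme.example"}, {"acme-cloud.example"}, WINDOW_START)


if __name__ == "__main__":
    report = demo_report()
    for key in ("stale_dropped", "recon_endpoints", "reused_passwords"):
        print(key, report[key])
    for f in report["internal_exposure"]:
        print("rotate:", f.system, f.username, f.captured, f.pw_fingerprint)
```

Two details matter in practice. The GitHub entry has a bare username rather than a corporate e-mail, so it lands in "unattributed" instead of being dropped; that is exactly the kind of developer account the article warns about, and only a human can tie it to the organization. And the same fingerprint on the Okta and Jira entries means a single rotation is not enough: every system where that password was reused needs attention.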
Conclusion: Dark Web Monitoring is Critical for Everyone
Dark web monitoring is an underappreciated and cost-effective security tool for one very big reason: Credential leaks frequently come before much bigger security incidents like data breaches and ransomware attacks.
Leaked credentials for security tools and other important systems are worth monitoring not only to prevent breaches but also to keep attackers from learning how an organization's systems are laid out and how to reach them.
If the largest security vendors can be hit by infostealers, so can any organization. Basic practices like MFA, zero trust, vulnerability management, and network segmentation are important for minimizing, and ideally preventing, data breaches, ransomware, and other cyberattacks.
Update 1:18 a.m. UTC January 23, 2025: The decision was made to redact the affected vendor names to preserve confidentiality.
Clarification: On January 22, 2025, we posted a blog entitled “Cyble Finds Thousands of Security Vendor Credentials on Dark Web” listing a number of security companies that were believed to have had their associated credentials exposed since the start of the year due to infostealer malware. As a standard practice, we do not validate or authenticate the credentials. Moreover, the aforesaid blog was in relation to credential exposure from users' devices and not any breach or exposure of data suffered by the security companies referenced in the original blog. Indeed, LogRhythm and Exabeam conveyed to Cyble that they have not been involved in a breach. Again, that is not what the blog conveyed, and it should not be interpreted to imply that LogRhythm or Exabeam experienced a security failure or unauthorized disclosure of sensitive data from their platforms. Accordingly, it is clarified in relation to the blog entitled “Cyble Finds Thousands of Security Vendor Credentials on Dark Web” published on January 22, 2025, that Exabeam and LogRhythm have not been involved in a data breach and we do not have evidence that they experienced a security failure that led to leaked credentials from their platforms. Moreover, to reiterate what we stated in the prior blog post, Cyble did not verify if any of the potentially leaked credentials discovered on the dark web were valid.