Report: 25% of S&P 500 have SSO credentials exposed on dark web


Single sign-on (SSO) credentials are considered “the keys to the kingdom” by cybersecurity professionals: an employee logs in once and gains access to every application federated to the organization’s identity provider, which makes these credentials the last thing an organization wants stolen or offered for sale on the dark web. A malicious actor who obtains your organization’s SSO credentials can access your systems and data like a trusted insider, including payroll, contracts, intellectual property, and more.

In short, a malicious actor can inflict significant damage upon an organization by obtaining its SSO credentials. 

Unfortunately, even the world’s largest and most important companies are struggling to secure these critical assets. Scouring the dark web for critical SSO credentials associated with 3,000 publicly traded companies, BitSight found that 25% of the S&P 500 and half of the top 20 most valuable public U.S. companies have had at least one SSO credential for sale on the dark web in 2022.

These affected companies — representing $11 trillion in value — may be at risk, along with their global customer bases.



Technology sector most affected

BitSight also identified the technology sector as the most affected. This is particularly concerning given recent events: attackers are increasingly compromising technology vendors as a stepping stone into those vendors’ broad customer bases.

“Businesses need to be aware of the risks posed by their major IT vendors. As we’ve seen repeatedly, insecure vendor credentials can provide malicious actors with the access they need to target large customer bases at scale. The impact of a single exposed SSO credential could be far reaching,” said BitSight Cofounder and CTO Stephen Boyer.

Image source: BitSight.

Widely adopted cybersecurity controls are no longer enough on their own; organizations with strong controls in place are still being breached. BitSight recommends that organizations strengthen their defenses with more dynamic and robust measures such as dynamic MFA, phishing-resistant hardware authenticators based on the FIDO Universal 2nd Factor (U2F) standard, and a host of other controls including least-privilege access and third-party risk management.

BitSight’s research alerts the global business community to the critical threat of SSO credential theft. The reality is that even with a heightened state of security among public companies, SSO credentials are still being stolen and sold on the dark web at staggering rates.


BitSight analyzed the security posture of three thousand publicly traded companies to understand how the world’s most valuable and best-resourced companies are protecting their critical SSO credentials.

Read the full report from BitSight.
