Cybersecurity companies exposed on the Dark Web

97 percent of major cybersecurity companies have had potentially sensitive data compromised and made available on the dark web, according to a recent report.

In its report State of Cybersecurity Industry Exposure at Dark Web, application security vendor Immuniweb found that among the 398 largest cybersecurity firms in the world, nearly all were associated with leaked or compromised data available on dark web resources. These resources included hacking forums, underground marketplaces, public code repositories, and social networks. Half of the exposed data contained personally identifiable information and corporate data and 30 percent contained login credentials.

Immuniweb researchers also found poor password security and basic data hygiene practices. Twenty-nine percent of the compromised passwords were weak, with “password” being the most common, closely followed by “123456.” Sixty-three percent of the cybersecurity websites were also found to not be PCI compliant (a set of security standards established by the payment card industry), and 48 percent were not in compliance with the European Union’s GPDR.

While many of the exposed records were likely the result of subpar internal security practices, many of them could be traced back to third-party data breaches.

“A large number of stolen credentials with plaintext passwords likewise come from incidents involving unrelated third parties including dating or even adult-oriented websites where victims were using their professional email addresses to sign in,” stated the report, also noting that over 5,000 stolen credentials were found on pornographic and adult websites.

While the findings of the report paint a somewhat bleak picture of the state of cybersecurity, the report concluded that cybersecurity companies were relatively well positioned compared to other industries, owing to “generous venture funding and access to internal talens to tackle security and compliance.” 

“[T]hird parties, ranging from law firms to IT companies, usually lack internal expertise and budget required to react quickly to the growing spectrum of targeted attacks and APTs. Eventually, they become low-hanging fruit for pragmatic attackers who also enjoy virtual impunity,” the report concluded.