
Digital safety starts here for both commercial and personal use...

Defend Your Business Against the Latest WNY Cyber Threats

We offer Safe, Secure and Affordable Solutions for your Business and Personal Networks and Devices.



WNYCyber is there to help you to choose the best service providers in Western New York... We DO NOT provide the services ourselves, as we are Internet Programmers who have to deal daily with Cyber Threats... (Ugghhh)... So we know what it's like and what it takes to protect OUR and OUR CUSTOMERS' DATA... We built this Website to help steer you to those that can give you the best service at realistic and non-inflated prices. We do not charge or collect any fees.

Cyble Finds Thousands of Security Vendor Credentials on Dark Web

Summary:
Cyble Threat Intelligence has discovered thousands of account credentials belonging to some major cybersecurity vendors on the dark web. Cyble researchers shared their findings on January 22nd, 2025, noting they found credentials for at least 14 security providers. These credentials are available on the marketplace for as low as $10 and comprise a range of accounts, from internal accounts to customer access across web and cloud environments, including security vendors' internal enterprise and development environments, which could pose substantial risks. Leaked credentials have a value that depends on the time since they were stolen: the older they are, the more stale and potentially useless they become. This report only presents discovered credentials that were leaked since the beginning of 2025. Cyble looked at 13 of the largest enterprise security vendors and some large consumer security vendors and found credentials for all of them on the dark web, likely harvested from infostealer logs. Although most of the credentials resemble customer credentials that protect access to sensitive management and account interfaces, all 13 vendors also had credentials for internal systems leaked. Some of the credentials appeared to grant access to critical internal systems such as Okta, Jira, GitHub, AWS, Microsoft Online, Salesforce, SolarWinds, Box, WordPress, Oracle, and Zoom. Credentials leaked in 2025 also appeared to provide access to password managers, authentication systems, and device management platforms. All vendors mentioned in Cyble's report have had data exposures just since the start of the year; ideally these were addressed quickly, or at least the affected accounts required additional authentication steps for access.

Security Officer Comments:
The growing Malware-as-a-Service information stealer business model has produced an influx of account credentials on the dark web. Although Cyble did not attempt to determine whether any of the credentials were valid, CrowdStrike alone has had more than 300 credentials exposed since the start of the year; some of those may be duplicates offered for sale across multiple forums. Most of them appear to be customer Falcon account credentials, likely harvested on customer endpoints. Even though most of these leaked vendor credentials are, ideally, protected by multifactor authentication (MFA), the exposed accounts are still concerning: they give threat actors an avenue for reconnaissance by confirming which systems a target organization or individual uses, after which the attacker can search for vulnerabilities in those systems. Basic cybersecurity practices like MFA, zero trust, vulnerability management, and network segmentation are paramount for minimizing and preventing cyberattacks. Implementing dark web monitoring tools is an integral part of developing a proactive security posture.

Suggested Corrections:
  • Multi-Factor Authentication (MFA): Significantly reduces the risk of unauthorized access, even if passwords are compromised.
  • Zero Trust: Limits the impact of a successful breach by containing the attacker's movement within the network, and enhances overall security posture by enforcing strict access controls and continuous monitoring.
  • Vulnerability Management: Proactively addresses security flaws before they can be exploited by attackers, reduces the attack surface, and minimizes the risk of successful cyberattacks.
  • Network Segmentation: Improves the organization's ability to contain and respond to security incidents, reduces the overall risk of a successful attack, and minimizes potential damage.
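The summary notes that leaked credentials lose value as they age, and the comments above recommend dark web monitoring backed by MFA. The script below is an added example, not code from Cyble or WNYCyber, of how a security team might triage the alerts such a monitoring feed produces: it drops records that do not belong to the organization's domains or that predate the 2025 cutoff the report uses, collapses the same credential listed on several forums into one item, and ranks what remains by whether the exposed platform is one of the critical systems named in the report and whether the account already has MFA. The feed records, the domain example-sec.test, the field names, and the scoring weights are all constructed assumptions for illustration.

```python
"""Triage of leaked-credential alerts from a dark-web monitoring feed.

Added example (not from the Cyble report or WNYCyber). Every record, domain,
field name and weight below is constructed for illustration.
"""
from dataclasses import dataclass
from datetime import date

# Platforms the report lists as critical internal systems (assumed ranking).
CRITICAL_PLATFORMS = {"okta", "jira", "github", "aws", "microsoft online", "salesforce",
                      "solarwinds", "box", "wordpress", "oracle", "zoom"}

# Constructed analysis date (the report's publication date).
TODAY = date(2025, 1, 22)


@dataclass(frozen=True)
class LeakRecord:
    username: str       # account identifier as it appears in the listing
    platform: str       # service the credential grants access to
    leak_date: date     # date the credential first appeared for sale
    source: str         # infostealer log or forum name (constructed)
    mfa_enforced: bool  # MFA status from the organisation's own IdP inventory


def is_in_scope(rec, org_domains, cutoff=date(2025, 1, 1)):
    """Keep only records for our domains leaked on or after the cutoff;
    older credentials are stale and handled at lower priority."""
    domain = rec.username.rsplit("@", 1)[-1].lower()
    return domain in org_domains and rec.leak_date >= cutoff


def risk_score(rec, today):
    """Higher means work it first: critical platform, no MFA, and fresh leak."""
    score = 0
    if rec.platform.lower() in CRITICAL_PLATFORMS:
        score += 50
    if not rec.mfa_enforced:
        score += 40
    age_days = (today - rec.leak_date).days
    score += max(0, 30 - age_days)   # freshness bonus that decays over a month
    return score


def dedupe(records):
    """The same credential offered on several forums counts once (keep the earliest)."""
    seen = {}
    for r in sorted(records, key=lambda r: r.leak_date):
        seen.setdefault((r.username.lower(), r.platform.lower()), r)
    return list(seen.values())


def triage(records, org_domains, today):
    """Return in-scope, deduplicated records ordered from most to least urgent."""
    in_scope = [r for r in dedupe(records) if is_in_scope(r, org_domains)]
    return sorted(in_scope, key=lambda r: risk_score(r, today), reverse=True)


# Constructed sample feed; example-sec.test stands in for the organisation.
SAMPLE_FEED = [
    LeakRecord("jdoe@example-sec.test", "Okta", date(2025, 1, 15), "infostealer log", False),
    LeakRecord("jdoe@example-sec.test", "Okta", date(2025, 1, 20), "forum B", False),   # duplicate listing
    LeakRecord("asmith@example-sec.test", "Jira", date(2024, 11, 2), "infostealer log", True),  # stale, pre-2025
    LeakRecord("ops@example-sec.test", "AWS", date(2025, 1, 18), "infostealer log", True),
    LeakRecord("someone@other-corp.test", "GitHub", date(2025, 1, 19), "forum A", False),   # not our domain
    LeakRecord("kwu@example-sec.test", "Zoom", date(2025, 1, 21), "infostealer log", True),
]

if __name__ == "__main__":
    for r in triage(SAMPLE_FEED, {"example-sec.test"}, TODAY):
        print(f"{risk_score(r, TODAY):3d}  {r.username:26} {r.platform:6} "
              f"mfa={r.mfa_enforced} leaked={r.leak_date}")
```

On the sample feed the Okta account with no MFA ranks first, the stale Jira credential and the foreign-domain GitHub listing are filtered out, and the duplicate Okta listing is folded into the earlier one. The MFA flag is the decisive input: a monitoring feed tells you a credential is for sale, but only your own identity inventory tells you whether the password alone still opens the door.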
Link(s):
https://www.infosecurity-magazine.com/news/cybersecurity-vendors-credentials/

https://cyble.com/blog/thousands-of-security-vendor-credentials-found-on-dark-web/