Email credentials from UK’s top law firms are for sale on the dark web
Credentials belonging to more than one million staff at the UK’s top law firms have been found for sale on the dark web.
So says security software company RepKnight, which claims that the cache of compromised credentials includes 30,000 from the UK’s largest law firm and nearly 80,000 from companies in the legal sector’s so-called ‘magic circle’.
However, many of these credentials may not have been purloined directly from the law firms, but from third-party security breaches, such as the high-profile LinkedIn and Dropbox breaches.
“Almost all of the credentials were from third-party breaches, where a corporate email address had been used on a site like LinkedIn or Dropbox, and that site was subsequently compromised. Worryingly, 80 per cent of these email addresses featured in breaches which also contained passwords – often in plaintext,” the company warned.
“Cybercriminals could potentially use these passwords to gain access to other private data, like employees’ online banking or social media, via ‘credential stuffing’ or spear phishing attacks, because more than 80 per cent of people tend to re-use their password.”
The company claimed that it used one of its own proprietary monitoring tools, called BreachAlert, to uncover the exposed emails.
“The data we found represents the easiest data to find – we just searched on the corporate email domain. A far bigger issue for law firms is data breaches of highly sensitive information about client cases, customer contact information, or employee personal info such as home addresses, medical records and HR files,” said RepKnight cybersecurity analyst Patrick Martin.
The company, not surprisingly, suggested that every organisation should adopt dark web scanning tools as a means of identifying risks. Two-factor authentication, especially for employees in sensitive roles, ought also to be considered.
Law firms are routinely targeted by scammers because they handle money, such as transfers during property sales and purchases. There have been a series of scams in which attackers compromised either the lawyer or their client in order to persuade one of the parties to transfer large sums of money to accounts controlled by the attackers.
While insecure, email is typically the preferred method of contact for lawyers communicating with clients, despite lawyers being urged to send important correspondence by post rather than by email.