Top 500 UK Legal Firms Have More Than 1 Million Credentials Exposed Online
A white paper was released today by UK-based private cyber intelligence company RepKnight. The document is an analysis of the dark web footprints of domains belonging to the top 500 law firms in the UK, using their “BreachAlert” platform. The analysis found the details of more than 1 million hacked, leaked or stolen credentials being circulated online, an average of 2,000 email addresses per firm.
Pretty crazy numbers. The article does state that the vast majority of the credentials were exposed through “third party breaches” – meaning a data breach from another website or system unconnected to the law firm. I’m surprised more companies, especially law firms, don’t have some sort of policy about using a work email for personal things.
With many law firms publishing contact email addresses for their partners and staff on their website, it’s relatively easy for spammers and cybercriminals to get an email address. Every exposed email address puts that member of staff at significant risk of phishing attacks and impersonation attempts, as well as the constant plague of spam and malware. However, almost 800,000 of the 1M+ breached credentials we found also contained passwords. These are often visible as plaintext, or hashed values which are easily cracked online.
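The kind of per-domain footprint count described above can be reproduced in a few lines for a defender checking their own domain. The script below is an added example, not RepKnight’s BreachAlert code; the domain, addresses and secrets in SAMPLE_DUMP are constructed for the illustration, and it classifies each exposed record by how much the leaked secret gives away (nothing, a plaintext password, an unsalted fast hash that is cheap to crack, or a salted slow hash):

```python
import re
from collections import Counter

# Constructed sample of the "email:secret" lines found in leaked credential
# dumps. Every address and secret here is made up for this example.
SAMPLE_DUMP = """\
alice@examplelaw.co.uk:Summer2017!
bob@examplelaw.co.uk:5f4dcc3b5aa765d61d8327deb882cf99
carol@examplelaw.co.uk
dave@otherfirm.example:password1
erin@examplelaw.co.uk:$2b$12$abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0
frank@examplelaw.co.uk:5baa61e4c9b93f3f0682250b6cf8331b7ee68fd8
# comment line that should be ignored
"""

HEX_RE = re.compile(r"^[0-9a-fA-F]+$")
# Unsalted fast-hash digests are recognised by their hex length. These are the
# "easily cracked" cases: a wordlist plus a GPU recovers most of them.
FAST_HASH_LENGTHS = {32: "md5", 40: "sha1", 64: "sha256"}
SLOW_HASH_PREFIXES = ("$2a$", "$2b$", "$2y$", "$argon2", "$pbkdf2", "$6$")


def classify_secret(secret):
    """Return 'none', 'plaintext', 'weak_hash' or 'slow_hash' for one dump secret."""
    if not secret:
        return "none"
    if secret.startswith(SLOW_HASH_PREFIXES):
        return "slow_hash"  # salted and iterated: cracking is far more expensive
    if HEX_RE.match(secret) and len(secret) in FAST_HASH_LENGTHS:
        return "weak_hash"  # unsalted MD5 / SHA-1 / SHA-256 digest
    return "plaintext"


def parse_dump(text):
    """Parse 'email[:secret]' lines; skip blanks and comment lines."""
    records = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        # Split on the first colon only: passwords may themselves contain colons.
        email, _, secret = line.partition(":")
        records.append((email.lower(), secret))
    return records


def exposure_report(text, domain):
    """Count exposed accounts for one domain, broken down by secret type."""
    domain = domain.lower()
    counts = Counter()
    for email, secret in parse_dump(text):
        if email.endswith("@" + domain):
            counts["exposed"] += 1
            counts[classify_secret(secret)] += 1
    return dict(counts)


if __name__ == "__main__":
    print(exposure_report(SAMPLE_DUMP, "examplelaw.co.uk"))
```

Run against a real dump the same way, passing the firm’s own domain: a high plaintext or weak_hash share is the signal to force resets and deploy MFA for the affected accounts.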