The dark web is awash with stolen single sign-on credentials, including credentials belonging to half of the top 20 largest public companies, research from BitSight found. More than 25% of the entire S&P 500 have had stolen credentials appear online.
SSO credentials are in such demand that during the months of June and July, more than 1,500 stolen credentials from public companies were made available on the dark web. By contrast, 1,588 credentials were stolen from the entire period from January through May.
Stolen credentials have been a more frequent vector of attack in recent years, as a 2022 Verizon Data Breach Investigations report showed stolen credentials are responsible for nearly half of all cyberattacks, up from about 30% in 2017.
SSO has come into favor with major enterprises in recent years, as they allow corporate workers to sign on to multiple websites with a single set of credentials.
Single-sign on reduces the number of individual usernames and passwords needed by each employee. Steven Boyer, co-founder and CTO at BitSight, credits SSO with raising productivity and reducing wasted time, as workers have fewer passwords to remember and IT workers don't have to recover lost passwords.
At the same time, an increase in SSO credentials being sold on the Dark Web poses considerable risk for companies.
SSO credentials belong to trusted users inside of companies and, in the wrong hands, they provide threat actors the ability to access a wide range of company applications, depending on the level of privileges a worker has access to.
“SSO credentials on the dark web can be bought and sold like anything else,” Boyer said via email. “This means bad actors could purchase a company’s SSO credentials and then leverage these credentials to gain access to the company’s internal systems, accessing the systems like a trusted insider.”
The BitSight report noted single-sign on specialist Okta was the recent target of threat actors, and was hacked using a third-party vendor.
Okta CEO and Co-Founder Todd McKinnon has advocated for the elimination of passwords, saying they are no longer sufficient for authentication in the current threat environment. Customers need a range of multifactor authentication-based mechanisms, according to an Okta spokesperson.
”Additionally, combining risk-based authentication with authenticator choice can help improve security postures and reduce risk of breaches from especially sensitive applications,” the Okta spokesperson said via email.
BitSight recommends organizations use adaptive MFA to protect against single sign-on theft. This means MFA is required if suspicious behavior is detected based on time of day, location and other factors, according to Boyer.
Universal two-factor authentication can help. The technology uses physical keys to help authenticate the user. For example, if an attacker tries to get into a system using an attacker controlled site, universal two-factor should stop that attack.