- Security researchers have revealed that 460,000 employee credentials from FTSE 100 companies have been compromised.
- They also discovered surprisingly poor password habits, such as people using “password” as their actual password.
- Experts advise users to immediately adopt multi-factor authentication and implement ongoing leak monitoring.
A huge stash of corporate login details was just found online. These credentials belong to the UK’s top companies. The findings reveal a massive security problem. Even the biggest firms are at risk.
The Scale of the Exposure
The login details for nearly half a million corporate accounts belonging to Britain’s FTSE 100 firms have been put up for sale on the dark web, the hidden, intentionally concealed part of the internet often confused with the larger ‘deep web.’ A new report from security firms Socura and Flare titled “FTSE 100 for Sale” uncovered this trove.
They found 460,000 compromised employee credentials, all from FTSE 100 company domains. Some companies were hit much harder than others. One firm had a staggering 45,000 leaked credentials. Fifteen companies each had over 10,000 exposed logins. The financial services sector was a major target, with over 70,000 stolen credentials found.
This discovery shows that the dark web marketplace for stolen UK data is booming. It’s not just corporate logins; this follows a clear pattern of UK financial data being targeted, as we recently saw with 1,800 stolen bank cards found for sale in a separate dark web crisis.
A big part of the problem is infostealer malware. These programs secretly grab saved passwords from infected computers. The study found 28,000 corporate credentials in these “stealer logs.” That is about 280 per company.
But researchers warn this is just the beginning. These are only the credentials they could find publicly. A company might have many more passwords that are not yet public. They could be in private hands or already in use by attackers.
Shocking Password Habits
The report also highlights terrible password hygiene. This is a major issue even for well-resourced giants. Over half (59%) of the FTSE 100 firms have at least one employee using “password.”
Yes, you read that right. Someone at most of the UK’s top companies uses that weak password.
Password reuse was also very common. The report gives a perfect example. One employee had three variations of the same password in six different known leaks. The password was based on the TV actor “Ross Kemp.”
The danger does not stop with regular employees. The investigators also found CXO email addresses and passwords. These high-level executive credentials were shared on dark web sites like Doxbin. This puts entire companies at extreme risk.
Best Way to Secure Your Credentials
So, what do you do when stolen logins start showing up everywhere? Socura’s threat intelligence lead, Anne Heim, explained the criminal mindset. She said cybercriminals are opportunists. Most will not waste time hacking for credentials. They would rather just find or buy them online easily.
The solution requires a strong, layered defense. The report authors have a clear list of recommendations for all businesses.
Start with strong password rules. Take a page from the UK’s National Cyber Security Centre—use their advice. Push everyone to try password managers. Let people know why strong passwords matter. Seriously, most folks don’t realize how easy it is to break a weak one.
And don’t stop there: set up multi-factor authentication (MFA). It throws up another wall for hackers and keeps those phishing scams from working so easily. Make it tough for anyone trying to get in where they shouldn’t. Passkeys are a great modern option. MFA should cover all devices and services. It is a critical barrier, even if a password is stolen.
Companies should also use conditional access policies. These grant access based on factors like authentication strength. Check devices. See if they’re up to standard and figure out if anyone’s acting risky.
Don’t just wait around—keep an eye out for leaked credentials. Organizations must regularly check for their employees’ credentials in new data dumps. When found, they must reset those passwords immediately.
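The leak check described above could look like the following. This is an added example, not code from the Socura and Flare report; the domain, the `source|email:password` dump layout, the denylist and every sample record are constructed assumptions.

```python
import re
from collections import defaultdict

CORP_DOMAIN = "example-corp.co.uk"                # assumption: placeholder domain
COMMON_BASES = {"password", "qwerty", "letmein"}  # illustrative denylist only
LEET = str.maketrans("013457@$", "oieastas")      # common character swaps
# Constructed sample in an assumed "source|email:password" layout.
SAMPLE_DUMP = """\
leak-a|j.smith@example-corp.co.uk:password
leak-a|a.jones@example-corp.co.uk:RossKemp1
leak-b|a.jones@example-corp.co.uk:rosskemp!
leak-c|a.jones@example-corp.co.uk:R0ssKemp2023
leak-b|someone@other.example:hunter2
leak-c|m.patel@example-corp.co.uk:x9$Lq7!vTz
malformed line without separator
"""

def base_form(password):
    """Reduce a password to its letter-only root so variants compare equal."""
    core = re.sub(r"^[^a-z]+|[^a-z]+$", "", password.lower())
    return re.sub(r"[^a-z]", "", core.translate(LEET))

def parse_dump(text, domain=CORP_DOMAIN):
    """Yield (source, email, password) for addresses on the monitored domain."""
    for line in text.splitlines():
        source, sep, cred = line.partition("|")
        email, colon, password = cred.partition(":")
        if not (sep and colon and "@" in email):
            continue  # skip malformed lines instead of failing the run
        host = email.lower().rsplit("@", 1)[1]
        if host == domain or host.endswith("." + domain):
            yield source, email.lower(), password

def triage(text, domain=CORP_DOMAIN):
    """Map each exposed account to reset reasons; plaintext is never returned."""
    sources_by_base = defaultdict(lambda: defaultdict(set))
    findings = defaultdict(set)
    for source, email, password in parse_dump(text, domain):
        findings[email].add("exposed")  # any hit on the domain means a reset
        base = base_form(password)
        if base in COMMON_BASES:
            findings[email].add("common_password")
        sources_by_base[email][base].add(source)
    for email, bases in sources_by_base.items():
        if any(b and len(s) > 1 for b, s in bases.items()):
            findings[email].add("reused_variant")  # same root in several leaks
    return {e: sorted(r) for e, r in findings.items()}

if __name__ == "__main__":
    print(triage(SAMPLE_DUMP))
```

The output lists accounts and reasons only, so the reset queue can be shared with a help desk without spreading the recovered passwords further.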
A clear Bring Your Own Device (BYOD) policy is also essential. It must require MFA for accessing any corporate services from a personal device.
Finally, robust detection controls are needed. These systems spot and flag suspicious behavior. This includes unusual logins and the presence of infostealer malware on a network.