Account credentials from some of the biggest cybersecurity vendors can be purchased on dark web marketplaces, according to a Cyble report published today.
While most of the security credentials Cyble found were for customers of those vendors – likely captured by infostealers that infected customer devices – there were also an alarming number of leaked account credentials from the security vendors themselves for sensitive internal accounts for enterprise, development and security systems.
The accounts ideally should have been protected by multifactor authentication (MFA), which would have made exploiting the credentials more difficult, but Cyble noted that the leaked credentials show the importance of dark web monitoring services and dark web monitoring as a defense against much bigger cyberattacks like data breaches and ransomware attacks
Security Company Credentials Can Be Bought for $10
The credentials could be bought for as little as $10 in cybercrime marketplaces, Cyble said, noting that they were likely harvested from infostealer logs and then sold in bulk on dark web marketplaces.
Cyble looked only at credentials leaked since the start of the year, as older passwords are more likely to have changed. Of the 14 cybersecurity vendors Cyble examined, each had both customer and internal credentials leaked on the dark web thus far in 2025.
The vendors mainly offer enterprise and cloud security tools and services, but some consumer security vendors were included too. Cyble did not publish the names at the request of vendors.
Most of the credentials found by Cyble appeared to be customer credentials that protect access to security management and account interfaces, but all the security vendors Cyble examined had access to internal systems leaked on the dark web too.
Security vendor credentials found by Cyble included some for sensitive internal systems such as Okta, Jira, GitHub, AWS, Microsoft Online, Salesforce, SolarWinds, Box, WordPress, Oracle and Zoom, plus other password managers, authentication systems and device management platforms.
Cyble said it didn’t test to see if the credentials were valid, but noted that many were for “easily accessible web console interfaces, SSO logins and other web-facing account access points.”
One of the largest vendors Cyble looked at appeared to have sensitive internal company accounts exposed, with company email addresses “listed among the credentials for a number of sensitive accounts, including developer and product account interfaces and customer data.”
“Depending on the privileges granted to those accounts, the exposure could be substantial,” Cyble noted.
Dark Web Credential Leaks a Boon for Hackers
Besides the obvious hacking potential, Cyble noted that exposed accounts could also help threat actors conduct reconnaissance “by giving them an idea of the systems that a potential target uses, including locations of sensitive data and potential vulnerabilities to exploit. Other sensitive information exposed by infostealers could include URLs of management interfaces that are unknown to the public, giving further recon information to hackers.”
Cyble concluded that “If the largest security vendors can be hit by infostealers, so can any organization, making basic cybersecurity practices like MFA, zero trust, vulnerability management and network segmentation important for minimizing – and ideally preventing – data breaches, ransomware and other cyberattacks.”
Updated at 1:28 a.m. UTC January 23, 2025: Vendor names were removed to preserve confidentiality.
