In a recent analysis of the top 1,000 global companies, 97 percent were found to have had credentials leaked and made publicly available on the Web. While this statistic is disturbing enough by itself, what is more troublesome is how that information is captured and made public.
Many leaked credentials result from a data breach at the organization itself, but attackers also steal credentials from third-party sources, as happened when Spotify and Pandora were attacked. In both of these incidents, corporate email addresses used to sign up for accounts were either published or sold. Dating and adult websites are also common places where corporate email addresses are inappropriately used to create accounts, resulting in more than 300,000 corporate or government worker email addresses being exposed.