Top 500 Legal Firms Have Over a Million of Their Credentials Leaked on the Dark Web


Hackers have dumped files in the Dark Web containing nearly 1.2 million email addresses and credentials from the UK's top 500 law firms. Security researchers from RepKnight cybersecurity firm revealed earlier today that over 1,159,687 email addresses were found in these dump and over 80 percent of these were linked to leaked passwords.

The firm, however, adds that most of this data doesn't come from any direct attacks and is a result of several third party breaches. But that doesn't mean it isn't damaging for the law firms who are now at risk of attacks since many of these passwords in plaintext are expected to work despite the security breach notifications.

Security Researcher Develops Normal-Looking Lightning Cable With a Chip That Can Steal Passwords

"Legal firms have access to some of the most sensitive data imaginable about their clients – whether corporate or private," the researchers wrote. "And just like any other company, they hold personal information about their employees, such as home address, contact details, bank account numbers and pension information."

But just how secure is the average law firm?

The researchers analyzed the "dark web footprints of domains belonging to the top 500 law firms in the UK, and discovered details of more than 1 million hacked, leaked or stolen credentials being circulated online – that’s an average of 2,000 email addresses per firm."

Every single of these top 500 law firms had at least 1 credential exposed, with the largest one accounting for 30,000 leaked email addresses. Most of this data made it to the dark web because legal professionals used their work emails to sign up for websites and services (like LinkedIn, MySpace, Tumblr, etc) that were later breached.

Data breaches and dumps put users at risk of phishing, credential stuffing, and identity fraud

While email addresses alone put users at risk of phishing attacks, passwords make things worse. Leaked password not only puts that person but an entire network at risk of credential stuffing attacks, the researchers wrote. In these attacks, bots are used to repeatedly try the same username and password on multiple sites. Then, there are spear phishing attacks or identity fraud, where leaked credentials are used as part of a targeted cyberattack on that individual.

"The data we found represents the easiest data to find as we just searched on the corporate email domain," Patrick Martin of RepKnight said. "A far bigger issue for law firms is data breaches of highly sensitive information about client cases, customer contact information, or employee personal info such as home addresses, medical record and HR files," he added.

"That's why, in addition to securing their networks, every firm should be deploying a Dark Web monitoring solution, so they can get alerted to leaks and breaches immediately."