One in Eight Employees Admit Selling Corporate Login Credentials, Threatening Enterprise Access
What Happened — A Cifas study of 2,000 employees at firms with ≥ 1,000 staff found that 13 % have sold their corporate login credentials or know a colleague who did in the past 12 months. The practice is most common among senior managers, directors, C‑suite executives and business owners, many of whom hold privileged access to critical systems.
Why It Matters for TPRM —
- Credential sales create a direct supply‑chain of compromised accounts that attackers can leverage against third‑party vendors.
- High‑privilege insiders bypass least‑privilege controls, exposing sensitive data and downstream services.
- The phenomenon is global; similar breaches have been reported at Fortune 500 firms and outsourcing partners.
Who Is Affected — Large enterprises (≥ 1,000 employees), especially those in finance, SaaS, professional services, and any organization relying on cloud platforms such as Microsoft 365, Salesforce, and similar.
Recommended Actions —
- Conduct a credential‑use audit and enforce strict least‑privilege policies.
- Deploy continuous monitoring for anomalous login behavior and credential reuse.
- Implement robust insider‑threat programs, including regular awareness training on the legal and security ramifications of credential sales.
- Review third‑party access agreements to ensure vendors cannot be compromised via sold credentials.
Technical Notes — The compromised credentials stem primarily from phishing and infostealer campaigns tracked by KELA (≈ 2.9 B credentials in 2025). Sold credentials are often traded on underground markets, enabling account takeover attacks that surged 6 % in the US last year (Verizon). Source: Malwarebytes Labs