Thousands of Security Vendor Credentials Exposed on the Dark Web

Written by: Lore Apostol, Cybersecurity & Streaming Writer

Account credentials belonging to several major cybersecurity vendors have surfaced on the dark web. The leaked credentials, some priced as low as $10 on cybercrime marketplaces, span both internal and customer accounts, posing significant risks to enterprise and customer environments alike.

The Cyble cyberthreat report identified leaked credentials from 13 of the largest enterprise security vendors, as well as some prominent consumer security companies. 

The credentials, primarily extracted from infostealer logs, were sold in bulk on underground marketplaces. Most concerningly, these exposures include access to sensitive internal systems and customer interfaces.

The leaked accounts span key web and cloud platforms, such as Okta, Jira, GitHub, AWS, Microsoft Online, Salesforce, SolarWinds, Box, WordPress, Oracle, and Zoom. Authentication systems, password managers, and device management platforms are also impacted.

While Cyble did not verify the validity of these credentials, many relate to accessible web console interfaces and SSO logins, which poses significant risks.

Although many of the credentials appear to be for customer-facing accounts, Cyble’s findings reveal that critical internal systems—such as developer accounts, product interfaces, and customer data management environments—were also compromised. 

For one particularly large security vendor, company email addresses were listed alongside credentials for sensitive accounts, suggesting potential exposure of highly privileged access.

Such leaks are not merely a risk to account access; they also serve as a trove of reconnaissance data for threat actors. Leaked credentials, paired with URLs for management interfaces, could provide key insights into an organization’s infrastructure, the tools it uses, and potential vulnerabilities—all valuable for planning further attacks.

Cyble researchers focused solely on credentials leaked since the start of the year. Credential leaks have an inherent time value because older passwords are more likely to have been changed. However, any delay in addressing exposed accounts amplifies the risk of larger security incidents.


