Credential Theft and the Dark Web: Why SMEs Need to Stay Alert

Last updated: 26 Jun 2025 by Mark Faulkner

Credential theft (i.e., illegally obtaining a business or individual’s username(s) and password(s)) can be an incredibly lucrative - and often remarkably easy - endeavour for digital delinquents.

All it takes is a dash of login-harvesting malware. Or even a spot of social engineering: say, a phishing email pretending to be from a trusted provider like Microsoft, Google, or even an individual known to the victim, asking them to log in to a fake (but realistic-looking) web page designed to let the criminal hoover up those details.

With those credentials, a criminal can access that business or individual’s digital estate, potentially doing untold damage. Alternatively, they can package those credentials up for sale or distribution to other criminals - enabling countless other villainous parties to access those compromised accounts.

And one compromised business account could expose all manner of highly sensitive information like the contents of emails, financial information, personal employee data, trade secrets, and more.

So, to understand the risks that are out there, we need to be aware of the criminals’ territory - the dark web - and a significant chapter of their playbook - credential theft.

Let’s dive right in.

What is the Dark Web?

The dark web is a tiny part of the world wide web that requires particular tech setups, software, and authorisation to access. Due to the high levels of encryption required to use the dark web, it affords its users a high level of anonymity.

Understandably, this capacity for strong anonymity has attracted a certain degree of illegal and/or objectionable activities to the dark web. However, as we’ll explore shortly, not all dark web activity is criminal in nature.

Understanding the Dark Web: The WWW Iceberg

The web as we know it can be split into three parts, often envisaged as parts of an iceberg:

  • The Surface Web: This represents publicly available information like public websites, online shopping sites, etc. This makes up around 5% of the web.
  • The Deep Web: This represents the non-public part of the web that generally requires a secure log in to access. It can include things like email, internet banking, private messaging, private databases, corporate cloud resources, etc. This makes up a whopping (yet approximate) 90% of the web.
  • The Dark Web: This is the internet's “underground,” which can include illegal trading and media like malware, but can also include non-objectionable communications too. This makes up the final 5% of the web.

What Happens on the Dark Web?

It’s simplest to divide what goes on over the dark web into “the objectionable stuff” and “the non-objectionable stuff”:

What Illicit Activity Takes Place on The Dark Web?

The dark web is often considered the internet’s criminal underbelly, and for relatively good reason. Its baked-in anonymity and “anything goes” spirit have naturally attracted a certain level of criminality, such as:

  • Trading malware, knowledge of IT vulnerabilities, and hacking-for-hire services.
  • Trading illicitly obtained login credentials pertaining to both individuals and organisations.
  • Trading illegal and objectionable goods and media.
  • Coordinating criminal endeavours like cyberattacks, scams, fraud, hacking, extremism, and more.

What Non-Illicit Activity Takes Place on The Dark Web?

But not all of the dark web is inherently bad or objectionable. There are non-illicit, harmless, and even positive things that take place there too:

  • Open sharing of information for journalistic and public interest purposes (e.g., whistleblowing, activism)
  • Freedom of expression for individuals living under, or looking to escape, oppressive circumstances.
  • Research and academia, primarily focused on cybersecurity, digital privacy, and online communities.
  • Anonymous sharing and discussion of sensitive, but not illegal, information.
  • Communication between dark web “hobbyists,” digital explorers, and community participants.

But despite this more promising side of the dark web, sadly the majority of the dark web (57% as of 2020) contains illegal content.

Now, let’s turn our attention to credential theft - a lucrative cyberattack vector that’s inextricably intertwined with dark web criminality.

The Predominance of Credential Theft

Credential theft has become a particular focus for cybercriminals recently.

Social engineering (such as phishing) has historically been a common method of stealing login credentials, with around 80% of phishing attacks aiming to steal login credentials. However, infostealing malware is rapidly gaining pace as criminals' credential-snatching method of choice.

Picus’s Red Report 2025 reveals that the prevalence of malware targeted at stealing credentials from password stores has risen from 8% in 2023 to 25% in 2024 - that’s an alarming 3x surge in prevalence.

The risks of credential theft are higher than ever, and climbing. It’s clear that mere “login and password” authentication is no longer secure enough to withstand the rigours of the modern internet.

So why is credential theft such a strong draw for cybercriminals? Well, it gives them a foot in the door into an organisation’s IT infrastructure, and there’s so much that a criminal can do with even a single username and password, including but not limited to:

  • Reconnaissance: Simply using the login to access the account in question and learning what they can about a target organisation, including identifying security loopholes. Even access to an entry-level individual’s email account can reveal valuable details about how information, and money, flows around an organisation.
  • Business Email Compromise (BEC): These are highly targeted attacks developed to imitate a known party, designed to trick employees into sending money, information, or access. Because they are so tailored, they can be highly believable, tricking even the most cyber-savvy individuals.
  • Escalating Privileges: If the criminal obtains an account with certain privileges, they may be able to use that privilege to access certain information, or use it to create a higher privilege account.
  • Deploying Malware: The criminal can use their access to deploy and spread malware or ransomware across an IT estate, or harness some kind of security backdoor to their advantage.
  • Data Theft: Stealing information pertaining to customers, employees, or trade secrets.
  • Supply Chain Attacks or Recon: Accessing or investigating supplier systems in order to enact a wider campaign of attack throughout the supply chain.

Though credential theft is far from the only way that a company's information ends up on the dark web, it’s unique in that a single set of login details can serve as a massive starting point for an attack.

Also unique is the fact that cybercriminals commonly trade large swathes of stolen credentials on the dark web. And most scarily, login details relating to your organisation can be sloshing around on the dark web now, without you even knowing!

Which is why we’re offering a free dark web scan to all UK small businesses.

Request Your Free Dark Web Domain Scan

Are your organisation’s login credentials being illegally traded in the back-alleys of the internet? Find out for certain, for free, with Penken Technology’s dark web breach report.

Our automated scan scours all known dark web forums, marketplaces, and breaches; hunting for places where your organisation’s domain is present. This results in a report which precisely details which of your domain's email addresses and passwords are currently in circulation.

So take the first step in defending your business from credential theft. Request your free report and uncover what the bad guys know about you.

Claim Your Free Dark Web Scan

“What Should I Do If My Business Login Credentials Are Found on the Dark Web?”

If any dark web scan (not just ours) flags that login credentials belonging to your business have been breached, what can you do?

Well, one great option is to get in touch with the team at Penken Technology! Or failing that, do the following immediately:

  1. Determine which accounts are affected: Our dark web scan will detail which accounts and passwords have been breached, so you can directly uncover which accounts could have been compromised.
  2. Change those passwords immediately: Change passwords on any accounts that use that username and password combination. Always aim to use a different password for every account - our random password generator might be helpful. Consider investing in a password management tool if you don’t have one already.
  3. Investigate any potentially affected accounts: Take a look at the access logs on that account. Have criminals been able to access the account? Have they accessed any data? Have they made any changes to access or privileges? Have the associated email addresses or phone numbers received any social engineering messages relating to these logins that might be further efforts to compromise the account?
  4. Enable Multi-Factor Authentication: Enable authentication beyond just username and password. Authentication apps that offer a one-time pass, biometric authentication, or even hardware authentication devices provide much more robust authentication than a mere password. It might also be helpful to understand the inherent limitations of passwords, and explore the benefits of passwordless authentication.
  5. Check your data logs: Establish whether any of your business critical information has been accessed, taken, or tampered with, preferably using logs outside of the afflicted accounts.
  6. Assess Regulatory Requirements: Establish whether your breach requires you to notify regulatory bodies like the ICO.
  7. Implement Stringent Access Controls: If possible, limit access to your critical systems in whatever other ways you can, e.g., restricting access only to geographical areas that make sense for your organisation.
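
As an added example (not Penken Technology's code, and not part of their scan), steps 1, 3 and 7 above can be run as a triage over an exported sign-in log: take the accounts named in a breach report and flag sign-ins from unexpected countries and any access or privilege changes. The CSV layout, event names, accounts and country codes below are constructed for illustration and do not match any particular vendor's export.

```python
import csv
import io

# Constructed sample data: hypothetical accounts, events and log layout.
BREACHED = {"alice@example.co.uk", "bob@example.co.uk"}  # step 1: accounts in the report
EXPECTED_COUNTRIES = {"GB"}                              # step 7: where staff normally sign in
SENSITIVE_EVENTS = {"mfa_method_added", "inbox_rule_created", "role_assigned"}

SAMPLE_LOG = """\
timestamp,user,event,country,result
2025-06-20T08:01:00Z,alice@example.co.uk,sign_in,GB,success
2025-06-21T02:14:00Z,alice@example.co.uk,sign_in,ZZ,failure
2025-06-21T02:15:00Z,alice@example.co.uk,sign_in,ZZ,success
2025-06-21T02:19:00Z,alice@example.co.uk,inbox_rule_created,ZZ,success
2025-06-21T09:30:00Z,bob@example.co.uk,sign_in,GB,success
2025-06-21T10:00:00Z,carol@example.co.uk,sign_in,ZZ,success
"""

def triage(log_text, breached=BREACHED, expected=EXPECTED_COUNTRIES):
    """Step 3: return {user: [(timestamp, country, note), ...]} for breached accounts."""
    findings = {}
    for row in csv.DictReader(io.StringIO(log_text)):
        user = row["user"].strip().lower()
        if user not in breached:
            continue  # only review accounts named in the breach report
        ok = row["result"] == "success"
        if row["event"] == "sign_in" and row["country"] not in expected:
            # Failed attempts matter too: they show the credentials are being tried.
            note = ("successful" if ok else "failed") + " sign-in from unexpected country"
        elif row["event"] in SENSITIVE_EVENTS and ok:
            note = "access or privilege change: " + row["event"]
        else:
            continue  # routine activity from an expected location
        findings.setdefault(user, []).append((row["timestamp"], row["country"], note))
    return findings

if __name__ == "__main__":
    for user, items in triage(SAMPLE_LOG).items():
        print(user)
        for ts, country, note in items:
            print(f"  {ts} [{country}] {note}")
```

An account with a successful unexpected sign-in followed by an inbox rule or MFA change is the one to prioritise for password reset, session revocation and the data-log review in step 5.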

Need Help Fending Off Cyber Threats?

Whether you’ve discovered you have some credentials floating around the dark web, you’ve suffered some other kind of breach, or you just want some help in shoring up your cyber defences, the team at Penken Technology can help.

Just book a quick chat with Mark, our head techie, to get things started.

Not sure if your credentials have been breached? Request your free dark web scan here.

Learn more about Penken Technology: Book Your Free IT Check-Up Today.

Take the first step towards stress-free IT today. Book a quick, free, no-obligation chat with our head techie, Mark, to see if working with Penken Technology is right for your business.
