Over a million email addresses from the UK’s 500 top law firms were found on the Dark Web, according to Securing the Law Firm, a study by cybersecurity vendor RepKnight.
Overall, 1.16 million credentials were available on the Dark Web and dump/paste sites, for an average of 2,000 email addresses per law firm. Almost 800,000 contained passwords, most often visible as plain text.
The exposure leaves the firms vulnerable to phishing scams and data theft, RepKnight says.
Among the exposed credentials were 80,000 addresses from the industry’s Magic Circle Top 20, and 30,000 from the largest firm alone.
Most of the information was exposed through third-party data breaches — for example, when a corporate email address had been used on a site like LinkedIn or Dropbox that was later compromised.
More than half of the exposed credentials had been posted within the last six months.
The breached passwords put “staff — and the law firm’s network — at significant risk from ‘credential stuffing’ attacks, where bots are used to repeatedly try the same username and password on multiple sites,” the study states.
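A credential-stuffing run of the kind the study describes has a recognisable shape in a firm's own authentication logs: one source tries many different accounts in a short burst, almost all of them failing, with the occasional success marking an account whose leaked password still works. The following detector is an added example written for this article, not code from RepKnight or its BreachAlert platform; it assumes a hypothetical log format (`timestamp ip account SUCCESS|FAIL`) and runs over a small constructed sample, flagging source IPs that hit at least five distinct accounts within five minutes with a failure ratio of 75% or more, and listing any accounts that did succeed so they can be reset first.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample authentication log (hypothetical format, not data from the study):
# "<ISO timestamp> <source IP> <account> <SUCCESS|FAIL>"
SAMPLE_AUTH_LOG = """\
2024-01-10T09:00:01 203.0.113.7 alice@example-law.test FAIL
2024-01-10T09:00:02 203.0.113.7 bob@example-law.test FAIL
2024-01-10T09:00:03 203.0.113.7 carol@example-law.test FAIL
2024-01-10T09:00:04 203.0.113.7 dave@example-law.test FAIL
2024-01-10T09:00:05 203.0.113.7 erin@example-law.test SUCCESS
2024-01-10T09:00:06 203.0.113.7 frank@example-law.test FAIL
2024-01-10T09:10:00 198.51.100.5 alice@example-law.test FAIL
2024-01-10T09:10:30 198.51.100.5 alice@example-law.test FAIL
2024-01-10T09:11:00 198.51.100.5 alice@example-law.test SUCCESS
2024-01-10T09:12:00 192.0.2.9 bob@example-law.test SUCCESS
"""


def parse_auth_log(text):
    """Parse log lines into (timestamp, ip, account, succeeded) tuples."""
    events = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        ts, ip, account, result = line.split()
        events.append((datetime.fromisoformat(ts), ip, account.lower(), result == "SUCCESS"))
    return events


def detect_credential_stuffing(events, window=timedelta(minutes=5),
                               min_accounts=5, min_fail_ratio=0.75):
    """Flag source IPs that, within `window`, attempt at least `min_accounts`
    distinct accounts with a failure ratio of at least `min_fail_ratio`.

    Returns {ip: summary}; the summary records the widest burst seen for that IP
    and the accounts that succeeded inside it (candidates for a forced reset).
    A single account failing repeatedly from one IP is NOT flagged here: that
    pattern is ordinary brute force or a mistyped password, not stuffing.
    """
    by_ip = defaultdict(list)
    for ts, ip, account, ok in events:
        by_ip[ip].append((ts, account, ok))

    flagged = {}
    for ip, evs in by_ip.items():
        evs.sort()
        recent = deque()  # sliding window of events within `window` of the newest
        for ts, account, ok in evs:
            recent.append((ts, account, ok))
            while recent and ts - recent[0][0] > window:
                recent.popleft()
            accounts = {a for _, a, _ in recent}
            failures = sum(1 for _, _, ok2 in recent if not ok2)
            ratio = failures / len(recent)
            if len(accounts) >= min_accounts and ratio >= min_fail_ratio:
                summary = {
                    "distinct_accounts": len(accounts),
                    "attempts": len(recent),
                    "failure_ratio": round(ratio, 2),
                    "succeeded": sorted(a for _, a, ok2 in recent if ok2),
                }
                prev = flagged.get(ip)
                if prev is None or summary["distinct_accounts"] > prev["distinct_accounts"]:
                    flagged[ip] = summary
    return flagged


if __name__ == "__main__":
    for ip, info in detect_credential_stuffing(parse_auth_log(SAMPLE_AUTH_LOG)).items():
        print(f"{ip}: {info['distinct_accounts']} accounts in {info['attempts']} attempts, "
              f"failure ratio {info['failure_ratio']}, succeeded: {info['succeeded']}")
```

On the sample, only 203.0.113.7 is flagged: six distinct accounts in six attempts with one success (erin), which is the account to reset and review. The second IP retrying alice's password three times is not stuffing and is left to ordinary lockout policy. The thresholds are deliberately conservative; tune `min_accounts` and `window` against a baseline of your own login volume before alerting on them.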
RepKnight profiled 620 domains belonging to 500 law firms, using its BreachAlert Dark Web monitoring platform. Each law firm had at least one credential compromised. There was no suggestion the firms were hacked.
“The truth is that no company in the world is safe from the threat of the Dark Web,” states Patrick Martin, cybersecurity analyst at RepKnight.
He adds: “The top 500 law firms RepKnight analyzed almost certainly haven’t done anything wrong cybersecurity-wise, but all it takes for a breach to occur nowadays is for a single employee to accidentally fall for a phishing email or send sensitive data via email accidentally to the wrong person. It’s almost impossible to prevent.”