A little over 21 million login credentials stolen from Fortune 500 companies have been found in various places on the dark web, many of them already cracked and available in plaintext form.

The information was compiled by crawling multiple resources, like markets in the Tor network, web forums, Pastebin, IRC channels, social networks, and messenger chats.

Cracked passwords ahead

21,040,296 is the exact number of credentials belonging to companies ranking in the first 500 that security researchers found on the web.

Most of them were from tech companies, closely followed by organizations in the financial industry. Entities in the healthcare, energy, telecommunications, retail, industrial, transport, aerospace and defense sectors are also on the list.

Not all of them are fresh, though. ImmuniWeb says in a report published today that 16,055,871 of the credentials they found were compromised in the past 12 months.

However, the researchers reveal a worrying statistic: "95% of the credentials contained unencrypted, or brute-forced and cracked by the attackers, plaintext passwords."

Using machine learning technology, the researchers were able to determine the accuracy and reliability of the data set by cleaning it of fake leaks, duplicates and default passwords set automatically.

Hilariously weak popular passwords

Despite finding as many as 21 million login records, the report notes that only 4.9 million of them were unique, "suggesting that many users are using identical or similar passwords."

Of course the most insecure password and variations of it are present in the data set; and they were found in data sets for companies in almost all verticals, except the financial one, where users relied on other, equally weak logins.

Although it was not the most popular in all cases, "password" and its variants exist in the top five most used passwords.

A simple glance at the passwords below makes it clear that companies still haven't learned how to protect access to their assets and that recommendation for using a strong password flew right past them.

Even an uncomplicated phrase that does not use special symbols, numbers or upper case letters is better than any of them.

According to the report, the weakest logins were from the retail industry, where almost half of the passwords were less than eight characters long and could be found in common dictionaries.

However, companies in other industries are not far behind in this. Most industries in the top ten with the weakest passwords from ImmuniWeb's report have a third or more logins that could be cracked in seconds.

The researchers note that about 11% of the passwords from a data breach are identical. This could be explained by the use of default passwords, bots creating accounts.

A reset procedure that defined the same password for a large number of accounts is another possibility, ImmuniWeb says. Additionally, there may be a connection between the number of subdomains with a poor web security grade (C or F) and the exposed credentials as they are proportional.

Ilia Kolochenko, CEO and Founder of ImmuniWeb says that cybercriminals focus on the shortest, least resistant path to get what they want. Given the login data in the report, they have no trouble getting their prize.