
One in Eight Workers Has Sold Corporate Login Credentials, Cifas Finds


A new report from Cifas — the UK's leading fraud prevention organization — reveals that 13% of UK employees admit to selling company login credentials in the past 12 months, or know a colleague who has. The finding, from Cifas's Workplace Fraud Trends survey of 2,000 employees at companies with more than 1,000 staff, quantifies an insider-enabled access pathway that most enterprise security programs are poorly positioned to detect or deter.

The Cifas Data: Technical and Statistical Details

The Cifas survey asked UK employees at large enterprises (1,000+ staff) whether they had sold their corporate credentials in the past 12 months or knew of a colleague who had. Thirteen percent — approximately one in eight — answered yes.

Corporate credentials sold in this context include:

  • Username and password combinations for enterprise systems: ERP (Enterprise Resource Planning — financial and operations management software like SAP or Oracle E-Business Suite), CRM (Customer Relationship Management — platforms like Salesforce), email, and cloud portals
  • VPN (Virtual Private Network) access credentials — granting direct network-level access to internal infrastructure
  • Privileged account credentials: administrator accounts, service accounts, shared administrative logins
  • MFA (Multi-Factor Authentication) codes or recovery codes — enabling attackers to bypass the second authentication layer
  • SSO (Single Sign-On) tokens — persistent session credentials that grant access to multiple systems simultaneously

When sold to criminals, these credentials enable insider-access attacks — intrusions that authenticate as a legitimate, trusted user. Many security controls that rely on behavioral baselines, impossible-travel detection, or IP reputation are less effective against this threat: an attacker using purchased credentials during normal business hours, from the correct geographic location, generates few alerts in most SIEM (Security Information and Event Management — software that aggregates and correlates security logs for threat detection) configurations.

The "Justifiability" Pattern: The More Dangerous Finding

Beyond the 13% prevalence, the Cifas data reveals a pattern that has direct implications for which accounts represent the greatest insider risk:

| Role | Consider credential selling justifiable |
|------|------------------------------------------|
| General employees | 13% |
| Senior managers | 32% |
| Directors | 36% |
| C-suite executives | 43% |
| Business owners | 81% |

This pattern is operationally significant because senior account privileges are the most valuable on the criminal market. C-suite and director-level credentials typically access:

  • Financial systems with transaction authority
  • M&A (Mergers and Acquisitions) documents and strategic planning materials under NDA
  • HR systems containing salary data, personal information, and disciplinary records
  • Board-level communications and investor relations materials
  • Administrative interfaces for cloud infrastructure and security tooling

If C-suite executives are the population most likely to view credential selling as "justifiable" — at 43%, nearly half — then the accounts with the highest market value on the Initial Access Broker (IAB) market carry the least psychological resistance to sale. IABs (a class of cybercriminal that specializes in acquiring and reselling verified network access to ransomware operators and other threat actors) pay between $50 and $100,000 per access, with price determined by the organization's size, sector, and the privilege level of the account in question.

The justifiability gradient tracks with organizational power research: individuals who hold significant authority often rationalize side benefits as compensation they are owed. For security programs, this means awareness training focused exclusively on general employees misses the population most likely to act.

Exploitation Status and Threat Landscape

Credential-based initial access via insider sources is a documented factor in confirmed major breaches. The 2024 Snowflake breach — in which threat actors accessed customer data at Santander, Ticketmaster, LendingTree, and more than 160 other organizations — originated with stolen credentials, not zero-day exploitation. The ShinyHunters group, responsible for this week's Vimeo breach (119,000 records via supply chain partner Anodot) and the Instructure breach (280 million student records from 8,800 educational institutions), relies on credential acquisition as a primary access method.

When insiders actively sell credentials rather than losing them to phishing or malware, the threat model changes materially:

  • The attacker receives pre-selected credentials — not a random harvest from a phishing campaign, but credentials specifically from an organization of known value
  • The attacker may receive insider context — information about the organization's network structure, monitoring gaps, business hours, and which systems the account accesses
  • The account behaves normally for longer — purchased credentials used within normal working patterns generate fewer alerts than attacker-controlled sessions originating from unusual locations or times

CISA classifies credential selling as malicious insider activity (distinguished from inadvertent insider behavior such as clicking a phishing link). The UK NCSC's annual threat reports document organized crime groups actively recruiting insiders at financial services firms and critical infrastructure operators, offering payments ranging from hundreds to tens of thousands of pounds.

Who Is Affected

The Cifas survey sample — 2,000 employees at UK companies with 1,000+ staff — reflects the large enterprise environment where credential markets are most developed and most active. The 13% finding is a UK measurement, but the underlying market dynamics are global: IAB marketplaces operate internationally, and the normalization of credential selling is not geographically constrained.

Sectors at elevated risk based on IAB market pricing and criminal demand:

  • Financial services — banking system credentials, trading platform access, and SWIFT (Society for Worldwide Interbank Financial Telecommunication — the messaging network used for international bank transfers) network accounts command the highest IAB prices
  • Healthcare — EHR (Electronic Health Record) system access enables medical identity fraud, insurance fraud, and ransomware staging
  • Defense and government contractors — access to classified or export-controlled systems
  • Technology companies — source code repository credentials, cloud infrastructure admin accounts, and customer data platform access

Any large organization with employees who perceive credential selling as low-risk and financially rational should treat the Cifas findings as directly applicable, regardless of geography.

What You Should Do Right Now

  • Review privileged access controls for senior accounts. C-suite and director-level accounts should use just-in-time (JIT) access provisioning — granting elevated permissions only when needed and for defined time windows — rather than permanent standing privileges. Session monitoring should be enhanced for these accounts.
  • Deploy UEBA (User and Entity Behavior Analytics — software that builds behavioral baselines for accounts and flags deviations consistent with compromise or misuse). Purchased credentials used by an external threat actor behave differently from the legitimate user over time: different access sequences, different data volumes, different working patterns. UEBA is the primary technical control that catches this.
  • Enforce short-lived MFA and session token expiration on all high-value systems. Sold credentials become significantly less valuable if every session requires a fresh MFA challenge and tokens expire within hours.
  • Run insider threat awareness training that explicitly covers credential selling — not just phishing hygiene. Employees at all levels, including senior management, should understand that selling credentials constitutes computer fraud under the UK Computer Misuse Act (and equivalent legislation globally) and carries criminal penalties including imprisonment.
  • Conduct periodic dark web monitoring for credentials associated with your organization's email domains. Services including Have I Been Pwned Enterprise, Recorded Future Identity Intelligence, and Mandiant Advantage Threat Intelligence alert on credential exposure in criminal markets before attackers leverage it — giving defenders a window to force password resets and session invalidation.
  • Review the Cifas Workplace Fraud Trends Report for additional findings on internal fraud vectors relevant to your organization's insider threat posture.
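The two points above that matter most for detection engineering are that geography- and time-based checks stay quiet against purchased credentials used in business hours from the right country, while behavioral baselines (systems touched, data volume) still move. The following is an added illustration, not code from Cifas or from this article, of a minimal UEBA-style baseline check over constructed access-log records. The record schema (user, ISO timestamp, country, system, bytes downloaded), the account name "cfo", the system names and the volumes are all hypothetical sample data invented for the example.

```python
"""Minimal UEBA-style baseline deviation check (added example; hypothetical schema)."""
from collections import defaultdict
from datetime import datetime, timedelta
from statistics import mean, pstdev

# Constructed baseline: four working days of ordinary activity for one senior account.
# Fields: (user, ISO timestamp, country, system, bytes downloaded)
BASELINE = [
    ("cfo", "2024-05-06T09:12:00", "GB", "erp", 1_200_000),
    ("cfo", "2024-05-06T11:40:00", "GB", "email", 300_000),
    ("cfo", "2024-05-07T09:05:00", "GB", "erp", 1_400_000),
    ("cfo", "2024-05-07T14:20:00", "GB", "board-portal", 800_000),
    ("cfo", "2024-05-08T10:01:00", "GB", "erp", 1_100_000),
    ("cfo", "2024-05-08T15:30:00", "GB", "email", 250_000),
    ("cfo", "2024-05-09T09:45:00", "GB", "erp", 1_300_000),
    ("cfo", "2024-05-09T16:10:00", "GB", "board-portal", 900_000),
]

# Constructed sessions after the credential has changed hands: same country and
# business hours as before, but two systems the account never used and a bulk pull.
NEW = [
    ("cfo", "2024-05-13T10:15:00", "GB", "erp", 1_250_000),          # looks ordinary
    ("cfo", "2024-05-13T10:50:00", "GB", "hr-records", 45_000_000),  # new system, bulk volume
    ("cfo", "2024-05-13T11:05:00", "GB", "source-repo", 2_000_000),  # new system
]


def build_baseline(events):
    """Per-user profile: systems and countries seen, hours of activity, volume stats."""
    per_user = defaultdict(list)
    for user, ts, country, system, nbytes in events:
        per_user[user].append((datetime.fromisoformat(ts), country, system, nbytes))
    baseline = {}
    for user, rows in per_user.items():
        volumes = [r[3] for r in rows]
        baseline[user] = {
            "systems": {r[2] for r in rows},
            "countries": {r[1] for r in rows},
            "hours": {r[0].hour for r in rows},
            "mean": mean(volumes),
            "sd": pstdev(volumes) or 1.0,  # avoid division by zero on a flat baseline
        }
    return baseline


def score_event(baseline, event, prev_event=None, z_threshold=3.0):
    """Return the list of deviation reasons for one event (empty list = nothing unusual)."""
    user, ts, country, system, nbytes = event
    prof = baseline.get(user)
    if prof is None:
        return ["unknown_user"]
    t = datetime.fromisoformat(ts)
    reasons = []
    # Location / travel checks: the ones a purchased credential used locally will pass.
    if country not in prof["countries"]:
        reasons.append("new_country")
    if prev_event is not None and prev_event[2] != country:
        if abs(t - datetime.fromisoformat(prev_event[1])) < timedelta(hours=1):
            reasons.append("impossible_travel")
    if t.hour not in prof["hours"] and not 8 <= t.hour <= 18:
        reasons.append("off_hours")
    # Behavioral checks: which systems the account touches and how much it pulls.
    if system not in prof["systems"]:
        reasons.append(f"new_system:{system}")
    z = (nbytes - prof["mean"]) / prof["sd"]
    if z > z_threshold:
        reasons.append(f"volume_z={z:.1f}")
    return reasons


def detect(baseline, events, only=None):
    """Score events in time order; `only` restricts reporting to a subset of check names."""
    flagged, prev_by_user = [], {}
    for ev in sorted(events, key=lambda e: e[1]):
        reasons = score_event(baseline, ev, prev_by_user.get(ev[0]))
        prev_by_user[ev[0]] = ev
        if only is not None:
            reasons = [r for r in reasons if r.split(":")[0].split("=")[0] in only]
        if reasons:
            flagged.append((ev[1], ev[3], reasons))
    return flagged


GEO_TIME_CHECKS = {"new_country", "impossible_travel", "off_hours"}

if __name__ == "__main__":
    prof = build_baseline(BASELINE)
    print("geo/time checks only:", detect(prof, NEW, only=GEO_TIME_CHECKS))  # nothing
    for when, system, why in detect(prof, NEW):
        print(when, system, why)
```

Run as-is, the geography and time-of-day checks alone report nothing for the new sessions, while the full scorer flags the HR and source-repository sessions on the new-system and volume checks. A production UEBA product does the same thing with far richer features and peer-group comparison, but the dependency is identical: the baseline has to exist for senior accounts before the credential is sold, which is why the point above about enhanced session monitoring for C-suite and director accounts comes first.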

Background: The Insider Credential Economy

The credential marketplace operates on a tiered structure. At the low end, automated infostealer malware — LummaC2, Vidar, RedLine — harvests credentials from infected machines and sells them in bulk on Telegram channels for $5–50 per batch. At the high end, IABs sell curated, verified access to specific enterprise networks — access sometimes sourced directly from employees who made a deliberate decision to sell rather than from malware infection.

The Cifas data suggests high-end, deliberate insider supply is more prevalent than the security community typically acknowledges. Thirteen percent of employees in a large-enterprise sample is not a marginal edge case — it represents a material and measurable insider threat risk at scale.

The intersection of several factors sustains the market:

  • Financial pressure on employees has increased across sectors, raising the appeal of supplemental income
  • Low perceived risk of detection — employees reasonably assess that employers are better at detecting external attacks than internal credential sales
  • Normalization at senior levels — when C-suite executives at 43% view credential selling as justifiable, the organizational culture does not function as a deterrent
  • A well-functioning criminal market with reliable buyers, escrow-style transaction mechanisms on marketplace platforms, and payment in cryptocurrency that reduces traceability

The security program implication is structural: external-focused threat detection — firewalls, EDR, phishing filters, network intrusion detection — does not see insider credential sales because the attack begins outside the organization's visibility. The credential is sold in a criminal marketplace, used by an attacker who authenticates legitimately, and generates logs indistinguishable from normal user activity. Detection requires UEBA, privileged access monitoring, and dark web intelligence — tools that many large organizations have deployed incompletely or not at all.

Conclusion

One in eight workers at large UK enterprises has sold or knows someone who has sold corporate credentials — and nearly half of C-suite executives consider it justifiable. Organizations relying on perimeter controls and phishing training to address this risk are looking in the wrong direction. Privileged account monitoring, UEBA deployment, short-lived session tokens, and insider-threat-aware awareness training are the controls directly relevant to the vector the Cifas data quantifies.
