Over 460k instances of stolen employee credentials discovered across FTSE 100, Socura report reveals

New research in partnership with Flare highlights growing threat from infostealer malware, weak passwords, and the targeting of UK business leaders

News
November 18, 2025

Cardiff, Wales, 11th November 2025 – Socura, a UK-based cyber security services provider that protects many of the nation’s biggest NHS trusts, councils, and private companies, has released its report, ‘FTSE 100 for sale’. Produced in partnership with Flare, the leader of threat exposure management, the report reveals the alarming scale of stolen employee credentials across the UK’s largest companies.

Following an analysis of cybercrime communities across the clear and dark web, the report found more than 460,000 instances of stolen credentials linked to FTSE 100 employees. The rising dangers of infostealer malware and the continued use of weak passwords are also highlighted.

Key findings of the report include:

  • 15 FTSE companies have more than 10,000 instances of stolen credentials available online. One company has over 45,000 instances
  • 28,000 instances of corporate credentials from FTSE 100 businesses leaked via infostealer logs
  • 59% of FTSE 100 companies have at least one employee using‘ password’ as a password
  • Evidence of a potential death threat made against a FTSE 100 CEO
“The FTSE 100 includes some of the largest and most trusted brands in the UK”, said Andrew Kays, CEO at Socura. “Yet our analysis shows that these companies struggle with the same core cybersecurity concerns as other businesses. A rise in infostealer malware is leading to the theft of credentials on a huge scale, and the problem is being made worse by the common practice of employees using the same weak passwords for both work and personal accounts.”

Stolen passwords pose a severe threat to organisations because they are commonly sold on dark web forums to more technically skilled criminals who use them to infiltrate systems and deploy ransomware.

“Cybercriminals are opportunists”, said Anne Heim, Threat Intelligence Lead at Socura. “Most won't waste precious time hacking for credentials when they can easily find or buy them online. Implementing Multi-Factor Authentication (MFA) using passkeys, monitoring threat exposure for new data leaks, and swiftly detecting and responding to malware and suspicious logins need to be considered part of the baseline all businesses need to achieve to minimise risks.”
“Our collaboration with Socura highlights how actionable threat intelligence can uncover the real scope of cyber risk facing even the most well-resourced organisations,” said Andrew Bartlam, VP of Channel & Global Alliances at Flare
“There’s no doubt anymore that identity is the new perimeter. With the industry’s most comprehensive collection of darkweb and cybercrime data sources, Flare can not only detect active leaked credentials the moment they appear, but also validate whether they’re still live — enabling immediate remediation, password resets, and mitigation before attackers can sell and exploit them. In effect, the second those credentials pop their heads up out of their dark hole, Flare is waiting — with a baseball bat — to nullify their impact.”
Methodology

Using the FlareThreat Exposure Management platform, researchers from Socura and Flare analysed the domains of every FTSE 100 company to find leaked credentials. The Flare platform monitors the clear and dark web, including more than 58,000 cybercrime communities and forums.

The figures stated in the report represent the aggregate number of credential instances discovered, not necessarily the number of unique employee accounts compromised.

Recommendations

To strengthen security posture against the risks of leaked and stolen credentials, Socura recommends that organisations implement the following steps:

  • Enforce strong password policies by following NCSC best practices and educating employees on creating unique passwords and using a password manager.
  • Implement multi-factor authentication as a standard across all devices and services to drastically reduce the impact of leaked credentials. The use of passkeys and other phishing-resistant forms of MFA is strongly advised over other forms of authentication, which can be susceptible to adversary-in-the-middle attacks.
  • Use conditional access policies to grant or block user access based on factors like authentication strength, device compliance status, and user risk level.
  • Monitor your attack surface proactively by regularly checking for leaked credentials and immediately resetting passwords for any compromised accounts.
  • Manage the risks of personal devices by implementing a clear Bring Your Own Device(BYOD) policy that requires MFA for accessing any work-related services
  • Implement robust detection controls to alert on suspicious behaviour, such as unusual logins and activity that could identify infostealer malware.
Resources
About Socura

Socura is a Managed Detection and Response provider bringing the power of calm to organisations across the UK. In a never-changing landscape, we empower teams with the clarity, control, and confidence to minimise cyber security risk and thrive.

Trusted by businesses and critical infrastructure, we deliver a precise, measured, and personal service that shuts down threats swiftly and effectively. We’re proud to be ranked among the top 250 managed security service providers globally.

About Flare

Flare is the leader in Threat Exposure Management, helping global organisations detect high-risk exposures found on the clear and dark web. Combining the industry’s best cybercrime database with a ridiculously intuitive user experience, Flare enables customers to reclaim the information advantage and make cybercrime irrelevant.

Contact

Mike Marquiss

Decoded Comms

[email protected]