UK law firms have leaked over a million email addresses (most with passwords) online

In excess of a million email addresses and hacked credentials taken from some of the UK’s foremost legal firms are floating around on the dark web, according to a new report.

To be precise, security outfit RepKnight reckons that it found almost 1,160,000 email addresses drawn from the top 500 UK legal firms, with the largest company having over 30,000 email addresses exposed on the dark web.

More worrying was the fact that 80% of those email addresses had been exposed via third-party security breaches which also contained password details – with the latter often in plaintext (i.e. not encrypted or protected in any manner).

Almost all of these details had been exposed by big third-party data breaches, incidentally. Even if the emails aren’t linked to passwords – or those passwords are properly encrypted – cybercriminals can still use the email addresses themselves to launch targeted spear phishing attacks with the goal of obtaining a password.

No one is safe

Patrick Martin, cybersecurity analyst at RepKnight, commented: “The truth is that no company in the world is safe from the threat of the dark web. The top 500 law firms RepKnight analysed almost certainly haven’t done anything wrong cybersecurity-wise, but all it takes for a breach to occur nowadays is for a single employee to accidentally fall for a phishing email or send sensitive data via email accidentally to the wrong person. It’s almost impossible to prevent.

“The data we found represents the easiest data to find – we just searched on the corporate email domain. A far bigger issue for law firms is data breaches of highly sensitive information about client cases, customer contact information, or employee personal info such as home addresses, medical records and HR files.”

Martin recommends that all companies operate a ‘dark web monitoring’ solution of some kind, so they are alerted if any leaked credentials are spilled in the dark corners of the net.

Darren is a freelancer writing news and features for TechRadar (and occasionally T3) across a broad range of computing topics including CPUs, GPUs, various other hardware, VPNs, antivirus and more. He has written about tech for the best part of three decades, and writes books in his spare time (his debut novel - 'I Know What You Did Last Supper' - was published by Hachette UK in 2013).