Your Staff’s Credentials Could Be For Sale Right Now
Cyber Security | All Industries | 6 min read
Somewhere on the internet, there is a list. It contains email addresses and passwords belonging to businesses across the North West. Accounting practices, recruitment agencies, law firms, financial advisers. Some of those credentials still work. Most of those businesses have no idea.
Want to know if your team is on one of those lists? We run credential exposure checks for businesses across Liverpool, Wirral, Chester, and the wider North West. Takes 30 seconds to start.
Request a credential exposure check →
How Business Credentials End Up For Sale
It does not happen the way most people imagine. Nobody “hacks” your business directly. The typical path looks like this:
- A third-party service gets breached. A supplier, a software platform, an online tool your staff signed up to years ago. Their database gets stolen.
- The stolen data gets packaged. Email addresses, passwords (sometimes hashed, sometimes plain text), names, phone numbers. Bundled into files containing millions of records.
- The data ends up on criminal marketplaces. Sold in bulk, traded, or dumped publicly. Your staff member’s work email and the password they used on that third-party site are now available to anyone willing to look.
- Attackers test those credentials everywhere. If your staff member used the same password (or a variation of it) for their work email, Microsoft 365, or practice management software, the attacker is in. No phishing required. No malware needed. They just log in.
This is why 85% of cyber attacks in the UK start with compromised credentials or phishing (DSIT Cyber Security Breaches Survey 2025). Attackers do not break in. They log in.
What a Credential Exposure Check Actually Reveals
When we run a credential exposure check against a business domain, we are searching the same databases that attackers use. Here is what a typical check looks like for a 15-person professional services firm:
Typical findings (composite example, not a specific business):
- 8 out of 15 staff have at least one credential exposed in a known breach
- 3 of those have passwords exposed in plain text (not just hashed)
- 2 credentials appeared in breaches within the last 12 months
- 1 senior partner’s email appears across 4 separate breach databases
- Exposed sources include: LinkedIn (2012 breach, still circulating), Dropbox, Adobe, and a niche industry platform
The numbers vary. Some businesses come back clean. Most do not. The pattern we see is that longer-established firms with senior staff tend to have more exposure, simply because those email addresses have been in use longer and registered on more services over the years.
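The checks described above match staff email addresses against breach databases. The same idea applies to passwords themselves, and the standard way to do it without handing the password to anyone is the k-anonymity range query used by the Pwned Passwords service: hash the password with SHA-1, send only the first five hex characters, and compare the returned list of suffixes locally. The example below is added here to show that mechanism; it is not the tool we use, and the range response it checks against is a constructed sample with made-up counts (the endpoint URL is the real one, but the offline lookup never calls it).

```python
import hashlib
from typing import Callable, Dict, Tuple

# Real Pwned Passwords range endpoint. Only a 5-character hash prefix is ever
# sent to it; the full hash and the password stay on this machine.
RANGE_API = "https://api.pwnedpasswords.com/range/"

# Constructed sample of a range response for prefix 5BAA6. Each line is the
# remaining 35 hex characters of a SHA-1 hash and a breach count. The first
# line is the real suffix of sha1("password"); the counts and other lines
# are made up for this example.
SAMPLE_RANGE_RESPONSE = """\
1E4C9B93F3F0682250B6CF8331B7EE68FD8:3730471
0C8A93F5E4E2F4C7B6D1A9B3C0D2E5F7A1B:3
FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF:12
"""


def split_hash(password: str) -> Tuple[str, str]:
    """Return (prefix, suffix): first 5 and remaining 35 hex chars of SHA-1."""
    digest = hashlib.sha1(password.encode("utf-8")).hexdigest().upper()
    return digest[:5], digest[5:]


def parse_range_response(body: str) -> Dict[str, int]:
    """Parse 'SUFFIX:COUNT' lines into a suffix -> count mapping."""
    counts: Dict[str, int] = {}
    for line in body.splitlines():
        line = line.strip()
        if not line:
            continue
        suffix, _, count = line.partition(":")
        counts[suffix.upper()] = int(count)
    return counts


def breach_count(password: str, range_lookup: Callable[[str], str]) -> int:
    """How many times the password appears in breach data (0 if not seen).

    range_lookup takes the 5-char prefix and returns the response body for
    that range; the suffix comparison happens locally.
    """
    prefix, suffix = split_hash(password)
    return parse_range_response(range_lookup(prefix)).get(suffix, 0)


def offline_lookup(prefix: str) -> str:
    """Stand-in for the network call, serving the constructed sample only."""
    return SAMPLE_RANGE_RESPONSE if prefix == "5BAA6" else ""


def fetch_range(prefix: str) -> str:
    """Live lookup against the real API (requires network; not run in tests)."""
    import urllib.request
    with urllib.request.urlopen(RANGE_API + prefix, timeout=10) as resp:
        return resp.read().decode("utf-8")


if __name__ == "__main__":
    for candidate in ("password", "Correct-Horse-Battery-Staple-2025!"):
        n = breach_count(candidate, offline_lookup)
        verdict = f"seen {n} times in breach data" if n else "not in sample range data"
        print(f"{candidate!r}: {verdict}")
```

To run this against live data, pass `fetch_range` instead of `offline_lookup`; a password with a non-zero count should be treated as already known to attackers, whatever its length or complexity.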
Why This Matters More Than You Think
It only takes one working credential
If an attacker gets into one email account, they can:
- Read every email in that inbox (client data, financial details, internal discussions)
- Send emails as that person (invoice fraud, impersonation, phishing your clients)
- Reset passwords on other systems using that email as recovery
- Sit quietly for months, reading and waiting for the right moment
The average time to detect a breach in the UK is 232 days (IBM Cost of a Data Breach 2025). That is nearly 8 months of someone reading your emails before anyone notices.
Your industry makes it worse
Accountants: Client bank details, tax returns, National Insurance numbers. An attacker in your email during tax season has access to everything they need for identity fraud. With the April 5 deadline approaching, the pressure to keep working makes it harder to spot something unusual.
Recruitment agencies: Candidate CVs, passport copies, right-to-work documents, payroll data. GDPR requires you to protect this data. A breach means an ICO notification, not just an inconvenience.
Law firms: Client confidentiality is an SRA requirement, not a suggestion. A compromised email account that exposes privileged communications creates regulatory exposure on top of the security incident itself.
Financial services: FCA-regulated firms face Consumer Duty obligations around data protection. A credential-based breach can trigger Section 166 reviews, where the average cost is £460,000 (FCA FOI disclosure 2023/24).
Find Out in 30 Seconds
We run credential exposure checks for businesses across the North West. You get a report showing which staff are exposed, where the breach came from, and what to do about it. No sales pitch required.
Request Your Check
Or call us directly: 0151 452 3060
What To Do If Your Credentials Are Exposed
If you suspect (or discover) that staff credentials have been compromised, here is what to do immediately:
1. Change passwords now
Every account that uses the exposed email address needs a new, unique password. Not a variation of the old one. A completely different password. Use a password manager to generate and store them.
2. Enable multi-factor authentication
MFA means that even if an attacker has the password, they cannot get in without a second verification step. Only 40% of UK businesses currently use MFA on their email (DSIT 2025). If you are in the other 60%, this is the single most impactful thing you can do today.
3. Check for signs of existing compromise
Look at recent sign-in activity on your Microsoft 365 or Google accounts. Check for:
- Logins from unfamiliar locations or devices
- Email forwarding rules you did not create (attackers set these to silently copy your mail)
- Sent items you did not send
- Password reset emails for other services
4. Tell your team
This is not something to handle quietly. If one person is exposed, others probably are too. Brief the team, reset affected passwords across the practice, and make MFA mandatory for everyone.
5. Get a proper assessment
A credential exposure check tells you who is exposed. A vulnerability assessment tells you what an attacker could actually do with that access. The two together give you a complete picture of your risk.
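Step 3 above lists the things to look for in sign-in activity and mailbox settings. As an added illustration (not part of the original post, and not our own tooling), the script below runs those checks over a constructed sample of sign-in events and inbox rules in the shape a Microsoft 365 or Google Workspace export would give you after you flatten it: it flags sign-ins from unexpected countries or unmanaged devices, two successful sign-ins from different countries within an hour, a burst of failed attempts followed by a success, and inbox rules that forward mail outside the business or delete it after forwarding. The tenant domain, expected country, device names and user addresses are all assumptions for the example.

```python
from datetime import datetime, timedelta
from typing import Dict, List, Set, Tuple

# Assumed tenant settings for the example.
INTERNAL_DOMAIN = "example.co.uk"            # the business's own mail domain
EXPECTED_COUNTRIES = {"GB"}                  # where staff normally sign in from
KNOWN_DEVICES = {"JANE-LAPTOP", "TOM-PC"}    # managed devices
TRAVEL_WINDOW = timedelta(hours=1)           # two countries inside this = suspicious
FAILURE_BURST = 5                            # failed attempts before a success

# Constructed sample events (not real tenant data). Times are ISO 8601.
SIGN_INS = [
    {"user": "jane@example.co.uk", "time": "2025-03-02T08:55:00", "country": "GB", "device": "JANE-LAPTOP", "success": True},
    {"user": "jane@example.co.uk", "time": "2025-03-02T09:10:00", "country": "NG", "device": "unknown", "success": True},
    {"user": "jane@example.co.uk", "time": "2025-03-02T09:12:00", "country": "GB", "device": "JANE-LAPTOP", "success": True},
] + [
    {"user": "tom@example.co.uk", "time": f"2025-03-02T07:3{i}:00", "country": "GB", "device": "unknown", "success": False}
    for i in range(6)
] + [
    {"user": "tom@example.co.uk", "time": "2025-03-02T07:40:00", "country": "GB", "device": "unknown", "success": True},
]

# Constructed sample inbox rules. A near-empty rule name and forward-then-delete
# are the classic shape of a rule an intruder adds to copy mail quietly.
INBOX_RULES = [
    {"user": "jane@example.co.uk", "name": ".", "forward_to": "jane.smith.backup@gmail.example", "delete_after": True},
    {"user": "tom@example.co.uk", "name": "Invoices to folder", "forward_to": None, "delete_after": False},
]

Finding = Tuple[str, str, str]  # (user, indicator, detail)


def _ts(value: str) -> datetime:
    return datetime.fromisoformat(value)


def review_sign_ins(events: List[dict]) -> List[Finding]:
    """Flag sign-in patterns worth a human look. Only successes are scored,
    but failures are counted so a spray-then-success shows up."""
    findings: List[Finding] = []
    by_user: Dict[str, List[dict]] = {}
    for event in sorted(events, key=lambda e: e["time"]):
        by_user.setdefault(event["user"], []).append(event)

    for user, evs in by_user.items():
        failures = 0
        last_success = None
        for e in evs:
            if not e["success"]:
                failures += 1
                continue
            if e["country"] not in EXPECTED_COUNTRIES:
                findings.append((user, "unfamiliar-location", e["country"]))
            if e["device"] not in KNOWN_DEVICES:
                findings.append((user, "unfamiliar-device", e["device"]))
            if failures >= FAILURE_BURST:
                findings.append((user, "failures-then-success", f"{failures} failures before success"))
            failures = 0
            if (last_success is not None
                    and last_success["country"] != e["country"]
                    and _ts(e["time"]) - _ts(last_success["time"]) < TRAVEL_WINDOW):
                findings.append((user, "impossible-travel", f"{last_success['country']}->{e['country']}"))
            last_success = e
    return findings


def review_inbox_rules(rules: List[dict]) -> List[Finding]:
    """Flag forwarding rules that send mail outside the business or hide it."""
    findings: List[Finding] = []
    for r in rules:
        target = r.get("forward_to")
        if target and not target.lower().endswith("@" + INTERNAL_DOMAIN):
            findings.append((r["user"], "external-forwarding", target))
            if r.get("delete_after"):
                findings.append((r["user"], "forward-and-delete", r["name"]))
        if len(r["name"].strip()) <= 1:
            findings.append((r["user"], "suspicious-rule-name", repr(r["name"])))
    return findings


def users_needing_review(events: List[dict], rules: List[dict]) -> Set[str]:
    """Accounts with at least one indicator: reset these first, then MFA."""
    return {f[0] for f in review_sign_ins(events) + review_inbox_rules(rules)}


if __name__ == "__main__":
    for finding in review_sign_ins(SIGN_INS) + review_inbox_rules(INBOX_RULES):
        print("%-20s %-24s %s" % finding)
    print("Review first:", sorted(users_needing_review(SIGN_INS, INBOX_RULES)))
```

The thresholds are deliberately simple; the point is that each of the four checks in step 3 can be expressed as a rule over data your email platform already records, so they can be run on a schedule rather than only after someone notices something odd.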
The Question Most Businesses Never Ask
Here is a simple test. Ask your IT provider (or whoever manages your technology) two questions:
Two questions to ask today:
- “When did you last check if any of our staff credentials have been exposed in a data breach?”
- “Is multi-factor authentication enabled on every email account in the business?”
If they cannot answer both immediately, that tells you something.
Even if you never work with us, those two questions are worth asking. The answers will tell you whether your current setup is protecting you or just giving you a false sense of security.
Get Your Credential Exposure Check
We check your business domain against known breach databases and show you exactly who is exposed. Takes 30 seconds to request. Results within 24 hours.
Credential Exposure Check
Find out which staff are exposed and where the breaches came from. We will walk you through the results and recommend next steps.
Request Your Check →
Prefer to Talk?
Call us directly. We support businesses across Liverpool, Wirral, Chester, and the wider North West.
0151 452 3060