Research from UK anti-fraud organization Cifas reveals that 13% of employees at large enterprises (those with 1,000+ staff) have either sold their company login credentials or know colleagues who did within the last 12 months. The survey of 2,000 workers uncovered a troubling trend where insiders voluntarily provide access to corporate systems, often believing the practice is harmless. This insider threat compounds the existing problem of compromised credentials, with threat intelligence firm KELA tracking nearly 2.9 billion stolen credentials globally in 2025, most obtained through phishing and infostealer malware.

The problem grows more severe at higher organizational levels. While lower-level employees show some participation in credential sales, 32% of senior managers find the practice justifiable, along with 36% of directors and 43% of C-suite executives. Most alarmingly, four in five business owners surveyed consider selling credentials acceptable. These senior roles typically maintain broader system access even under least-privilege security models, making their compromised accounts particularly valuable to attackers seeking sensitive data and system functions.

The technical implications extend beyond individual account compromises. Account takeovers in the United States increased 6% to over 78,000 incidents last year, according to Verizon data. While many hijacked accounts belong to personal services, business platforms like Microsoft 365 and Salesforce represent high-value targets containing proprietary company information and customer data. Malwarebytes research found that 111 Fortune 500 companies experienced employee credential leaks in a single 30-day period, with 73% of Fortune 500 firms losing control of at least one employee credential over longer timeframes.

This insider risk affects customers directly, not just the employing organizations. When executive credentials reach criminal markets, customer databases often follow. Malwarebytes data shows 91% of Fortune 500 companies have experienced customer credential leaks, and compromised employee accounts provide attackers with pathways to customer information. Real-world incidents support this pattern, such as when Coinbase disclosed that employees at a Bangladesh-based outsourcing partner sold customer records to hackers.

Organizations should implement multiple defensive layers: enforce strict least-privilege access policies limiting each account to necessary functions only, deploy monitoring systems to detect credential leaks on criminal markets, and conduct regular security awareness training emphasizing that credential sales enable serious crimes including data theft and system compromise. Companies should also audit access permissions for senior staff regularly and consider additional authentication requirements for high-privilege accounts. Consumers should question why businesses need specific personal information and assume their basic contact details may already be circulating on data broker markets.

Source: https://www.malwarebytes.com/blog/news/2026/05/1-in-8-employees-have-sold-company-logins-or-know-someone-who-has