Over one million law firm passwords found on dark web

By Legal Cheek

Hackers increasingly exploiting vulnerabilities

New research has uncovered more than a million passwords linked to the IT systems of UK law firms on the dark web.

Researchers found that nearly three-quarters (72.2%) of the 5,140 law firms audited had employee username and password combinations that appeared in lists circulating in the darkest corners of the internet.

A total of 1,001,313 passwords were discovered, averaging 195 password combinations per firm or 1.27 per individual staff member.

Atlas Cloud, the IT outfit that conducted the research, warns that cybercriminals could use this information to infiltrate a firm’s IT systems, potentially gaining access to valuable data or intercepting transactions.

Last autumn, before its merger with Shearman, Allen & Overy confirmed that it had “experienced a data incident affecting a small number of storage servers” after reportedly being targeted by a hacking group with ransomware. Similarly, in 2017, Legal Cheek reported that hackers had taken DLA Piper’s computer systems and phones offline using malicious software.

The latest study identified additional cyber threats, revealing that DMARC — a crucial security measure to prevent domain hijacking — has been implemented by less than half (46.2%) of firms. If a domain is hijacked, it allows criminals to send emails that appear to come directly from the firm, creating numerous opportunities for exploitation, the research warns.

Pete Watson, CEO of Atlas Cloud, said:

“The sheer volume of password combinations available to criminals is a stark reminder of the threat that cyber poses to a firm. You can minimise this risk by applying multi-factor authentication on your systems, which adds an additional one-time authentication token, but criminals have been known to find ways around this too.”

“It’s circumvented by tricking users to do something,” Watson continued. “That means the only true way to eliminate this threat is ensuring everyone representing your firm has a strong awareness of the tactics criminals are using today.”

Separate research from earlier this year reveals that the number of UK law firms reporting cyber attacks has risen sharply, with breaches surging 36% from 166 to 226 in the year ending September 30.

4 Comments

Reuben

There are a huge number of law firms being hit by data breaches. The ones that are reported/make the press are just the tip of the iceberg.

Anon

Well that’s frightening.

Anonymous

What an enlightening, valuable contribution to the thread. Thanks so much.

Smiffy

Does that mean they become visible if you increase the screen brightness?
