Skip to main content
Emerging Threats

UK Workers Sell Corporate Logins, Exposing Firms to Cybercrime

Employees in a dimly lit office break room subtly exchanging a piece of paper or USB drive.

Thirteen percent — roughly one in eight — of UK employees in large firms admit they have sold corporate logins in the past 12 months or know someone who has, according to a new Cifas report.

Cifas survey: scale and attitudes inside large employers

Cifas, the non‑profit fraud prevention service, based its findings on responses from 2,000 UK employees working in companies with 1,000+ staff. The survey found that 13% of respondents admitted selling their corporate credentials over the previous 12 months or knew someone who had. The same proportion — 13% — also said they thought selling credentials was "justifiable."

That sense of justification rises sharply by seniority: 32% of senior managers, 36% of directors, 43% of C‑suite executives and a striking 81% of business owners said they regarded the sale of logins as justifiable. Cifas director of learning Rachael Tiffen framed the problem as cultural as much as technical. "These findings show how vital it is for organizations to build fraud‑aware cultures, where employees at all levels understand their responsibilities and the consequences of their actions," she said. "Counter‑fraud training plays a central role in helping staff recognize manipulation, appreciate the risks associated with insider activity, and act with integrity when handling access to systems and data."

Financial consequences highlighted by DTEX

The survey's human findings sit alongside quantitative loss data from other vendors. DTEX reports that malicious incidents made up 27% of the total lost to insider risks last year, representing $4.7m of losses. DTEX further calculates that, on average, global organizations lost $19.5m per business to either negligence or deliberate acts such as sharing sensitive data including credentials.

Those figures position credential sales — whether transactional, opportunistic or coerced — as a vector that can produce immediate, measurable financial harm to employers large and small.

Credential markets and FTSE100 exposures: Socura/Flare

Separate market intelligence underscores how sold or stolen logins feed a broader cybercrime economy. A 2025 Socura/Flare report identified 460,000 compromised credentials belonging to employees at FTSE100 firms circulating on cybercrime sites. The report's authors also reported finding 28,000 corporate credentials in stealer logs — an average of 280 credentials per FTSE100 company — and noted that many of these credentials arise not from malicious insiders but from external attacks.

KELA's snapshot and the global pipeline of compromised credentials

KELA's study last month recorded 347 million compromised credentials on 3.9 million compromised machines. KELA placed those numbers within a larger context: the 347 million were part of an estimated 2.9 billion compromised credentials tracked globally in 2025. The continued pipeline of compromised credentials into the cybercrime economy, the reporting concludes, makes things much harder for network defenders — it "renders traditional perimeter defenses virtually useless."

What this means for corporate security teams, senior leaders, and FTSE100 IT teams

  • Corporate security teams: The Cifas data underscores an insider risk that is both behavioral and technical. Teams already contending with stealer logs and large pools of compromised credentials face the dual challenge of detecting illicit access and addressing a workforce where a non‑trivial minority view credential sale as justifiable.
  • Senior managers, directors, C‑suite executives and business owners: The survey shows elevated tolerance for credential sale among senior ranks. That disparity between leadership attitudes and security expectations could hamper internal controls and counter‑fraud training if not explicitly addressed by governance and ethics programs.
  • FTSE100 IT teams and network defenders: With Socura/Flare and KELA reporting hundreds of thousands to hundreds of millions of compromised credentials in circulation, defenders will confront credential exposure at scale — a threat environment in which perimeter controls are insufficient unless complemented by credential hygiene, detection and mitigation strategies.

The facts in these reports converge on a stark point: credentials are currency in today’s cybercrime economy, and they move by many routes — sale, theft, infection. The Cifas survey adds an uncomfortable human dimension: a significant minority of employees in large firms either trade logins or consider doing so acceptable. That combination of market supply and permissive attitudes changes the problem from one of pure technology to one of culture, incentives and oversight — and it leaves organizations with a clear, practical question they have yet to answer at scale: if many logins can be bought, who will be left to protect the accounts that matter?

Source: Infosecurity Magazine — One in Eight Workers Has Sold Their Corporate Logins