13% OF UK EMPLOYEES HAVE SOLD CORPORATE CREDENTIALS
13% of UK workers admitted selling logins or knowing someone who did. Among C-suite executives, 43% think it's justifiable.
by editor

More than one in eight UK employees has sold their corporate login credentials over the past year, either personally or through someone they know, according to a new report from Cifas. The finding is stark on its own. What makes it worse is who is most willing to justify the practice.
Among C-suite executives surveyed, 43% said selling credentials was justifiable. The percentage climbs as you move up the org chart: 36% of directors, 32% of senior managers, and a striking 81% of business owners. The report, based on responses from 2,000 UK employees at companies with more than 1,000 staff, suggests the problem is concentrated in the people who should have the most reason to protect the organization.
THE SCALE IS MASSIVE
The credential market is not theoretical. KELA, a threat intelligence firm, identified 347 million compromised credentials sitting on 3.9 million machines infected with stealer malware. Globally, researchers tracked roughly 2.9 billion compromised credentials in 2025. Those numbers represent real access points into real organizations, and the UK's workforce is contributing to the supply.
A separate study by Socura and Flare found 460,000 compromised credentials belonging to employees at FTSE 100 firms circulating on cybercrime sites. The researchers pulled 28,000 corporate credentials from stealer logs, averaging 280 compromised credentials per FTSE 100 company. These are not outside hackers brute-forcing their way in. These are logins that belonged to people inside the building, now being sold or leaked.
THE COST OF IT ALL
Insider risks cost global organizations an average of $19.5 million per business, whether from negligence or deliberate acts like sharing credentials. Malicious incidents account for 27% of the total lost to insider risks, translating to $4.7 million in damages. The numbers are large enough that the phenomenon is no longer a rounding error in corporate risk models. It is a line item.
Selling logins opens the door to serious fraud and financial harm. Once a credential is on the open market, it can be used for account takeover, lateral movement through corporate networks, data exfiltration, or direct theft. The buyer does not need to be technically sophisticated. The stolen login is the entry point.
IS IT CULTURAL FAILURE?
Rachael Tiffen, a specialist in workplace fraud trends at Cifas, said the findings expose a cultural gap that no amount of perimeter security can close.
Her second point was direct:
The data suggests many organizations are failing at both. When nearly half of the C-suite sees nothing wrong with monetizing access, training programs are either not reaching them or not resonating. Either way, the organization is exposed.
WHAT THIS SAYS ABOUT TRUST
The report's most uncomfortable finding is the correlation between seniority and acceptability. It would be easy to assume junior employees, paid less and with less invested in the company's fate, would be the ones most likely to sell access. The data points the other direction. People with the most authority, the most access, and the highest compensation are the ones most willing to treat credentials as a personal asset rather than a fiduciary responsibility.
This is not a technology problem. It is a governance problem wearing a technology costume. The credentials are the mechanism, but the failure is in the culture that treats access as property rather than trust. Every organization can patch its software. Patching a culture where executives think selling access is acceptable is a harder, longer project.
WHAT DO ORGANISATIONS DO
The starting point is acknowledging the problem exists inside the building, not just outside it. Standard security hygiene (password rotation, MFA, access logging) matters, but it does not address the willingness to sell. That requires a combination of clearer consequences, real detection mechanisms for credential misuse, and a tone set from the top that selling access is not a gray area. It is a firing offense, regardless of title.
The report makes clear that the 13% who admitted selling or knowing a seller is likely a floor, not a ceiling. The real number may be higher. The only thing stopping a more accurate count is the difficulty of detecting a transaction that happens entirely between two willing parties, neither of whom has an incentive to report it.