In short: Analysts at Solar AURA found that an average large Russian company has more than 600 leaked corporate accounts circulating in open and dark-web sources — and over 60% of them come with the password in plaintext. Yet only 4% show signs of a direct network breach. The real culprit is mundane: employees reusing work email and passwords on outside sites. The same habit is what puts your personal accounts at risk too.
What happened
On 15 July 2026 the external-threat monitoring centre Solar AURA (part of the Solar group) published a study of leaked corporate credentials belonging to the ten largest Russian companies in the RBC500 rating. Analysts sifted through 19,300 lines tied to corporate domains and logins found in open and shadow sources, isolating 6,194 unique corporate accounts. Averaged out, that is more than 600 leaked work accounts per company — and in 3,739 of them (over 60%) the password was exposed in plaintext, ready to use. If you want to know whether your own logins are already out there, start with our guide on how to check for a data leak.
Where the leaks actually come from
The most striking finding is what did not happen. Only about 4% of the accounts showed signs of a direct compromise of the company's own infrastructure. The overwhelming majority leaked because employees used their corporate email addresses and passwords to register on external resources — marketplaces, forums, training platforms and SaaS tools. When one of those third-party services is breached, the work credentials spill out with it. Solar AURA also logged more than 12,600 lines containing employees' personal-data components, which makes the leaked records even more useful for attackers.
Why this matters for ordinary users
Swap "corporate account" for "your account" and the lesson is identical. Most people reuse a handful of passwords across dozens of services. The moment any one of those services is breached, that email-and-password pair joins a combo-list — and attackers run it automatically against banking apps, mail, marketplaces and social networks. This technique, credential stuffing, does not require hacking you at all; it simply tries a password you already leaked somewhere else. It is the same mechanism behind the billion-record infostealer leak we covered earlier. A plaintext password from a forum you forgot about can quietly unlock your most important accounts.
How to protect your logins
Never reuse passwords. A unique password for every service, stored in a password manager, means a single leak stays contained instead of cascading across your whole digital life.
Turn on two-factor authentication. Even a leaked plaintext password is far less useful if logging in still requires a second factor. Solar AURA's own advice to companies — monitor leaks, enable multi-factor authentication and quickly block compromised accounts — applies just as well to individuals.
Keep work and personal identities separate. Don't register on random sites with an address you use for anything sensitive, and treat every "log in with your email" prompt on an unfamiliar service as a risk.
Encrypt your connection on untrusted networks. A VPN won't fix a company's leaked database, but it protects your side of the wire: on public or shared Wi-Fi it routes your traffic through an encrypted tunnel, so no one on the same network can intercept the logins and session cookies you send to banking, mail or work portals. LiMP VPN is a no-logs service for iOS and Android — see the features and plans, and more privacy news on our blog.
Sources
This report is based on the Solar AURA study as published by Anti-Malware.ru and CNews, July 2026.
