1.3 Million Windows RDP Logins Stolen and Sold on Dark Web


Remote Desktop Protocol (RDP) is one of the most widely used services for remotely controlling other systems. However, when left open, it exposes the system to complete remote control by whoever decides to access it. Essentially, it is as if the hacker were sitting right in front of the mouse and keyboard controlling the system. Now imagine the extent and potential impact of 1.3 million Windows RDP logins stolen and sold on the dark web.


The Dark Web Marketplace

The actor behind the leak is known as Ultimate Anonymity Services, or UAS. UAS is the largest cyber-criminal marketplace and a very popular one, known for its sale of sensitive information and various account credentials. Malicious actors can access UAS and obtain information such as leaked social security numbers, SOCKS proxies, and RDP login information. UAS prices generally range from $3 to $15 for RDP login credentials, and the marketplace even provides customer support and helps attackers keep future access to the systems whose RDP credentials they purchased.


1.3 Million RDP Logins Leaked

Recently, UAS released stolen RDP credentials for 1.3 million (1,379,609 to be exact) active and previously compromised systems. These credentials can access systems in countries all across the globe and also include logins for government agencies and high-profile organizations and businesses.

An analysis of the login credentials produced these top discoveries:

Top 10 Login Names:

  1. Administrator
  2. Admin
  3. User
  4. Test
  5. Scanner
  6. Scan
  7. Guest
  9. User1
  10. Administrador


Top 10 Passwords:

  1. 123456
  2. 123
  3. P@ssw0rd
  4. 1234
  5. Password1
  6. 1
  7. Password
  8. 12345
  9. admin
  10. ffff-ffc0M456x


Top 10 Countries:

  1. United States
  2. China
  3. Brazil
  4. Germany
  5. India
  6. United Kingdom
  7. France
  8. Spain
  9. Canada
  10. Hong Kong


Check Your Status

If you use RDP on any of your systems, be sure to check out RDPwned. This helpful tool lets you check whether your servers or RDP login credentials have been leaked.

Furthermore, as the detailed analysis of the leaked logins shows, the top usernames and passwords are either defaults or extremely common or simple. Therefore, by changing the username and creating an extremely strong password, following these rules, you prevent potential brute-forcing of your RDP system. RDP should always run behind a firewall and not be exposed externally to the internet. These simple steps greatly increase your chances of staying off of sites such as UAS.
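To watch for the brute-forcing described above on your own servers, the following added example (not from the original article or from RDPwned) flags source addresses that fail logons against several of the listed login names within a short time. The comma-separated export format, the thresholds and the sample records are assumptions constructed for illustration; event 4625 and logon types 3 and 10 are the standard Windows Security log values for failed logons.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Login names from the article's list, lower-cased for matching.
COMMON_NAMES = {"administrator", "admin", "user", "test", "scanner",
                "scan", "guest", "user1", "administrador"}

# Constructed sample (assumed export format, documentation IP ranges):
# timestamp,event_id,logon_type,account,source_ip
SAMPLE = """\
2021-04-20T10:00:01,4625,10,Administrator,203.0.113.7
2021-04-20T10:00:20,4625,10,Admin,203.0.113.7
2021-04-20T10:00:45,4625,3,Test,203.0.113.7
2021-04-20T10:01:10,4625,3,Guest,203.0.113.7
2021-04-20T10:00:00,4625,10,admin,192.0.2.9
2021-04-20T10:15:00,4625,10,User,192.0.2.9
2021-04-20T10:30:00,4625,10,Scan,192.0.2.9
2021-04-20T10:02:00,4625,10,jsmith,198.51.100.4
2021-04-20T10:02:30,4624,10,jsmith,198.51.100.4
"""

def parse(text):
    """Yield (time, account, ip) for failed logons that can come from RDP."""
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, event_id, logon_type, account, ip = line.strip().split(",")
        # 4625 = failed logon; type 10 = RemoteInteractive, type 3 = network
        # logon (what RDP with Network Level Authentication records).
        if event_id == "4625" and logon_type in ("3", "10"):
            yield datetime.fromisoformat(ts), account.lower(), ip

def suspicious_sources(text, min_names=3, window=timedelta(minutes=5)):
    """Map source IP -> common names it failed on inside one time window."""
    by_ip = defaultdict(list)
    for ts, account, ip in parse(text):
        if account in COMMON_NAMES:
            by_ip[ip].append((ts, account))
    flagged = {}
    for ip, events in by_ip.items():
        events.sort()
        start = 0
        for end in range(len(events)):
            while events[end][0] - events[start][0] > window:
                start += 1  # slide the window forward
            names = {name for _, name in events[start:end + 1]}
            if len(names) >= min_names:
                flagged[ip] = sorted(names)
                break
    return flagged
```

Calling suspicious_sources(SAMPLE) reports only 203.0.113.7; the slow attempts from 192.0.2.9 appear once the window is widened to 30 minutes.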


RDP open to the wild is often found during a penetration test. If you run Windows servers with RDP enabled, it is recommended to have these types of assessments at least once a year.