The black market for cPanel credentials threatens the security of millions of sites

Published · 5 min read

In the less visible corners of the Internet, site management credentials have become merchandise. Access to hosting panels such as cPanel - the interface that millions of sites use to manage domains, email, databases and certificates - is no longer just a door for defacement or spam: it is a product packaged, priced and sold in bulk on clandestine markets.

For a malicious actor, holding cPanel credentials means almost total control over a site and, in many cases, over dozens of domains sharing the same infrastructure. That control ranges from uploading web shells and backdoors to maintain persistence on the server, to creating SMTP accounts to send convincing phishing from a trusted domain, stealing sensitive database contents, or even escalating privileges to take root on the system. The severity is multiplied in shared hosting environments: a single compromised access can be the entry key to multiple third-party pages.

Image generated with AI.

The scale of the phenomenon is visible in public data: searches in engines that index exposed devices, such as Shodan, show millions of servers with control panels reachable from the Internet. Recent investigations that monitor clandestine channels, such as those carried out by security firms and reported on specialized blogs, have detected hundreds of thousands of ads offering compromised access, many of them replicated en masse to reach potential buyers.

The market has evolved towards an industrialized model: accesses are described with commercial attributes ("clean for sending," "high reputation," "active SMTP"), segmented by quality and geolocation, and sold in lots with volume discounts. Automation has made it easier for botnets and scraping tools to detect exposed panels, to exploit weak passwords through brute-force attacks or credential reuse, and for distribution networks to multiply ads across messaging groups.

The entry routes to these panels are no technical mystery: password reuse after public leaks, phishing to capture credentials, automated attacks on login portals and the exploitation of outdated websites on the same server remain the main routes. In addition, negligent configurations - exposed configuration files, lack of multifactor authentication or overly permissive file permissions - continue to facilitate intrusion. When an attacker compromises an outdated website, they can pivot, extract stored secrets (for example from wp-config.php files) and escalate to take control of the hosting panel.

The consequences for companies and organizations range from reputational loss through the blocklisting of domains and IPs to more severe operational impacts: content theft, file encryption and ransom demands, or use of the legitimate domain for fraud campaigns that damage the trust of customers and partners. What may seem like an isolated technical intrusion can become a business continuity crisis.

In view of this scenario, prevention is essential and combines technical measures with active monitoring. Using unique, strong passwords, enabling multifactor authentication on all control panels, and restricting administrative access by IP range significantly reduce the probability of initial intrusion. It is equally important to keep the CMS, plugins and themes up to date, to disable unnecessary services and to apply the principle of least privilege to limit the impact in case of compromise.

Early detection also makes a difference. Continuous monitoring of outgoing SMTP traffic helps to detect mass mailings that indicate abuse; file integrity monitoring reveals unauthorized modifications; and watching for changes in hosting accounts, unexpected cron tasks or new mail accounts can point to suspicious activity before major damage occurs. In addition, organizations with the capacity to monitor the underground market and stealer logs can receive alerts when their credentials appear for sale, which allows a preventive reaction.
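The three detection signals named above (outbound mail bursts per account, unexpected account or cron changes, and unauthorized file modifications) can be checked with a few lines of code. The following is an added example, not code from the original article or from cPanel; the log format it parses is a constructed, simplified one (timestamp, event, account, detail) rather than cPanel's or Exim's real syntax, and the sample log lines, hostnames and file contents are constructed for the demonstration.

```python
"""Detect hosting-panel abuse signals: mail bursts, admin changes, file tampering (added example)."""
import hashlib
import re
import tempfile
from collections import defaultdict, deque
from datetime import datetime, timedelta
from pathlib import Path

# Constructed, simplified log format for the example (NOT cPanel's real log syntax):
#   "<ISO timestamp> <event> <account> <detail>"
SAMPLE_LOG = """\
2024-05-01T09:00:00 mail_out shop@example.test to=alice@partner.test
2024-05-01T09:00:03 mail_out shop@example.test to=bob@partner.test
2024-05-01T09:00:05 mail_out shop@example.test to=carol@partner.test
2024-05-01T09:00:06 mail_out shop@example.test to=dave@partner.test
2024-05-01T09:00:07 mail_out shop@example.test to=erin@partner.test
2024-05-01T09:00:08 mail_out shop@example.test to=frank@partner.test
2024-05-01T09:15:00 mail_out info@example.test to=support@vendor.test
2024-05-01T09:20:11 create_email example invoices@example.test
2024-05-01T09:21:40 cron_change example spec="*/5 * * * * /home/example/.cache/.run"
2024-05-01T10:00:00 mail_out info@example.test to=team@vendor.test
"""

LINE_RE = re.compile(r"^(\S+) (\S+) (\S+) ?(.*)$")
# Account-level changes the article says are worth a review when unexpected.
ADMIN_EVENTS = {"create_email", "cron_change"}


def parse(log_text):
    """Turn log text into (timestamp, event, account, detail) tuples, skipping malformed lines."""
    events = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # a malformed line should not stop the whole scan
        ts, event, account, detail = m.groups()
        events.append((datetime.fromisoformat(ts), event, account, detail))
    return events


def detect_mail_bursts(events, threshold=5, window=timedelta(minutes=1)):
    """Return {sender: peak_count} for senders exceeding `threshold` mails inside a sliding `window`."""
    recent = defaultdict(deque)  # per-sender timestamps still inside the window
    peaks = {}
    for ts, event, account, _ in events:
        if event != "mail_out":
            continue
        q = recent[account]
        q.append(ts)
        while q and ts - q[0] > window:
            q.popleft()  # drop timestamps that fell out of the window
        if len(q) > threshold:
            peaks[account] = max(peaks.get(account, 0), len(q))
    return peaks


def detect_admin_changes(events):
    """Return new mailboxes and cron edits as (timestamp, event, account, detail) for review."""
    return [(ts.isoformat(), event, account, detail)
            for ts, event, account, detail in events if event in ADMIN_EVENTS]


def hash_tree(root):
    """Map every file under `root` (path relative to root) to its SHA-256 hex digest."""
    root = Path(root)
    return {str(p.relative_to(root)): hashlib.sha256(p.read_bytes()).hexdigest()
            for p in sorted(root.rglob("*")) if p.is_file()}


def diff_baseline(baseline, current):
    """Classify paths as added, removed or modified relative to a baseline snapshot."""
    return {
        "added": sorted(set(current) - set(baseline)),
        "removed": sorted(set(baseline) - set(current)),
        "modified": sorted(p for p in baseline.keys() & current.keys()
                           if baseline[p] != current[p]),
    }


def demo_fim():
    """Build a tiny constructed webroot, snapshot it, then simulate an unauthorized change."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "index.php").write_text("<?php echo 'hello'; ?>\n")
        (root / "wp-config.php").write_text("<?php define('DB_NAME', 'placeholder'); ?>\n")
        baseline = hash_tree(root)
        # Simulated tampering: an edited page and a new file in the uploads directory.
        (root / "index.php").write_text("<?php echo 'hello'; /* edited */ ?>\n")
        (root / "uploads").mkdir()
        (root / "uploads" / "cache.php").write_text("<?php /* unexpected new file */ ?>\n")
        return diff_baseline(baseline, hash_tree(root))


if __name__ == "__main__":
    ev = parse(SAMPLE_LOG)
    print("mail bursts:", detect_mail_bursts(ev))
    for change in detect_admin_changes(ev):
        print("review:", change)
    print("file changes:", demo_fim())
```

In production the baseline from `hash_tree` would be stored off-host and compared on a schedule, and the burst threshold tuned per account from normal sending volume; the point of the example is that each of the signals the article lists reduces to a simple comparison once the events are parsed.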

These recommendations are not theoretical: public institutions and private security organizations promote the same practices. For example, the cPanel team offers security guides for hardening installations (cPanel security documentation), and organizations such as OWASP and CISA publish resources and advisories on how to protect accounts and systems against credential abuse and weak authentication.

The phenomenon of initial access brokers, who specialize in obtaining and reselling access as raw material for other criminal operations, also deserves attention. Reports from incident response teams and intelligence providers show that this model transforms cybercrime: it is no longer necessary to build a complex operation for each campaign; it is enough to buy "reliable" access and deploy phishing, fraud or mass mailing from already compromised infrastructure. To better understand this dynamic, see the analyses of initial access actors and underground markets published by threat intelligence companies such as CrowdStrike.

Image generated with AI.

The industrialization of credential theft turns hosting accounts into strategic assets for attackers. If the trend continues, we will see even more automation in the collection, classification and sale of these accesses, which will lower the barrier to entry into the criminal ecosystem and increase the availability of "ready to use" infrastructure for phishing and fraud campaigns.

In short, defending the digital perimeter is no longer just closing ports or patching servers: it requires protecting management credentials (users and passwords), distinguishing legitimate activity from malicious use, and being attentive to external signals - such as the appearance of credentials on clandestine markets - that anticipate an attack. For those who manage websites, the task is clear: implementing basic security measures today avoids incidents that, tomorrow, can cost much more than the time spent on protection.

For further information and to follow research on this phenomenon, the firm that has monitored the clandestine channels publishes its analyses and findings on its blog (Flare: analysis of messaging channels), while technical resources and practical guides are available on the pages of cPanel, OWASP and CISA.
