The exposure of public utilities' security practices was particularly concerning, because hackers could conceivably gain control of parts of the electrical grid or dams. Recorded Future research highlighted "multiple public utilities with webmail logon pages easily discovered with Google searches."
Most of the exposures occurred through third-party websites. Employees often registered on the sites using their work email accounts to engage in seemingly innocuous activities such as posting commentary on blogs, reviewing hotels or restaurants or participating on hobbyist websites, it said.
Many of these smaller sites lack sophisticated security and are susceptible to hackers, said Scott Donnelly, who conducted the analysis for Recorded Future. While most such sites encrypt or "hash" passwords to avoid revealing them in plain text, such protections are often easily overwhelmed using modern hacking tools that are "open-source and readily available," he said.
"At that point it becomes a coin flip … whether or not that's a valid log-on for that company account as well," Donnelly told NBC News, referring to numerous studies showing that computer users frequently reuse passwords so they can remember them.
Compounding the problem is the fact that security breaches on smaller sites are rarely reported to authorities, meaning that the employees and corporate IT managers are often unaware that the information has been exposed, said Christopher Ahlberg, Recorded Future's founder and CEO.
"You're not going to see a CNET.com story if it's a neighborhood 5k run that gets hacked," he said.
The report did not attempt to quantify how often stolen credentials were used to launch cyberattacks against the Fortune 500 companies. But it cited a recent claim by hackers who said they stole 7 million user names and passwords from the popular cloud storage service Dropbox as following the credential-theft model. "Attackers … used these stolen credentials to try to log into sites across the Internet, including Dropbox," it said.
Dropbox has denied it was the source of the data breach, blaming unidentified third-party services.