Compromised Credential

Compromised credentials are when your login details have been stolen or accessed by unauthorized parties. Typically, compromised credentials include usernames, passwords, security questions, and other sensitive details used to verify a user’s identity and gain access to accounts and systems.

The risks associated with compromised credentials are severe. Stolen login credentials may be misused to impersonate legitimate users, gain unauthorized access to sensitive data and accounts, move laterally through a network, install malware, steal funds, and more. Compromised credentials are one of the most common attack vectors in data breaches.

Common Causes of Compromised Credentials

There are a few common ways credentials become compromised:

  • Phishing attacks: Phishing emails containing malicious links or attachments are used to trick users into entering their login details on spoofed sites that capture their information.
  • Keylogging malware: Malware installed on a user’s device tracks and records the keys pressed, capturing usernames, passwords, and other sensitive data.
  • Data breaches: When a service is breached, user credentials and other personal information are often compromised and stolen. Attackers will then use the stolen credentials to access other accounts and systems.
  • Reusing passwords: When a user uses the same password across many accounts and a breach exposes that user’s credentials, every other account protected by the same password is also compromised.
  • Social engineering: Skilled social engineers manipulate human psychology to convince targets to share sensitive login credentials either in person, over the phone, or online.

In summary, compromised credentials pose a severe threat and proactive measures should be taken by both individuals and organizations to prevent and mitigate the risks associated with stolen login details. With compromised credentials, unauthorized access is often just a login away.

How Credentials Get Compromised

Credentials are stolen or compromised in several common ways:

  • Phishing attacks: Phishing emails trick users into entering their login credentials on spoofed websites. The credentials are then stolen. Phishing is one of the leading causes of compromised credentials.
  • Data breaches: When companies experience data breaches that expose customer data, login credentials are frequently stolen. The credentials can then be sold on the dark web and used to access other accounts.
  • Weak passwords: Easy-to-guess or reused passwords make accounts an easy target. Once a password has been compromised on one site, attackers will try using the same password on other popular websites.
  • Keylogging malware: Malware like keyloggers can be used to steal keystrokes and capture login credentials. The stolen data is then transmitted back to the attackers.
  • Social engineering: Skilled social engineers manipulate human psychology to convince targets to share sensitive login credentials either in person, over the phone, or digitally.

Some well-known examples of compromised credentials include:

  • RockYou2024 Breach: This incident involved the leakage of a staggering 10 billion credentials, making it one of the largest password dumps in history. Although the sheer volume of data is alarming, experts have pointed out that much of the data might not be immediately useful for attackers due to the presence of outdated or irrelevant information. However, the breach serves as a stark reminder of the dangers of password reuse and the necessity for strong authentication practices, including multi-factor authentication (Daily Security Review).
  • Microsoft Executive Accounts Breach: Early in 2024, a Russia-aligned threat actor managed to breach Microsoft’s corporate email accounts, including those of senior leadership and cybersecurity teams. This breach was facilitated by exploiting a legacy account that lacked multifactor authentication. The attackers were able to exfiltrate sensitive email communications between Microsoft and various U.S. federal agencies (CRN).
  • Okta Data Breach: In October 2023, Okta, a leading identity services provider, disclosed that a threat actor had accessed its customer support system using stolen credentials. The attack allowed unauthorized access to customer support cases, underlining the risks associated with compromised credentials even in systems designed to manage and secure user identities.
  • In 2019, DNA testing company 23andMe announced that some customer data, including login info, had been accessed due to a security breach.
  • In 2018, Nintendo’s Nintendo Network suffered a breach that compromised over 300,000 accounts. Login credentials were stolen and used to make fraudulent purchases.
  • In 2016, a data breach at PayPal exposed over 1.6 million customer records, including login credentials, names, email addresses, and more.

Compromised credentials are a serious threat and protecting accounts requires vigilance around phishing, strong unique passwords, multi-factor authentication and monitoring accounts regularly for signs of fraud. With care and awareness, the risks can be reduced.

The Dangers of Compromised Credentials

Compromised credentials pose serious risks to organizations and individuals. Once login credentials have been stolen, attackers can access sensitive data and systems, enabling a range of malicious activity.

According to Verizon’s 2020 Data Breach Investigations Report, over 80% of hacking-related breaches leveraged stolen and/or weak passwords. The impacts of these credential-based attacks include:

  • Data breaches: With access to accounts and systems, attackers can steal confidential data like customer information, employee records, and intellectual property, using credential stuffing attacks.
  • Financial loss: Malicious actors may transfer funds, make unauthorized purchases, or commit payment fraud using stolen account access.
  • Reputational harm: Data breaches and account takeovers can damage customer trust and brand reputation.
  • Account takeover: Attackers can hijack online accounts for spam, fraud, and other malicious activities. Compromised social media accounts are commonly abused to spread malware and misinformation.

While individuals should use unique, complex passwords and enable multi-factor authentication whenever possible, organizations must also implement strong access policies and security controls. Frequent password changes, account monitoring, and employee education can help reduce the risks associated with compromised credentials.

Detecting Compromised Credentials

To detect compromised credentials, organizations employ User and Entity Behavior Analytics (UEBA) systems, which monitor user activity and behaviors to identify anomalies.

UEBA solutions analyze log data from multiple sources like network devices, operating systems, and applications to create a baseline of normal user activity. Any deviations from established patterns can indicate compromised credentials or accounts.

Security Information and Event Management (SIEM) platforms also aid in detecting compromised credentials by aggregating and analyzing security logs from various systems across the organization. SIEM tools use log correlation and analytics to identify suspicious login attempts, location changes, and privilege escalations which can point to compromised accounts.

Continuous monitoring of user accounts and authentication events is crucial for early detection of compromised credentials.

Adaptive and risk-based authentication methods provide additional layers of security that help identify unauthorized access. Requiring multi-factor authentication, especially for privileged accounts, makes it more difficult for attackers to exploit compromised passwords. Monitoring for excessive failed login attempts, signs of brute force attacks, and other credential stuffing campaigns also helps to detect compromised accounts before they are misused.
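Two of the signals named above, a burst of failed logins followed by a success and a successful login from a second country too soon after the first, can be checked with a few lines of log analysis. The following is an added example written for this glossary entry, not code from any UEBA or SIEM product; the log format, the thresholds (five failures in five minutes, one hour between countries) and the sample lines are all constructed assumptions.

```python
"""Flag credential-misuse patterns in constructed authentication log lines."""
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta

# Constructed sample log: "<ISO timestamp> <user> <result> <ip> <country>"
SAMPLE_LOG = """\
2024-05-01T08:00:01Z alice FAIL 203.0.113.7 DE
2024-05-01T08:00:03Z alice FAIL 203.0.113.7 DE
2024-05-01T08:00:05Z alice FAIL 203.0.113.7 DE
2024-05-01T08:00:07Z alice FAIL 203.0.113.7 DE
2024-05-01T08:00:09Z alice FAIL 203.0.113.7 DE
2024-05-01T08:00:11Z alice SUCCESS 203.0.113.7 DE
2024-05-01T09:00:00Z bob SUCCESS 198.51.100.4 US
2024-05-01T09:20:00Z bob SUCCESS 192.0.2.33 BR
2024-05-01T10:00:00Z carol SUCCESS 198.51.100.9 US
"""


@dataclass(frozen=True)
class AuthEvent:
    ts: datetime
    user: str
    success: bool
    ip: str
    country: str


def parse_log(text):
    """Parse the constructed format above into AuthEvent records."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, user, result, ip, country = line.split()
        events.append(AuthEvent(datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"),
                                user, result == "SUCCESS", ip, country))
    return events


def detect_brute_force_then_success(events, max_failures=5, window=timedelta(minutes=5)):
    """Flag a success that follows >= max_failures failures from the same
    user/IP pair inside `window`: the shape of guessing or stuffing attacks."""
    findings = []
    failures = defaultdict(list)  # (user, ip) -> recent failed events
    for e in sorted(events, key=lambda ev: ev.ts):
        key = (e.user, e.ip)
        if e.success:
            recent = [f for f in failures[key] if e.ts - f.ts <= window]
            if len(recent) >= max_failures:
                findings.append((e.user, e.ip, len(recent)))
            failures[key].clear()
        else:
            failures[key].append(e)
    return findings


def detect_impossible_travel(events, min_gap=timedelta(hours=1)):
    """Flag two successful logins for one user from different countries
    that are closer together than `min_gap` (location change signal)."""
    findings = []
    last_success = {}  # user -> most recent successful event
    for e in sorted(events, key=lambda ev: ev.ts):
        if not e.success:
            continue
        prev = last_success.get(e.user)
        if prev and prev.country != e.country and e.ts - prev.ts < min_gap:
            minutes = int((e.ts - prev.ts).total_seconds() // 60)
            findings.append((e.user, prev.country, e.country, minutes))
        last_success[e.user] = e
    return findings


def analyze(text):
    """Run both detectors over a log and return the findings by type."""
    events = parse_log(text)
    return {
        "brute_force": detect_brute_force_then_success(events),
        "impossible_travel": detect_impossible_travel(events),
    }


if __name__ == "__main__":
    for kind, hits in analyze(SAMPLE_LOG).items():
        for hit in hits:
            print(kind, hit)
```

Run against the sample log, the first detector reports alice (five failures, then a success from the same address) and the second reports bob (US and then BR within twenty minutes); carol produces nothing. In production the same checks would run over a real identity provider's sign-in log and the thresholds would be tuned against the organisation's own baseline.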

Preventing Compromised Credential Attacks

To prevent compromised credential attacks, organizations should implement stringent security policies and controls.

Multi-factor authentication (MFA) adds an extra layer of protection for user accounts, non-human identities and systems. Requiring factors like one-time passwords, security keys or biometrics in addition to passwords makes accounts more difficult to compromise.

Disallowing previously exposed passwords prevents users from selecting passwords already known to attackers. Using blacklists of compromised passwords, organizations can block employees from choosing easily guessed or reused passwords.
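A breached-password check can be built so that the plaintext password, and even its full hash, never leaves the system that enforces the policy: hash the candidate, send only the first five hex characters of the SHA-1, and compare the returned suffixes locally (the k-anonymity scheme used by Have I Been Pwned's Pwned Passwords range API). The code below is an added example for this glossary entry, not any product's implementation; the breach list is constructed, and `range_lookup` is a local stand-in that imitates the "SUFFIX:COUNT" response format of the real service.

```python
"""Reject passwords found in breach data via a k-anonymity range lookup."""
import hashlib

# Constructed breach corpus. Plaintexts appear here only to build the demo
# index; a real deployment holds SHA-1 hashes or queries the remote range API.
_CONSTRUCTED_BREACHED = {"password": 123456, "letmein": 9876, "Summer2024!": 42}


def sha1_upper(password: str) -> str:
    """Uppercase hex SHA-1, the form used by the range API."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest().upper()


# prefix (first 5 hex chars) -> ["SUFFIX:COUNT", ...]
_BREACH_INDEX = {}
for _pw, _count in _CONSTRUCTED_BREACHED.items():
    _h = sha1_upper(_pw)
    _BREACH_INDEX.setdefault(_h[:5], []).append(f"{_h[5:]}:{_count}")


def range_lookup(prefix5: str) -> str:
    """Stand-in for the remote range API (assumption): given the first five
    hex characters of a SHA-1, return every matching suffix with its count."""
    return "\n".join(_BREACH_INDEX.get(prefix5.upper(), []))


def breach_count(password: str, lookup=range_lookup) -> int:
    """How many times `password` appears in the corpus (0 if absent).
    Only the 5-character prefix is sent; the suffix match happens here."""
    digest = sha1_upper(password)
    prefix, suffix = digest[:5], digest[5:]
    for line in lookup(prefix).splitlines():
        if not line:
            continue
        candidate, count = line.split(":", 1)
        if candidate == suffix:
            return int(count)
    return 0


def check_new_password(password: str, min_length: int = 8) -> tuple:
    """Policy check at password-set time. Returns (accepted, reason)."""
    if len(password) < min_length:
        return False, f"shorter than {min_length} characters"
    n = breach_count(password)
    if n:
        return False, f"appears {n} times in known breach data"
    return True, "ok"


if __name__ == "__main__":
    for pw in ["password", "Summer2024!", "correct horse battery staple"]:
        print(repr(pw), check_new_password(pw))
```

"password" and "Summer2024!" are rejected because they are in the constructed corpus, while the long passphrase passes. Swapping `range_lookup` for an HTTP call to the real range endpoint keeps the privacy property, since the client still sends only a prefix shared by many unrelated hashes.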

Continuous monitoring for exposed credentials on the dark web and password cracking enables swift response. Monitoring password dumps and breach data allows security teams to identify compromised accounts, force password resets and enable MFA.

Conducting regular phishing simulations and security awareness training helps educate employees on recognizing and avoiding phishing emails and malicious websites aimed at stealing login credentials. Explaining the risks of oversharing on social media and reusing passwords across accounts builds good security habits and a culture of vigilance.

Using CAPTCHAs, or automated tests that humans can pass but computers cannot, adds an extra layer of protection for logins and account access. CAPTCHAs prevent automated bots and scripts from attempting to access systems using stolen credential sets obtained from data breaches.

Enacting and enforcing strong password policies that require lengthy, complex passwords changed frequently is one of the best ways to make compromised credentials more difficult to obtain and use.

Mitigation Strategies for Compromised Credentials

Once compromised credentials have been identified, there are several mitigation strategies that can be employed to reduce risk.

Password Reset

The most effective way to mitigate compromised credentials is to immediately reset user passwords. Resetting passwords for affected accounts prevents attackers from accessing systems and data using stolen login information.

Enable Multi-Factor Authentication

Enabling MFA adds an extra layer of protection for user accounts. MFA requires not only a password but also another method of authentication like a security code sent to the user’s mobile device. Even if an attacker obtains a user’s password, they would also need to verify their identity to the user’s mobile phone to log in.
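The "security code" in a time-based MFA scheme is usually a TOTP value (RFC 6238): an HMAC over the current 30-second time step, keyed with a secret only the user's device and the server share, so a stolen password alone cannot produce it. The following is an added example for this glossary entry, not any product's MFA code; it uses the RFC 6238 test secret, keeps a constructed in-memory record of consumed steps per user, and assumes a one-step clock-drift tolerance.

```python
"""Server-side TOTP (RFC 6238) verification with drift window and replay guard."""
import hashlib
import hmac
import struct

# RFC 4226 / RFC 6238 test secret (ASCII "12345678901234567890").
TEST_SECRET = b"12345678901234567890"
STEP_SECONDS = 30
DIGITS = 6


def totp(secret: bytes, unix_time: int, step: int = STEP_SECONDS, digits: int = DIGITS) -> str:
    """HOTP over counter = floor(unix_time / step), HMAC-SHA1, dynamic truncation."""
    counter = unix_time // step
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


class TotpVerifier:
    """Accept the current step and `drift_steps` either side, but never accept
    a step at or below one already consumed for that user (replay guard)."""

    def __init__(self, secret: bytes, drift_steps: int = 1):
        self.secret = secret
        self.drift_steps = drift_steps
        self.last_accepted_step = {}  # constructed store: user -> consumed step

    def verify(self, user: str, code: str, now: int) -> bool:
        current = now // STEP_SECONDS
        for delta in range(-self.drift_steps, self.drift_steps + 1):
            step = current + delta
            if step <= self.last_accepted_step.get(user, -1):
                continue  # this step (or an older one) was already used
            expected = totp(self.secret, step * STEP_SECONDS)
            if hmac.compare_digest(expected, code):  # constant-time compare
                self.last_accepted_step[user] = step
                return True
        return False


if __name__ == "__main__":
    v = TotpVerifier(TEST_SECRET)
    print(totp(TEST_SECRET, 59))                 # RFC 6238 vector, 6 digits
    print(v.verify("alice", totp(TEST_SECRET, 59), 59))   # first use: accepted
    print(v.verify("alice", totp(TEST_SECRET, 59), 59))   # replay: refused
```

The replay guard matters for exactly the scenario this section describes: an attacker who phishes a one-time code along with the password has a window of at most one step, and once the legitimate user (or the attacker) has consumed that step the code is useless. The drift window keeps honest devices with slightly skewed clocks working without widening that exposure much.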

Monitor Accounts for Suspicious Activity

Closely monitoring compromised accounts for signs of suspicious logins or activity can help detect unauthorized access. Security teams should check account login times, locations, and IP addresses for anomalies that could indicate an attacker is using stolen credentials to access the account. Detecting unauthorized access quickly can help limit the damage from compromised credentials.

Provide Additional Training

Compromised credentials are often the result of weak or reused passwords, phishing, or other social engineering attacks. Providing regular security awareness and education training helps educate users on password best practices, phishing identification, and other topics to help reduce the risk of compromise. Additional training and simulated phishing campaigns have been shown to significantly improve security posture over time.