Leaked Credentials
What are leaked credentials?
Leaked credentials are usernames, passwords, and other authentication details that have been exposed to unauthorized parties.
This typically happens when malicious users hack into websites, databases, or systems. They then leak or sell the stolen information. These credentials can include:
- Usernames and Passwords: The most common type of leaked credentials, used to access accounts on websites and services.
- Session Tokens: These can be used to bypass multi-factor authentication (MFA) to gain unauthorized access to an application.
- Security Questions and Answers: Used for account recovery processes.
- API Keys and Access Tokens: For accessing applications and services programmatically.
When credentials are leaked, they are often shared on the dark web or other underground platforms. They are then used for identity theft, account takeovers, and fraud.
Why are leaked credentials an ongoing problem?
Leaked credentials provide a steady supply of usernames and passwords for cybercriminals to exploit.
InfoStealer malware is the primary source of leaked credentials that are exploited today.
Having said that, third-party breaches contribute significantly to the problem as well.
Many people reuse the same password across multiple accounts.
This makes it significantly easier for attackers to access multiple services once a single set of credentials is leaked.
These credentials are often sold or shared on the dark web, giving attackers an almost endless supply of accounts to exploit.
Additionally, without ongoing monitoring, many organizations lack visibility into these credentials.
This significantly increases the amount of time criminals can exploit them.
For example, according to IBM, breaches involving stolen or compromised credentials took, on average, 292 days to identify and contain.
How do credentials get leaked?
There are a number of methods criminals use to gain access to credentials. Here are some of the common ways:
- Malware and Keyloggers: Malicious software, like InfoStealers, is installed on a user’s device to steal credentials directly. This often happens without the user’s knowledge. Keyloggers are another common method used to record keystrokes, capturing usernames and passwords as they are typed.
- Data Breaches: Cybercriminals exploit vulnerabilities in a company’s systems to gain unauthorized access to databases containing user credentials. For example, SQL Injection can be used to gain access to an application’s underlying database. Once they have access, attackers can execute arbitrary commands or extract usernames and passwords.
- Phishing Attacks: Attackers send emails that appear to be from legitimate sources to trick users into entering their credentials on fake websites. Targeted attacks, also known as Spear Phishing, against specific individuals or organizations use personalized information to make the phishing attempt more convincing.
- Social Engineering: Attackers use pretexting to create a false scenario that manipulates their targets into sharing confidential information, including credentials. Impersonation attacks are another common method. Here, attackers pretend to be a trusted entity, like IT support, to trick users into revealing their login details.
- Credential Stuffing: Attackers use automated tools to test large volumes of username-password pairs (often obtained from previous breaches) across various websites to find accounts where users have reused passwords.
- Insider Threats: Current or former disgruntled employees with access to sensitive information are often referred to as insider threats. The risk is that they may leak credentials deliberately. Employees might also accidentally expose credentials by mishandling sensitive information or falling for a phishing scam.
- Exposed Databases and Misconfigurations: Misconfigured databases left exposed on the internet can allow unauthorized access to stored credentials. Incorrectly configured cloud storage solutions may also unintentionally expose sensitive data.
- Reuse of Compromised Passwords: People often reuse the same password across multiple accounts. If one account is compromised, the credentials can be used to access other accounts as well.
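The reuse problem above is why, during a reset, a new password should be checked against known breach corpora before it is accepted. The snippet below is an added example, not code from this article or from Breachsense; it implements the k-anonymity range-query pattern used by the Pwned Passwords service (only the first five hex characters of the SHA-1 hash ever leave the client, and the full hash is matched locally). The range response is a constructed sample so the example runs offline, and its counts are invented; the `fetch_range` helper that would call the real endpoint is included but not exercised.

```python
import hashlib
import urllib.request

# Constructed sample of a range response (one "SUFFIX:COUNT" per line).
# The real service returns every suffix that shares the requested 5-char
# prefix; these lines and counts are invented for an offline demonstration.
SAMPLE_RANGE_RESPONSE = """\
1D72CD07550416C216D8AD296BF5C0AE8E0:2
1E4C9B93F3F0682250B6CF8331B7EE68FD8:123456
1F5A8DFA7B1F2D2D1F61FC2B2A5D0A6C4D3:1
"""


def sha1_prefix_suffix(password):
    """Split the upper-case SHA-1 hex digest into the 5-char prefix that is
    sent to the service and the 35-char suffix that stays on the client."""
    digest = hashlib.sha1(password.encode("utf-8")).hexdigest().upper()
    return digest[:5], digest[5:]


def parse_range_response(text):
    """Parse 'SUFFIX:COUNT' lines into a dict; malformed lines are skipped."""
    counts = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or ":" not in line:
            continue
        suffix, count = line.split(":", 1)
        if count.strip().isdigit():
            counts[suffix.upper()] = int(count)
    return counts


def breach_count(password, range_response_text):
    """Number of times the password appears in the corpus (0 = not found).
    Only the suffix is looked up, so the full hash never leaves this host."""
    _prefix, suffix = sha1_prefix_suffix(password)
    return parse_range_response(range_response_text).get(suffix, 0)


def fetch_range(prefix):
    """Network helper for the live service (assumed endpoint format
    https://api.pwnedpasswords.com/range/<prefix>); not used offline."""
    url = f"https://api.pwnedpasswords.com/range/{prefix}"
    with urllib.request.urlopen(url, timeout=10) as resp:
        return resp.read().decode("utf-8")


def is_acceptable(password, range_response_text, min_length=12):
    """Policy check for a reset: long enough and absent from the corpus."""
    return len(password) >= min_length and breach_count(password, range_response_text) == 0


if __name__ == "__main__":
    for candidate in ("password", "correct horse battery staple example"):
        prefix, _ = sha1_prefix_suffix(candidate)
        hits = breach_count(candidate, SAMPLE_RANGE_RESPONSE)
        print(f"{candidate!r}: prefix {prefix}, seen {hits} times, "
              f"acceptable={is_acceptable(candidate, SAMPLE_RANGE_RESPONSE)}")
```

To use it against the live service, replace `SAMPLE_RANGE_RESPONSE` with `fetch_range(prefix)` for the candidate's prefix; the matching logic is unchanged, and a non-zero count means the password should be rejected regardless of how strong it looks.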
What do hackers do with stolen credentials?
Here are some common uses for stolen credentials:
- Account Takeover: Hackers use stolen credentials to log into victims’ accounts. This gives them unauthorized access to personal information, financial details, and other sensitive data.
- Identity Theft: Attackers can impersonate their victim, making fraudulent transactions or engaging in malicious activities under their identity.
- Credential Stuffing: Attackers use automated tools to try stolen username-password pairs across multiple sites. This specifically focuses on exploiting users who reuse passwords to access additional accounts.
- Financial Fraud: Stolen credentials can be used to access and drain funds from bank accounts or make unauthorized purchases with credit cards.
- Loan and Credit Applications: Hackers may use stolen identities to apply for loans or credit cards, leaving victims with the debt.
- Dark Web Markets: Stolen credentials are often sold on the dark web to other cybercriminals who can use them for further exploitation.
- Bundles and Lists: Credentials are frequently packaged into combo lists, making them easier to sell and more valuable to buyers.
- Phishing and Social Engineering: Access to email accounts can be used to send phishing emails from legitimate accounts, increasing the likelihood of success in future attacks.
- Targeted Attacks: Personal information obtained from accounts can be used to write convincing phishing or social engineering attacks against individuals or organizations.
- Deploy Ransomware: Hackers use stolen credentials to gain access to systems and deploy ransomware, encrypting files and demanding payment for decryption keys.
- Espionage: In some cases, attackers use access to sensitive systems for corporate or government espionage, stealing confidential information.
- Government Surveillance: State-sponsored attackers may use stolen credentials for espionage purposes, accessing sensitive government or defense systems.
- Data Exfiltration and Resale: Attackers exfiltrate sensitive data, such as trade secrets or intellectual property, and sell it to competitors or other interested parties.
- Business Email Compromise (BEC): Hackers can take over email accounts to impersonate company executives or vendors. The spoofed emails are used to trick businesses into making unauthorized wire transfers or paying fake invoices.
What should I do if my credentials have been leaked?
It’s important to mitigate the potential damage from leaked credentials as quickly as possible. Here’s a step-by-step guide:
- Immediately Reset Compromised Passwords: Identify and reset passwords for all affected accounts within the organization. Ensure the new passwords are strong and unique. Consider mandating the use of a password manager to generate and store strong, unique passwords for all employee accounts.
- Enable Multi-Factor Authentication (MFA) Across All Accounts: Implement MFA for all employee accounts to add an extra layer of security. This helps protect accounts even if credentials are compromised.
- Conduct a Security Audit: Investigate the source of the leak to determine how credentials were exposed and whether other vulnerabilities exist. Analyze access logs to identify any unauthorized access or suspicious activity on affected systems.
- Monitor for Unusual Activity: Set up real-time monitoring for all critical systems to detect anomalies or unauthorized access attempts. Have an incident response plan in place so you can respond effectively when a crisis happens.
- Communicate with Affected Parties: Notify employees about the breach and provide guidance on how to protect their accounts. If relevant, communicate with partners, clients, or stakeholders who may be affected by the breach.
- Consider Professional Security Services: Engage external cybersecurity experts to conduct a security assessment and/or penetration testing to identify and address vulnerabilities.
- Dark Web Monitoring: Leverage dark web monitoring services, like Breachsense, to alert your organization when its credentials or sensitive information are found on underground markets. This enables your security team to reset credentials before they’re exploited.
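The audit and monitoring steps above (analyze access logs, detect unauthorized access) and the credential stuffing behaviour described earlier share one detectable signature: a single source trying many distinct usernames with mostly failures, occasionally followed by a success. The script below is an added example, not code from this article or from Breachsense; it runs over constructed authentication log lines in an assumed `ts ip= user= result=` format (adapt `LINE_RE` to your own log layout) and returns the flagged sources plus the accounts that should be reset first because they logged in successfully from one of them.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample log (not real data). 203.0.113.5 sprays six usernames
# with five failures and one success; 198.51.100.7 is a single user who
# mistyped once; 192.0.2.9 is ordinary traffic. All IPs are documentation ranges.
SAMPLE_LOG = """\
2024-05-01T10:00:01Z ip=203.0.113.5 user=alice result=FAIL
2024-05-01T10:00:02Z ip=203.0.113.5 user=bob result=FAIL
2024-05-01T10:00:03Z ip=203.0.113.5 user=carol result=FAIL
2024-05-01T10:00:04Z ip=203.0.113.5 user=dave result=FAIL
2024-05-01T10:00:05Z ip=203.0.113.5 user=erin result=FAIL
2024-05-01T10:00:06Z ip=203.0.113.5 user=frank result=SUCCESS
2024-05-01T10:01:00Z ip=198.51.100.7 user=alice result=FAIL
2024-05-01T10:01:30Z ip=198.51.100.7 user=alice result=SUCCESS
2024-05-01T10:02:00Z ip=192.0.2.9 user=grace result=SUCCESS
"""

# Assumed log format; change this pattern to match your own auth logs.
LINE_RE = re.compile(
    r"^(?P<ts>\S+) ip=(?P<ip>\S+) user=(?P<user>\S+) result=(?P<result>\S+)$"
)


def parse_log(text):
    """Turn raw lines into event dicts; malformed lines are skipped, not fatal."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        ev = m.groupdict()
        ev["ts"] = datetime.strptime(ev["ts"], "%Y-%m-%dT%H:%M:%SZ")
        ev["ok"] = ev["result"] == "SUCCESS"
        events.append(ev)
    return events


def detect_credential_stuffing(events, min_distinct_users=5, min_fail_ratio=0.8):
    """Flag source IPs that attempt many distinct usernames and mostly fail.
    Thresholds are illustrative; tune them to your own baseline traffic."""
    per_ip = defaultdict(lambda: {"users": set(), "fails": 0, "total": 0})
    for ev in events:
        stats = per_ip[ev["ip"]]
        stats["users"].add(ev["user"])
        stats["total"] += 1
        if not ev["ok"]:
            stats["fails"] += 1
    flagged = {}
    for ip, stats in per_ip.items():
        ratio = stats["fails"] / stats["total"]
        if len(stats["users"]) >= min_distinct_users and ratio >= min_fail_ratio:
            flagged[ip] = {"distinct_users": len(stats["users"]),
                           "fail_ratio": round(ratio, 2)}
    return flagged


def accounts_to_reset_first(events, flagged_ips):
    """Accounts with a SUCCESS from a flagged source: likely taken over."""
    return sorted({ev["user"] for ev in events if ev["ok"] and ev["ip"] in flagged_ips})


if __name__ == "__main__":
    evs = parse_log(SAMPLE_LOG)
    flagged = detect_credential_stuffing(evs)
    for ip, info in flagged.items():
        print(f"suspicious source {ip}: {info}")
    print("reset first:", accounts_to_reset_first(evs, flagged))
```

Flagging on distinct usernames per source rather than on raw failure counts is what separates stuffing from a legitimate user fumbling one password, and the "success from a flagged source" list is the direct input to the password-reset step.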