Leaked Credentials

What are leaked credentials?

Leaked credentials are usernames, passwords, and other authentication details that have been stolen or accidentally exposed to unauthorized parties.

This typically happens when cybercriminals hack into websites, databases, or systems and then release or sell the information online. These credentials can include:

  • Usernames and Passwords: The most common type of leaked credentials, used to access accounts on websites and services.
  • Session Tokens: Because a session token represents a login that has already been completed, replaying a stolen token lets an attacker bypass multi-factor authentication (MFA) and gain unauthorized access to an application.
  • Security Questions and Answers: Used for account recovery processes.
  • API Keys and Access Tokens: For accessing applications and services programmatically.

When credentials are leaked, they are often shared on the dark web or other platforms, where they are used for malicious purposes, such as identity theft, account takeovers, and fraud.

Why are leaked credentials an ongoing problem?

Leaked credentials provide a steady supply of usernames and passwords for cybercriminals to exploit.

Many people reuse passwords across multiple accounts, making it significantly easier for attackers to access multiple services once a single set of credentials is leaked.

These credentials are often sold or shared on the dark web, giving attackers an almost endless supply of accounts to exploit.

Additionally, without ongoing monitoring, many organizations have no visibility into which of their credentials have been exposed, which increases the amount of time criminals have to exploit them.

For example, according to IBM, breaches involving stolen or compromised credentials took, on average, 292 days to identify and contain.

How do credentials get leaked?

There are a number of ways credentials end up in criminals' hands. Here are some of the most common:

1. Malware and Keyloggers

  • Malware: Malicious software, such as infostealers, is installed on a user’s device to harvest saved credentials directly, often without the user’s knowledge.
  • Keyloggers: This type of malware records keystrokes, capturing usernames and passwords as they are typed.

2. Data Breaches

  • Hacking: Cybercriminals exploit vulnerabilities in a company’s systems to gain unauthorized access to databases containing user credentials.
  • SQL Injection: Attackers insert malicious SQL into input fields that a website passes unsanitized to its database, allowing them to extract stored usernames and passwords.

3. Phishing Attacks

  • Email Phishing: Attackers send emails that appear to be from legitimate sources to trick users into entering their credentials on fake websites.
  • Spear Phishing: Targeted attacks on specific individuals or organizations using personalized information to make the phishing attempt more convincing.

4. Social Engineering

  • Pretexting: Attackers create a false scenario to manipulate individuals into divulging confidential information, including credentials.
  • Impersonation: Cybercriminals pretend to be trusted entities, like IT support, to trick users into revealing their login details.

5. Credential Stuffing

  • Automated Attacks: Attackers use automated tools to test large volumes of username-password pairs (often obtained from previous breaches) across various websites to find accounts where users have reused passwords.

6. Insider Threats

  • Disgruntled Employees: Current or former employees with access to sensitive information may leak credentials deliberately.
  • Accidental Disclosure: Employees might unintentionally expose credentials by mishandling sensitive information or falling for phishing scams.

7. Exposed Databases and Misconfigurations

  • Open Databases: Misconfigured databases left exposed on the internet can allow unauthorized access to stored credentials.
  • Cloud Misconfigurations: Incorrectly configured cloud storage solutions may unintentionally expose sensitive data to the public.

8. Reuse of Compromised Passwords

  • Password Reuse: Users often reuse passwords across multiple accounts. If one account is compromised, the credentials can be used to access other accounts.

What do hackers do with stolen credentials?

Here are some common uses of stolen credentials:

1. Account Takeover

  • Unauthorized Access: Hackers use stolen credentials to log into victims’ accounts, gaining unauthorized access to personal information, financial details, and other sensitive data.
  • Identity Theft: Attackers may impersonate the victim, making fraudulent transactions or engaging in malicious activities under their identity.

2. Credential Stuffing

  • Automated Login Attempts: Cybercriminals use automated tools to try stolen username-password pairs across multiple sites, exploiting users who reuse passwords to access additional accounts.
  • Access to Multiple Accounts: Successful credential stuffing can lead to unauthorized access to various accounts, including banking, email, and social media.

3. Financial Fraud

  • Bank and Credit Card Accounts: Stolen credentials can be used to access and drain funds from bank accounts or make unauthorized purchases with credit cards.
  • Loan and Credit Applications: Hackers may use stolen identities to apply for loans or credit cards, leaving victims with the debt.

4. Selling on the Dark Web

  • Dark Web Markets: Stolen credentials are often sold on the dark web to other cybercriminals who can use them for further exploitation.
  • Bundles and Lists: Credentials are frequently packaged into combo lists, making them easier to sell and more valuable to buyers.

5. Phishing and Social Engineering

  • Further Attacks: Access to email accounts can be used to send phishing emails from legitimate accounts, increasing the likelihood of success in future attacks.
  • Targeted Attacks: Personal information obtained from accounts can be used to write convincing phishing or social engineering attacks against individuals or organizations.

6. Ransomware Deployment

  • Access to Systems: Hackers can use stolen credentials to gain access to systems and deploy ransomware, encrypting files and demanding payment for decryption keys.
  • Espionage: In some cases, attackers use access to sensitive systems for corporate or government espionage, stealing confidential information.

7. Data Exfiltration and Resale

  • Sensitive Data Theft: Attackers may exfiltrate sensitive data, such as trade secrets or proprietary information, and sell it to competitors or other interested parties.
  • Intellectual Property Theft: Stolen credentials can provide access to valuable intellectual property, which can be sold or used to undermine a competitor.

8. Business Email Compromise (BEC)

  • Fraudulent Transactions: Hackers may impersonate executives or employees to trick businesses into making unauthorized wire transfers or paying fake invoices.
  • Vendor Impersonation: Attackers can impersonate vendors or suppliers, redirecting legitimate payments to their accounts.

9. Espionage and Surveillance

  • Corporate Espionage: Access to business accounts can be used to gather intelligence on competitors or steal proprietary information.
  • Government Surveillance: State-sponsored attackers may use stolen credentials for espionage purposes, accessing sensitive government or defense systems.

What should I do if my credentials have been leaked?

If your organization discovers that its credentials have been leaked, it’s important to mitigate the potential damage as quickly as possible. Here’s a step-by-step guide for IT teams responding to leaked company credentials:

1. Immediately Reset Compromised Passwords

  • Affected Accounts: Identify and reset passwords for all affected accounts within the organization. Ensure the new passwords are strong and unique.
  • Password Manager: Consider mandating the use of password managers to generate and store strong, unique passwords for all employee accounts.

2. Enable Multi-Factor Authentication (MFA) Across All Accounts

  • Mandatory MFA: Implement MFA for all employee accounts to add an extra layer of security. This helps protect accounts even if credentials are compromised.
  • Educate Employees: Train staff on how to use authentication apps and the importance of MFA in securing their accounts.

3. Conduct a Thorough Security Audit

  • Identify Breach Sources: Investigate the source of the leak to determine how credentials were exposed and whether other vulnerabilities exist.
  • Review Logs: Analyze access logs to identify any unauthorized access or suspicious activity on affected systems.

4. Monitor for Unusual Activity

  • Real-Time Monitoring: Set up real-time monitoring for all critical systems to detect unusual behavior or unauthorized access attempts.
  • Incident Response: Have an incident response plan in place to quickly address any security breaches or suspicious activity.

5. Communicate with Affected Parties

  • Notify Employees: Inform employees about the breach and provide guidance on how to protect their accounts.
  • Inform Partners and Clients: If necessary, communicate with partners, clients, or stakeholders who may be affected or at risk.

6. Consider Professional Security Services

  • Security Assessments: Engage with cybersecurity experts to conduct security assessments and penetration testing to identify and address vulnerabilities.
  • Dark Web Monitoring: Leverage dark web monitoring services, like Breachsense, to alert your organization when its credentials or sensitive information are found on underground markets.
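The log review in step 3 and the monitoring in step 4 are where credential stuffing and the account takeovers that follow it usually become visible. The script below is an added illustration, not code from Breachsense or from this page: it scans a constructed set of authentication log lines (the simple "timestamp ip user result" format is an assumption) and flags source IPs that try many distinct usernames with a high failure rate, listing any accounts that did log in from such a source as likely takeovers.

```python
import re
from collections import defaultdict

# Constructed sample auth log lines (not from any real system). Format is an
# assumption for this example: "<timestamp> <source ip> <username> <FAIL|SUCCESS>"
SAMPLE_LOG = """\
2024-05-01T10:00:01Z 198.51.100.7 alice FAIL
2024-05-01T10:00:02Z 198.51.100.7 bob FAIL
2024-05-01T10:00:02Z 198.51.100.7 carol FAIL
2024-05-01T10:00:03Z 198.51.100.7 dave FAIL
2024-05-01T10:00:03Z 198.51.100.7 erin FAIL
2024-05-01T10:00:04Z 198.51.100.7 frank SUCCESS
2024-05-01T10:00:05Z 203.0.113.9 alice FAIL
2024-05-01T10:00:09Z 203.0.113.9 alice SUCCESS
2024-05-01T10:01:00Z 192.0.2.44 grace SUCCESS
"""

LINE_RE = re.compile(r"^(\S+) (\S+) (\S+) (FAIL|SUCCESS)$")

def parse(log_text):
    """Yield (ip, user, succeeded) for each well-formed line; skip the rest."""
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if m:
            _ts, ip, user, result = m.groups()
            yield ip, user, result == "SUCCESS"

def find_stuffing_sources(log_text, min_users=5, min_fail_rate=0.8):
    """Return {ip: {"users", "fails", "hits"}} for sources that look like
    credential stuffing: many distinct usernames from one IP, mostly failing.
    "hits" lists accounts that DID authenticate from such a source; those are
    the accounts to reset and investigate first (step 1 and step 3 above)."""
    per_ip = defaultdict(lambda: {"users": set(), "fails": 0, "total": 0, "hits": []})
    for ip, user, ok in parse(log_text):
        rec = per_ip[ip]
        rec["users"].add(user)
        rec["total"] += 1
        if ok:
            rec["hits"].append(user)
        else:
            rec["fails"] += 1
    flagged = {}
    for ip, rec in per_ip.items():
        fail_rate = rec["fails"] / rec["total"]
        if len(rec["users"]) >= min_users and fail_rate >= min_fail_rate:
            flagged[ip] = {"users": len(rec["users"]), "fails": rec["fails"],
                           "hits": rec["hits"]}
    return flagged

if __name__ == "__main__":
    for ip, info in find_stuffing_sources(SAMPLE_LOG).items():
        print(f"{ip}: {info['users']} usernames, {info['fails']} failures, "
              f"likely takeovers: {info['hits']}")
```

A single user retrying their own password (203.0.113.9 in the sample) is not flagged, while the source cycling through a combo list is, with the one account it got into called out for reset.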