Understanding compromised credentials
Credential compromise is one of the most common root causes of data breaches. Because a valid credential looks like a legitimate user to the system that accepts it, identity is one of the broadest and most dangerous attack surfaces an organization exposes.
Credentials gate access to most systems and software applications, so threat actors prioritize stealing them. Once an attacker can authenticate with compromised credentials, they can steal sensitive personal or corporate information, deploy ransomware or other malware, take over accounts, and establish the persistent, low-profile access that longer campaigns depend on.
Definition and meaning of compromised credentials
Compromised credentials are user login details (e.g., usernames, passwords, personal identification numbers, and security question answers) that have been stolen with the intent of using them to gain unauthorized access to networks, applications, assets, or accounts. Once acquired, compromised credentials often lead to the exposure and loss of sensitive data, financial loss, and severe reputational damage.
Indicators of compromised credentials
Prevention is the goal, but no organization avoids compromised credentials entirely, so early detection is critical to limiting the impact.
The following are common indicators that credentials may have been stolen or exposed.
Account lockouts or password resets
Account lockouts or unexpected password resets are strong indicators of compromised credentials. Brute force and password-spraying attacks trigger lockouts through repeated failed login attempts; a spike in lockouts across many accounts in a short period, rather than one user mistyping a password, is the pattern to look for.
Alternatively, threat actors might reset passwords to gain exclusive access and lock out legitimate users. Users should watch for password reset notifications that they did not initiate.
Increased login attempts on multiple services
Increased login attempts on multiple services are often an indicator of credential stuffing or reuse attacks where attackers use compromised credentials from one breach to try accessing other platforms (e.g., stealing credentials from an online shopping site and then using those to attempt to access banking systems).
Logins from new devices or new locations
Login notifications from new devices or unfamiliar locations are potential signs of credential compromise. Attackers often use virtual private networks (VPNs) or unfamiliar devices to mask their identity and location. If users receive such alerts without recognizing the activity, it could indicate compromised credentials.
Multiple accounts accessed by the same device or IP
Multiple accounts accessed from the same device or internet protocol (IP) address can indicate credential compromise, especially if the behavior is inconsistent with normal user behavior. This can simply be users sharing a device or sitting behind the same NAT gateway or proxy, so known shared egress addresses should be excluded before alerting; outside those cases, it is often an attacker who has not bothered to vary devices or addresses when logging into different accounts.
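The three indicators above (spraying-induced lockouts, many accounts from one address, a login from a country the user has never used) can be expressed as simple rules over authentication logs. The following Python is an added example written for this page, not detection logic from any product; the log format, the thresholds, the allowlist of shared egress addresses and the per-user country baseline are all constructed for the demonstration.

```python
"""Detection rules for three credential-compromise indicators, run over
constructed authentication log lines (added example, not a product's rules)."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log, one event per line:
# "<timestamp> <user> <src_ip> <country> <success|failure>"
SAMPLE_LOG = """\
2024-05-01T08:00:01Z alice 203.0.113.7 US success
2024-05-01T08:00:05Z bob 203.0.113.7 US failure
2024-05-01T08:00:06Z carol 203.0.113.7 US failure
2024-05-01T08:00:07Z dave 203.0.113.7 US failure
2024-05-01T08:00:08Z erin 203.0.113.7 US failure
2024-05-01T08:00:09Z frank 203.0.113.7 US failure
2024-05-01T08:00:10Z grace 203.0.113.7 US failure
2024-05-01T08:05:00Z alice 198.51.100.9 US success
2024-05-01T08:06:00Z bob 198.51.100.9 US success
2024-05-01T08:07:00Z carol 198.51.100.9 US success
2024-05-01T08:08:00Z dave 198.51.100.9 US success
2024-05-01T08:10:00Z alice 203.0.113.250 US success
2024-05-01T08:11:00Z bob 203.0.113.250 US success
2024-05-01T08:12:00Z carol 203.0.113.250 US success
2024-05-01T09:00:00Z alice 192.0.2.44 RO success
"""

# Constructed allowlist: the corporate proxy egress, behind which many users
# legitimately share one address.
KNOWN_EGRESS = {"203.0.113.250"}

# Constructed baseline of countries each user has logged in from before.
BASELINE_COUNTRIES = {"alice": {"US"}, "bob": {"US"}, "carol": {"US"}, "dave": {"US"}}


def parse_log(text):
    """Turn the space-separated lines into event dicts with parsed timestamps."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, user, ip, country, result = line.split()
        events.append({
            "ts": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"),
            "user": user, "src_ip": ip, "country": country, "result": result,
        })
    return events


def detect_password_spraying(events, min_users=5, window=timedelta(minutes=10)):
    """One source IP failing against at least min_users distinct accounts inside
    the window: the low-and-slow pattern that causes a wave of lockouts while
    staying under any single account's failure threshold."""
    failures = defaultdict(list)
    for e in events:
        if e["result"] == "failure":
            failures[e["src_ip"]].append(e)
    flagged = {}
    for ip, evs in failures.items():
        evs.sort(key=lambda e: e["ts"])
        for i, end in enumerate(evs):
            in_window = {x["user"] for x in evs[: i + 1] if end["ts"] - x["ts"] <= window}
            if len(in_window) >= min_users:
                # Report every account the address failed against, not just the window.
                flagged[ip] = sorted({x["user"] for x in evs})
                break
    return flagged


def detect_shared_ip_access(events, min_users=3, known_egress=KNOWN_EGRESS):
    """At least min_users distinct accounts successfully authenticated from one
    address that is not a known shared egress point."""
    users_by_ip = defaultdict(set)
    for e in events:
        if e["result"] == "success" and e["src_ip"] not in known_egress:
            users_by_ip[e["src_ip"]].add(e["user"])
    return {ip: sorted(u) for ip, u in users_by_ip.items() if len(u) >= min_users}


def detect_new_locations(events, baseline=BASELINE_COUNTRIES):
    """Successful logins from a country absent from the user's baseline."""
    return [(e["user"], e["country"], e["src_ip"])
            for e in events
            if e["result"] == "success" and e["country"] not in baseline.get(e["user"], set())]


if __name__ == "__main__":
    evs = parse_log(SAMPLE_LOG)
    print("password spraying:", detect_password_spraying(evs))
    print("many accounts from one IP:", detect_shared_ip_access(evs))
    print("new location:", detect_new_locations(evs))
```

On the sample, the first rule flags 203.0.113.7 (six distinct accounts failing within five seconds), the second flags 198.51.100.9 but not the allowlisted proxy, and the third flags alice's login from RO. The allowlist is what keeps the second rule usable in practice: without it every corporate egress address trips it.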
Notifications from external breach monitoring services
Notifications from external breach monitoring services are likely indicators of compromised credentials. These third-party security services provide alerts when credentials are compromised in a data breach.
Security alerts or suspicious activity reports
Security alerts and suspicious activity reports do produce false positives, and detection systems increasingly apply machine learning to reduce that noise, but either way they should be triaged as credible indicators of credential compromise rather than dismissed. These notifications flag failed login attempts, unusual login patterns, access from unfamiliar devices or IPs, and modifications to account settings; several of them converging on one account raises confidence considerably.
Spam or phishing emails from users’ accounts
When spam and phishing emails are sent from a user's email account, it is likely that the user's credentials have been compromised. Attackers use compromised accounts to message others in the organization or the user's contacts and trick them into opening malicious links or attachments that appear to come from a "trusted" sender.
Suspicious VPN proxies
Suspicious VPN proxies can indicate potential credential compromise, as attackers often use these tools to mask their IP addresses and locations. Unusual login attempts from unknown VPN services, especially from unfamiliar regions or devices, can signal unauthorized access.
Unexplained changes to account settings
Changes to account settings, such as modified recovery emails, security questions, or password reset options, that a user did not initiate are strong indicators of credential compromise. Although these could have been made by an administrator, they are more likely the work of an attacker seeking to lock in control of the account.
Use of emulators and virtual machines
Logins from emulators or virtual machines (VMs) can indicate compromised credentials. Threat actors use these tools to present a clean, disposable device for each attempt, which defeats device fingerprinting and "remembered device" exemptions from multi-factor authentication, and lets them test large volumes of credentials from automated infrastructure. A session whose device attributes carry emulator or hypervisor signatures and match none of the devices the user has registered deserves scrutiny.
How credentials get compromised
Attackers employ a variety of tactics to compromise credentials or gain access to compromised credentials. Several commonly used approaches to exploit this attack vector include:
- Brute force attacks try many automatically generated or dictionary passwords against an account; password spraying is the variant that tries a few common passwords against many accounts to stay under lockout thresholds.
- Credential stuffing exploits password reuse: credentials leaked from one service are tried in bulk against many others.
- Dark web markets sell cracked or leaked passwords.
- Insider threats result from malicious misuse of authorized privileges to steal credentials.
- Malware, such as keyloggers and spyware, captures credentials without the user's or the organization's knowledge.
- Phishing campaigns trick users into entering their credentials on attacker-controlled pages or otherwise handing them over.
Real-world incidents related to compromised credentials
The following are real-world examples of attacks that leveraged compromised credentials. Spanning more than a decade, they show how credential compromise plays out in practice and the damage it can do.
23andMe—2023
Millions of 23andMe customers’ information was stolen in a credential-stuffing attack. Personally identifiable information (PII), including names, genders, profile photos, birth dates, addresses, and genetic results were stolen.
23andMe believes that the credentials used in the compromise were gathered from another attack that harvested credentials from other online platforms. The credentials that enabled the attack were recycled (i.e., the same credentials were used across multiple platforms).
Canva Data Breach—2019
Attackers used compromised credentials to access Canva’s user database and exfiltrate data for 139 million users, including usernames, email addresses, and hashed passwords. Although passwords were hashed, the data breach exposed Canva users to phishing and credential stuffing risks. Canva believes that the attackers likely obtained credentials from third-party breach dumps or recycled passwords from other compromised services.
Colonial Pipeline—2021
A ransomware group encrypted critical systems, forcing the shutdown of the pipeline that supplies fuel to much of the U.S. East Coast. Colonial Pipeline paid $4.4 million in ransom to restore operations. The attackers are believed to have entered through a VPN account whose password had been exposed in a previous data breach and reused; the account was not protected by multi-factor authentication.
LinkedIn—2012
Passwords for 6.5 million LinkedIn users were leaked online, forcing the company to initiate password resets for affected users. Many users who reused these passwords on other platforms were later compromised in subsequent credential-stuffing attacks.
Marriott International—2018
Compromised credentials were used to access Marriott’s Starwood guest reservation system. PII and sensitive information for hundreds of millions of customers, including names, credit card information, and passport numbers, were exposed.
The attacker used Marriott employees’ credentials, which were obtained through a combination of phishing and credential stuffing. Marriott faced regulatory fines and lawsuits due to the breach.
Nintendo—2020
A compromised credential attack on Nintendo resulted in the theft of billing and account information, including credit card type, expiration date, the first six digits, and the last four digits of credit cards, from more than 300,000 user accounts. This was a credential-stuffing attack that used previously leaked credentials from other breaches to access Nintendo Network IDs (NNIDs). As a result of the data breach, unauthorized purchases were made.
RSA SecurID—2011
Attackers compromised employee credentials through phishing emails carrying a malicious attachment and used that foothold to steal data related to RSA's SecurID tokens, a widely used two-factor authentication system. RSA spent millions replacing affected tokens and restoring trust in its security products.
Twitter—2020
Using social engineering against employees, attackers obtained credentials that gave them access to Twitter's internal account-management tools. With this access they hijacked the accounts of a number of high-profile figures, including Elon Musk, Barack Obama, and Jeff Bezos, and posted fake cryptocurrency giveaways. The attack caused significant disruption and damaged Twitter's reputation.
Uber—2022
Attackers who had obtained a contractor's credentials defeated multi-factor authentication with an MFA fatigue attack, bombarding the contractor with push notifications until one was approved. With that foothold they reached internal systems, including Slack, Amazon Web Services (AWS), and Google Workspace. The intrusion forced Uber to take internal tools offline and resulted in the exposure of sensitive employee and internal financial data.
Tools and techniques for detecting compromised credentials
The most effective way to detect compromised credentials is a multi-layered approach: no single tool sees every indicator. Among the many solutions that can be combined to detect and respond to compromised credentials are the following.
Breach monitoring and dark web scanning tools
These tools monitor dark web forums, data dumps, and underground marketplaces for exposed credentials. Organizations can use these notifications to help remediate compromised credentials.
Endpoint detection and response (EDR) tools
Using EDR tools, endpoints can be continuously monitored for unusual processes and credential misuse. EDR tools can identify credential theft attempts by detecting malware, such as spyware and keyloggers.
Identity and access management (IAM) tools
IAM tools can be used to monitor login behavior, detect anomalies, and enforce access control policies. Additionally, some IAM tools can dynamically adjust authentication requirements based on login risk.
Multi-factor authentication bypass detection tools
These tools enforce MFA protocols and identify attempts to bypass the system or fatigue users. Capabilities of MFA bypass detection tools include blocking repeated MFA requests and monitoring for stolen or reused session tokens.
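As an added illustration of the push-flood part of that capability (example code written for this page, not any vendor's implementation), the guard below keeps a sliding window of push prompts per user, suppresses further prompts once the window overflows, records an alert, and refuses to trust an approval that arrives during a flood. The window size, the threshold and the use of unix seconds for the clock are assumptions.

```python
"""Sliding-window guard against MFA push fatigue (added example)."""
from collections import deque

MAX_PUSHES = 3         # prompts allowed per user per window before suppression
WINDOW_SECONDS = 300   # assumed window; tune to the IdP's prompt timeout


class PushGuard:
    """Tracks push prompts per user by unix-second timestamp. Once a user has
    received MAX_PUSHES prompts inside WINDOW_SECONDS, further prompts are
    suppressed, an alert is recorded, and any approval that arrives while the
    flood is in progress is reported as untrusted."""

    def __init__(self, max_pushes=MAX_PUSHES, window=WINDOW_SECONDS):
        self.max_pushes = max_pushes
        self.window = window
        self.history = {}        # user -> deque of push timestamps (seconds)
        self.suppressed = set()  # users whose pushes are currently blocked
        self.alerts = []         # (user, timestamp, reason)

    def _recent(self, user, now):
        """Drop timestamps older than the window and return what is left."""
        q = self.history.setdefault(user, deque())
        while q and now - q[0] > self.window:
            q.popleft()
        return q

    def request_push(self, user, now):
        """Return True if a push prompt may be sent, False if it is suppressed."""
        if user in self.suppressed:
            return False
        q = self._recent(user, now)
        if len(q) >= self.max_pushes:
            self.suppressed.add(user)
            self.alerts.append((user, now, "mfa_push_flood"))
            return False
        q.append(now)
        return True

    def approval_is_trusted(self, user, now):
        """An approval that follows a burst of prompts is the fatigue pattern;
        the caller should require a stronger factor (number matching, a
        hardware key) instead of granting access on it."""
        if user in self.suppressed:
            return False
        return len(self._recent(user, now)) < self.max_pushes

    def clear(self, user):
        """Lift suppression after the user re-proves identity or an analyst reviews."""
        self.suppressed.discard(user)
        self.history.pop(user, None)
```

A user who receives a prompt every few minutes never trips the guard because old timestamps age out of the window; a burst of four prompts inside a minute suppresses the fourth and flags the account. Clearing should be tied to a step-up verification, not to the passage of time, or the attacker simply waits and resumes.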
Network traffic monitoring and anomaly detection tools
Credential-based attacks can be detected using network monitoring and anomaly detection tools. These tools enable continuous network analysis and track login traffic to detect credential-based exploits such as brute force attacks and lateral movement.
Privileged access management (PAM) tools
PAM tools control and monitor privileged account access to prevent credential misuse. These tools can track privileged user activity to detect abuse and enable just-in-time access to limit over-privileging.
Security information and event management (SIEM) tools
SIEM tools aggregate log data from multiple sources, such as applications, firewalls, and endpoints, and correlate it to detect credential abuse and suspicious activity. If indicators of credential compromise are identified, these tools can trigger real-time alerts to enable swift containment and remediation.
Threat intelligence platforms
Threat intelligence tools gather and share information about known threats, including compromised credentials. By integrating threat intelligence feeds into security operations, these tools can detect compromised credentials.
User and entity behavior analytics (UEBA) tools
UEBA tools analyze users' and entities' behavior to detect suspicious activity that can indicate compromised credentials. These tools can identify activities such as lateral movement, unusual file access patterns, and unexpected data exfiltration attempts.
Best practices for preventing and defending against compromised credential attacks
In addition to leveraging the tools noted above, following operational best practices can also reduce the risk of compromised credentials. The following are several proven best practices for defending against compromised credential attacks:
- Conduct regular security audits
- Ban the use of previously compromised passwords
- Educate and train employees about security risks and how to avoid them
- Enforce the use of strong passwords
- Install all software and systems updates and security patches in a timely manner
- Require the use of multi-factor authentication (MFA)
- Use IP address blocklists
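Two of those practices, banning previously compromised passwords and enforcing strength rules, are usually implemented together at password-set time. The Python below is an added example (not code from the page or from any breach-data provider) of the k-anonymity range lookup used for this purpose: only the first five hex characters of the SHA-1 hash leave the client, and the match is done locally against the returned suffixes. The breach corpus, its counts and the policy thresholds are constructed for the demonstration; a real deployment would call a breach-data service or load a local copy of the corpus.

```python
"""Breached-password screening via k-anonymity range lookup (added example)."""
import hashlib
from collections import defaultdict

# Constructed breach corpus: password -> number of breaches it appeared in.
# Counts are invented for the demo; a real corpus holds hundreds of millions
# of entries and is only ever consulted by hash.
BREACHED = {"password": 1_000_000, "123456": 2_500_000, "letmein": 40_000, "Summer2024!": 12}


def sha1_hex(password):
    return hashlib.sha1(password.encode("utf-8")).hexdigest().upper()


# Index the corpus by 5-character hash prefix, mirroring how a range endpoint
# serves it: prefix -> {35-character suffix: count}.
RANGE_INDEX = defaultdict(dict)
for _pw, _count in BREACHED.items():
    _h = sha1_hex(_pw)
    RANGE_INDEX[_h[:5]][_h[5:]] = _count


def range_lookup(prefix):
    """Stand-in for the network call. The caller sends only the prefix, so the
    service cannot tell which of the (typically several hundred) candidates
    under that prefix the client actually holds."""
    if len(prefix) != 5:
        raise ValueError("prefix must be exactly 5 hex characters")
    return RANGE_INDEX.get(prefix, {})


def breach_count(password):
    """Number of breaches the password appears in (0 if unseen)."""
    h = sha1_hex(password)
    return range_lookup(h[:5]).get(h[5:], 0)


def check_password(password, min_length=12, banned_terms=("acme", "company")):
    """Return the list of policy violations; empty means acceptable.
    Thresholds and banned terms are placeholders for an organization's policy."""
    problems = []
    if len(password) < min_length:
        problems.append("too short")
    lowered = password.lower()
    if any(term in lowered for term in banned_terms):
        problems.append("contains a banned term")
    n = breach_count(password)
    if n:
        problems.append(f"found in {n} breaches")
    return problems


if __name__ == "__main__":
    for candidate in ("Summer2024!", "AcmeWelcome2024!!", "correct horse battery staple"):
        print(repr(candidate), "->", check_password(candidate) or "ok")
```

The prefix split is the security property worth noticing: the service sees a 20-bit prefix shared by many passwords, never the hash of the candidate itself, so a compromised lookup service does not become a password oracle. The same check should run on password change, not only at enrollment, and the rejection message should say the password is known-breached rather than merely "weak".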
Additionally, a rapid response when compromised credentials are detected is imperative. The following steps contain the threat and limit the damage; the first several are immediate containment, the rest follow once the account is under control:
- Freeze the compromised account
- Revoke all active sessions and tokens and require reauthentication
- Force an immediate password reset for the compromised account
- Verify that recovery emails, phone numbers, security questions, and password reset options have not been changed, and restore them if they have
- Disable suspicious email forwarding or inbox rules
- Review logs for unrecognized logins or access attempts, including what the account touched while compromised
- Run a full malware scan on the affected devices
- Inform the legitimate account owner
- Report the incident to the IT or security team
- Report the incident to relevant regulatory bodies as required by compliance requirements
- Notify law enforcement if the compromise involves significant financial loss or data theft
- Notify affected employees, customers, or partners if their data is at risk
- Enable or reinforce multi-factor authentication (MFA) and enforce strong password policies on the affected accounts
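The freeze, session-revocation and forced-reauthentication steps are the ones most often implemented incompletely: resetting a password does nothing to sessions that already hold a valid token. The following Python is an added example, not code from the page, showing one way to get all three: tokens carry an issued-at time and are HMAC-signed, and revocation records a per-user "not before" time so every token issued earlier fails validation without tracking tokens individually. The secret, the token layout and the integer-second clock are assumptions.

```python
"""Account freeze and bulk session revocation via a per-user not-before time
(added example)."""
import base64
import binascii
import hashlib
import hmac
import json

# Constructed signing key for the demo; a real service loads it from a secret store.
SECRET = b"constructed-demo-key-do-not-reuse"


def _b64(raw):
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def _unb64(text):
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


class SessionStore:
    """Stateless HMAC session tokens plus two pieces of server-side state:
    a per-user 'not before' second and a set of frozen accounts."""

    def __init__(self, secret=SECRET):
        self.secret = secret
        self.not_before = {}   # user -> unix second; tokens issued earlier are dead
        self.frozen = set()    # accounts that may not use any session

    def issue(self, user, now):
        """Mint a token for user at unix second now."""
        payload = json.dumps({"sub": user, "iat": int(now)}).encode()
        mac = hmac.new(self.secret, payload, hashlib.sha256).digest()
        return f"{_b64(payload)}.{_b64(mac)}"

    def validate(self, token):
        """Return the user for a valid, unrevoked token, else None."""
        try:
            p, m = token.split(".")
            payload, mac = _unb64(p), _unb64(m)
            expected = hmac.new(self.secret, payload, hashlib.sha256).digest()
            if not hmac.compare_digest(mac, expected):
                return None
            claims = json.loads(payload)
            user, iat = claims["sub"], int(claims["iat"])
        except (ValueError, KeyError, TypeError, binascii.Error):
            return None
        if user in self.frozen:
            return None
        if iat < self.not_before.get(user, 0):
            return None
        return user

    def revoke_all(self, user, now):
        """Invalidate every session issued up to and including this second.
        Tokens minted from the next second onward (after the password change)
        are accepted again; nothing per-token has to be stored."""
        self.not_before[user] = int(now) + 1

    def freeze(self, user):
        """Containment: no session for this account validates until unfreeze."""
        self.frozen.add(user)

    def unfreeze(self, user):
        self.frozen.discard(user)


if __name__ == "__main__":
    store = SessionStore()
    tok = store.issue("alice", 1_700_000_000)
    print("before revocation:", store.validate(tok))
    store.revoke_all("alice", 1_700_000_300)
    print("after revocation:", store.validate(tok))
```

The not-before map and the frozen set are the only state that must be shared across every service that validates tokens; if one validator does not consult them, the attacker's session survives there. Freezing is the step to take first, since it blocks the attacker regardless of how many tokens they hold, and revocation plus reissue is what lets the legitimate user back in afterwards.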
Compromised credentials: a significant but defensible threat
Compromised credentials will remain a persistent cyber threat: the payoff from a working credential keeps attackers focused on this vector.
Organizations can nonetheless defend against it effectively. Combining the detection tools described above with the operational practices that follow them mitigates the risk of compromised credentials.