by peter


Compromised Credentials Explained


Risk Rating: MEDIUM
Likelihood: 3/5
Impact: 3/5


  • Password reuse
  • Failure to monitor for third-party breaches
  • Poor-quality passwords
  • Short passwords (fewer than 16 characters)

Compromised Credentials Overview

Former internet giant Yahoo inevitably comes to mind when compromised credentials come up. A breach disclosed in 2016 (the intrusion itself dated to 2014) exposed half a billion users’ personal information, including their dates of birth and telephone numbers. It got worse: later that year, Yahoo announced that a separate breach in 2013 had compromised 1 billion accounts (eventually revealed to be all 3 billion), along with hashed passwords and, in some cases, unencrypted security questions and answers. Unsurprisingly, Yahoo’s sale price was cut by about $350 million shortly afterwards.

Compromised credentials are very common and readily available on the web. Our offensive security team has access to 6TB of clear-text passwords and associated user IDs.

What you need to know about compromised credentials

Most people still rely on single-factor authentication to identify themselves (a pretty big no-no in the cybersecurity space). And while stricter password requirements are starting to be enforced (minimum length, a mix of symbols and numbers, renewal intervals), end users still reuse the same credentials across accounts, platforms and applications and fail to update them. This makes it easy for an adversary who obtains one password to get into a user’s other accounts, and a number of today’s breaches are the result of credential-harvesting and credential-stuffing campaigns that exploit exactly that.

Detecting compromised accounts is straightforward enough. Does your SOC monitor breach disclosures for credentials belonging to your users? Does your SOC track a run of failed logins followed by a successful login for the same account from the same source?
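The second SOC check above, failed logins followed by a success, as an added example rather than code from the original page: a small detector that parses constructed sshd-style auth log lines (the line format and the sample lines are assumptions for this example) and flags any successful login preceded by a burst of failures for the same user and source address inside a sliding time window.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log lines for this example (not from a real system).
# The sshd-style line format is an assumption; adjust LINE_RE for your own auth logs.
SAMPLE_LOG = """\
2024-03-01T09:00:01Z sshd: Failed password for alice from 203.0.113.7
2024-03-01T09:00:03Z sshd: Failed password for alice from 203.0.113.7
2024-03-01T09:00:05Z sshd: Failed password for alice from 203.0.113.7
2024-03-01T09:00:08Z sshd: Accepted password for alice from 203.0.113.7
2024-03-01T09:10:00Z sshd: Failed password for bob from 198.51.100.4
2024-03-01T09:30:00Z sshd: Accepted password for bob from 198.51.100.4
2024-03-01T10:00:00Z sshd: Accepted password for carol from 192.0.2.9
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) sshd: (?P<result>Failed|Accepted) password "
    r"for (?P<user>\S+) from (?P<src>\S+)$"
)


def parse_auth_log(log_text):
    """Turn log lines into (timestamp, user, source_ip, success) tuples; unmatched lines are skipped."""
    events = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ")
        events.append((ts, m["user"], m["src"], m["result"] == "Accepted"))
    return events


def failures_then_success(events, min_failures=3, window_seconds=300):
    """Flag each successful login preceded by at least `min_failures` failed
    attempts for the same (user, source) within the last `window_seconds`.

    Returns a list of (user, source_ip, failure_count, success_timestamp).
    """
    window = timedelta(seconds=window_seconds)
    recent_failures = defaultdict(list)  # (user, src) -> failure timestamps still inside the window
    alerts = []
    for ts, user, src, success in sorted(events):
        key = (user, src)
        # Slide the window: forget failures older than `window` relative to this event.
        recent_failures[key] = [t for t in recent_failures[key] if ts - t <= window]
        if success:
            if len(recent_failures[key]) >= min_failures:
                alerts.append((user, src, len(recent_failures[key]), ts))
            recent_failures[key].clear()  # a success resets the counter for this pair
        else:
            recent_failures[key].append(ts)
    return alerts


if __name__ == "__main__":
    for user, src, n, ts in failures_then_success(parse_auth_log(SAMPLE_LOG)):
        print(f"ALERT {ts.isoformat()} {user}@{src}: success after {n} failures")
```

On the sample lines only alice trips the rule (three failures in seven seconds, then success); bob's single failure twenty minutes before his login falls outside the five-minute window, which is the point of windowing rather than counting failures for ever. Tune `min_failures` and `window_seconds` to your own baseline, and key on the source address as well as the user so a user who mistypes once is not confused with an attacker spraying from one host.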

Defending against compromised credentials should be fairly simple. A good password policy (long passphrases, screened against lists of passwords already seen in breaches) along with sensible user awareness training will go a long way towards ensuring credentials are not compromised, or at least not reused. Of course, two-factor authentication is the single most effective control, because a stolen password on its own is no longer enough to log in.
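The two password-policy points above (minimum length and not appearing in a known breach) as an added example, not code from the original page: a checker that screens a candidate password against a breach corpus using the k-anonymity range-query scheme of Have I Been Pwned's Pwned Passwords API, where the client sends only the first five hex characters of the SHA-1 hash and compares suffixes locally. The corpus here is a constructed stand-in of a few hashes so the example runs offline; the function and variable names are this example's own.

```python
import hashlib


def sha1_hex(password):
    """Upper-case hex SHA-1 of the password, the digest format used by range-query breach lookups."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest().upper()


# Constructed stand-in for a breach corpus: hashes of a few passwords we declare "seen in a breach".
# A real corpus (such as the 6TB of clear-text passwords mentioned above) would be far larger
# and should itself be stored as hashes, never as clear text.
BREACH_CORPUS = {
    sha1_hex(p) for p in ("password", "123456", "letmein", "correcthorsebatterystaple")
}


def range_query(prefix):
    """Return the hash suffixes in the corpus that share the given 5-character prefix.

    This mirrors the k-anonymity range query used by the Pwned Passwords API: the full
    hash never leaves the client, only the prefix, so the service learns at most which
    bucket of hashes you asked about. Implemented here against the local stand-in corpus.
    """
    if len(prefix) != 5:
        raise ValueError("prefix must be exactly 5 hex characters")
    return {h[5:] for h in BREACH_CORPUS if h.startswith(prefix)}


def is_breached(password):
    """True if the password appears in the corpus, checked without revealing the full hash."""
    h = sha1_hex(password)
    return h[5:] in range_query(h[:5])


def check_password(password, min_length=16):
    """Apply the page's policy points: minimum length and not present in known breaches.

    Returns a list of failed checks; an empty list means the password passes.
    """
    problems = []
    if len(password) < min_length:
        problems.append("too_short")
    if is_breached(password):
        problems.append("breached")
    return problems


if __name__ == "__main__":
    for candidate in ("password", "correcthorsebatterystaple", "tangerine-bicycle-lantern-09"):
        print(f"{candidate!r}: {check_password(candidate) or 'OK'}")
```

Note that a long password is not automatically a safe one: `correcthorsebatterystaple` clears the 16-character bar but is in the constructed corpus and is rejected as breached, which is exactly the case a length-only policy misses. The SHA-1 here is a lookup key for the breach check, not a storage format; keep stored credentials under a slow salted hash.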

How a compromised credentials attack happens

A compromised credential is a password, key or other identifier that has been discovered and can be used by a threat actor to gain unauthorized access to information and resources; the exposure can range from a single account to an entire database.

By leveraging a trusted account within a targeted organization, a threat actor can operate undetected and exfiltrate sensitive data sets without raising any red flags, because the activity looks like a legitimate user’s. Common methods for harvesting credentials include password sniffers, phishing campaigns and malware.

Attack Sources

Compromised credentials represent a huge attack vector, giving threat actors a way into computing devices, password-protected accounts and an organization’s network infrastructure with relative ease. These perpetrators are often organized, with their sights set on a specific organization or person. And they are not always outside the organization: the attacker could very well be an insider who already has some level of legitimate access to the company’s systems and data.