by peter


Credential Dumping Explained


Risk Rating: MEDIUM
Likelihood: 2/5
Impact: 5/5


  • Failure to test and protect applications
  • Vulnerabilities in applications

Credential Dumping Overview

Disney+ signed up 10 million users and its stock hit a record high shortly after. But that shine quickly faded when many of those eager subscribers began complaining about being locked out of their accounts. Within days of the launch, Disney+ credentials were up for grabs for as little as $3.

Disney said the site wasn’t actually breached — allegedly, users who found their credentials online likely fell victim to a common (but notoriously bad) practice: using the same password across multiple sites that were later hit by a credential dumping attack.

What you need to know about credential dumping

Credential dumping simply refers to an attack that relies on gathering credentials from a targeted system. Even though the credentials may not be in plain text — they’re often hashed or encrypted — an attacker can still extract the data and crack it offline on their own systems. This is why the attack is referred toas “dumping.”

Often hackers will try to steal passwords from systems they have already compromised. Think about the aforementioned command and control attack and moving laterally through a network. But the problem becomes amplified when users replicate the same password across multiple accounts through multiple systems.

Identifying a credential dump can have its problems. A SOC that is monitoring correctly will see excessive data being exposed. A penetration test run well will identify where applications are exposing vast amounts of data. Regular Cyber Security Testing will be the key to ensuring your attack surface is minimized. A responsible disclosure program will help harness the power of the security swarm.

How a credential dumping attack happens

Credentials obtained this way usually include those of privileged users, which may provide access to more sensitive information and system operations. Hackers often target a variety of sources to extract the credentials, including accounts like the security accounts manager (SAM), local security authority (LSA), NTDS from domain controllers or the group policy preference (GPP) files. Once attackers obtain valid credentials, they use them to move throughout a target network with ease, discovering new systems and identifying assets of interest.

Attack Sources

Credential dumping can originate from anywhere. And because we’re all guilty of recycling passwords, the passwords from credential dumping attacks can be reused over and over again with a high likelihood of success, and that information can be sold for future attacks.