by peter


Credential Reuse Attack Explained


Risk Rating: CRITICAL
Likelihood: 5/5
Impact: 5/5


  • Ineffective user training
  • Lack of password manager

Overview on a Credential Reuse Attack

Credential reuse attacks are very common. One of the more notable credential reuse attacks is the 2019 Dunkin Donuts breach — which, unluckily for the east coast chain, happened to be their second hack in two months. This time around, the threat actors went so far as to sell thousands of accounts on the dark web. They sold users’ credentials — including usernames and passwords — to the highest bidders, who could then try them across other consumer websites until they got a hit.

What you need to know about Credential Reuse Attacks

Credential reuse attacks are a pervasive issue across any company or userbase. Nowadays, most users have tens (if not hundreds) of accounts, and are tasked with remembering countless passwords that meet all sorts of stringent requirements. As a result, they’ll resort to reusing the same password over and over again, in the hopes of better managing and remembering their credentials across accounts. Unsurprisingly, this can cause major security issues when said credentials are compromised.

These attacks rely on a credential dump having occurred. Once these dumps reach the wider internet, they are immediately used by criminal elements. This means that defense is achieved through two means:

  1. Users need to be trained on how to handle passwords. Following the NCSC password guidance and having a user-friendly password policy is essential. This is going to empower the users to make memorable passwords. Hand in hand with this is providing users with a password manager to use, or allowing them to use their own password manager.
  2. The second defense is monitoring. Your Security team or your Security Operations Center should be monitoring for signs of compromised accounts on a minute-by-minute basis.
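
As an added example (not code from the original article), the following Python script shows one monitoring check a security team could run over authentication logs to catch a replayed credential dump: it flags any source address that attempts many distinct usernames within a short window, which is the signature of a stolen username/password list being tried against your site, and then lists every successful login from such a source as a probable reused-credential hit that warrants a forced password reset and session revocation. The log format (timestamp, user, source IP, result) and the sample lines are constructed for this example; the thresholds are assumptions to be tuned per environment.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample authentication log (not taken from any real system).
# Format per line: "<ISO timestamp> <username> <source IP> <FAIL|SUCCESS>"
# 198.51.100.7 is a legitimate user mistyping a password twice;
# 203.0.113.10 walks through a list of different usernames and gets one hit.
SAMPLE_LOG = """\
2024-05-01T09:00:01 alice 192.0.2.5 SUCCESS
2024-05-01T09:00:05 dave 198.51.100.7 FAIL
2024-05-01T09:00:09 dave 198.51.100.7 FAIL
2024-05-01T09:00:14 dave 198.51.100.7 SUCCESS
2024-05-01T09:01:00 alice 203.0.113.10 FAIL
2024-05-01T09:01:02 bob 203.0.113.10 FAIL
2024-05-01T09:01:03 carol 203.0.113.10 SUCCESS
2024-05-01T09:01:05 dave 203.0.113.10 FAIL
2024-05-01T09:01:06 erin 203.0.113.10 FAIL
2024-05-01T09:01:08 frank 203.0.113.10 FAIL
2024-05-01T09:01:09 grace 203.0.113.10 FAIL
"""


def parse(log_text):
    """Parse log lines into (timestamp, user, ip, result) tuples."""
    events = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts, user, ip, result = line.split()
        events.append((datetime.fromisoformat(ts), user, ip, result))
    return events


def stuffing_sources(events, window=timedelta(minutes=5), min_users=5):
    """Return {ip: distinct_users} for every source IP that tried at least
    `min_users` different usernames inside any `window`-long interval.

    A legitimate user retrying one account never trips this; a replayed
    credential dump does, because each stolen pair has a different username.
    Both failures and successes count: the attacker's hit is still an attempt.
    """
    by_ip = defaultdict(list)
    for ts, user, ip, _ in sorted(events):
        by_ip[ip].append((ts, user))

    flagged = {}
    for ip, attempts in by_ip.items():
        peak = 0
        # Sliding window anchored at each attempt (attempts are time-sorted).
        for i, (start, _) in enumerate(attempts):
            users = {u for t, u in attempts[i:] if t - start <= window}
            peak = max(peak, len(users))
        if peak >= min_users:
            flagged[ip] = peak
    return flagged


def reused_credential_hits(events, flagged_ips):
    """Successful logins from a flagged source: the reused password 'matched'.

    These accounts should be treated as compromised (reset password, revoke
    sessions) regardless of whether the password itself looks strong.
    """
    return [
        (user, ip, ts.isoformat())
        for ts, user, ip, result in sorted(events)
        if result == "SUCCESS" and ip in flagged_ips
    ]


def analyze(log_text):
    """Run both checks and return (flagged_sources, compromised_logins)."""
    events = parse(log_text)
    flagged = stuffing_sources(events)
    return flagged, reused_credential_hits(events, flagged)


if __name__ == "__main__":
    flagged, hits = analyze(SAMPLE_LOG)
    for ip, n in flagged.items():
        print(f"credential-stuffing source {ip}: {n} distinct usernames tried")
    for user, ip, when in hits:
        print(f"probable reused-credential login: {user} from {ip} at {when}")
```

The distinct-username count is what separates a dump replay from ordinary failed logins: rate limiting on a single account does not see it, because each attempt targets a different account, so the check must pivot on the source address (or, behind a proxy, on a device or TLS fingerprint). In production the same logic runs as a scheduled query against the SIEM rather than over a string, and the `SUCCESS` hits feed directly into the account-lockout and password-reset workflow.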

How the attack happens

In theory, the credential reuse attack itself is simple, straightforward and surprisingly stealthy (if two-factor authentication isn’t activated). Once a user’s credentials are stolen, the culprit can try the same username and password on other consumer or banking websites until they get a match — hence the “reuse” in “credential reuse attack.”

However, gaining entry in the first place is a little more complicated. To get privileged information, attackers usually kick things off with a phishing attempt, using emails and websites that look close-to-legitimate to dupe users into handing over their credentials.

Attack Sources

This could be a targeted credential reuse attack, where the person knows the victim and wants access to their accounts for personal, professional or financial reasons. The attack could also originate from a complete stranger who bought the user’s personal information on the cybercrime underground.