Leaked credentials continue to haunt organizations and cybersecurity pros 

By Tammy Harper, Senior Threat Intelligence Researcher at Flare

Almost exactly a month before the holiday season, a story about a French hospital experiencing a cyber attack hit the news cycles. According to reports, the data breach that impacted 750,000 medical records arose not from the organization’s inability to patch systems or review configurations but from attackers using compromised credentials. Reports also indicated that a threat actor on the dark web was selling access to compromised systems that buyers could use to access sensitive information. 

Despite these organizations’ best efforts, someone – somewhere – had gained a list of credentials providing unauthorized access. Without realizing it, these healthcare organizations had placed their patients’ data in critical condition. 

However, this hospital is part of a larger, unfortunate club. According to IBM’s Cost of a Data Breach 2024, compromised credentials were the most prevalent attack vector, identified as the source for 16% of breaches, with those attacks accounting for an average of $4.81 million per breach. Even more disconcerting, these attacks took the longest to identify and contain, clocking in at 229 days before initial identification and an average of 63 days to contain for a total of 292 days. 

While organizations and their customers may be concerned about leaked credentials, they can implement risk mitigation strategies when they understand how the underground credential market works. 

Leaked Credentials: The What and Where

Leaked credentials continue to be a silent security killer, stealthily undermining an organization’s data protection strategies. In a world where businesses depend on web applications, corporate VPNs, email, and messaging platforms like Slack, people’s credentials have become a goldmine for corporate access.

Most often, credential leaks occur due to accidents or negligence. While mistakes happen, ensuring the proper policies are in place to mitigate these risks is part of a robust security practice. For example, leaving passwords or secrets, such as API keys, in plain text within source code and publishing it publicly on GitHub has been the source of numerous breaches. This exact scenario happened to Toyota in 2023 when hardcoded API keys were left in their public T-Connect GitHub repository, potentially exposing the data of nearly 300,000 users. Another common vector is reusing credentials that have been compromised in an earlier data breach, often because the person fails to realize they were part of the breach in the first place.
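The hardcoded-secret scenario above is the kind of thing a pre-commit or CI check catches before code reaches a public repository. The scanner below is an added example written for this article, not code from Flare or any of the organizations mentioned; the source snippet and key values it scans are constructed and fake, and the key-format patterns (AWS access key IDs starting with AKIA, GitHub tokens starting with ghp_) are used only as illustrations of high-signal prefixes.

```python
import math
import re

# Constructed sample source file; every value in it is fake.
SAMPLE_SOURCE = """\
import requests

API_BASE = "https://api.example.com/v1"
aws_access_key_id = "AKIAFAKEKEY000000000"
DEBUG = "false"
token = "ghp_" + load_from_env()
client_secret = "q7Zp2mX9vL4kR8wT1nB6yH3cJ5dF0gS2"
greeting = "hello world hello world"
"""

# Two complementary checks: well-known vendor key formats (high signal, low noise),
# and secret-looking variable names assigned a long, random-looking string literal.
KNOWN_PREFIXES = re.compile(r'\b(AKIA[0-9A-Z]{16}|ghp_[0-9A-Za-z]{36})\b')
ASSIGNMENT = re.compile(
    r'(?i)\b([a-z_]*(secret|token|password|passwd|api[_-]?key|access[_-]?key)[a-z_]*)'
    r'\s*[:=]\s*["\']([^"\']{16,})["\']')


def shannon_entropy(s: str) -> float:
    """Bits per character; random secrets score well above prose or placeholders."""
    counts = {c: s.count(c) for c in set(s)}
    return -sum(n / len(s) * math.log2(n / len(s)) for n in counts.values())


def find_hardcoded_secrets(source: str, min_entropy: float = 3.5) -> list:
    """Return (line_number, reason, identifier) for each suspicious line.

    Only the variable name or a short key prefix is reported, so the scanner's
    own output never re-leaks the secret into logs or CI consoles.
    """
    findings = []
    for lineno, line in enumerate(source.splitlines(), start=1):
        m = KNOWN_PREFIXES.search(line)
        if m:
            findings.append((lineno, "known-key-format", m.group(1)[:4] + "..."))
            continue
        m = ASSIGNMENT.search(line)
        if m and shannon_entropy(m.group(3)) >= min_entropy:
            findings.append((lineno, "high-entropy-secret", m.group(1)))
    return findings


if __name__ == "__main__":
    for finding in find_hardcoded_secrets(SAMPLE_SOURCE):
        print(finding)
```

Values built at runtime from the environment (line 6 of the sample) and low-entropy placeholders are intentionally not flagged, which keeps the check quiet enough to block commits on.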

Initial Access Brokers: The Who and How

Initial access brokers (IABs) are malicious actors who specialize in compromising systems and then selling their access on the dark web and across privacy-oriented platforms, often ones people already know how to use. Until Telegram’s recent willingness to cooperate with law enforcement, it was a popular platform for cybercriminals because it had many valuable free features. Since then, bad actors have started migrating to other platforms, like Signal, SimpleX, Matrix, and Session. 

People tend to think of initial access brokers when they picture cybercriminals on the dark web. These are the threat actors who spend their time, skill, and resources to exploit vulnerabilities, use automated tools to brute force weak passwords, and engage in social engineering, like phishing attacks. In 2023, MGM Resorts was targeted in this very fashion by members of Scattered Spider working in collaboration with ALPHV, a notorious ransomware gang. Scattered Spider called MGM’s IT Helpdesk using publicly available information about an employee found on LinkedIn.

Once inside a system, attackers target sensitive information, such as credentials, which can be sold to other cybercriminals. The value of this access typically ranges from hundreds to thousands of dollars, depending on factors like the organization’s size, reputation, revenue, security defenses, and geographic location.

Infostealer Logs: The Next Frontier

Over the past couple of years, infostealer malware has skyrocketed. When the pandemic hit, everyone moved to work-from-home setups. Corporate devices were no longer insulated by enterprise defenses but rather by residential antivirus, basic internet service provider hardware, and default configurations. This new way of working provided the perfect opportunity for the proliferation of infostealer malware. 

Infostealer malware is typically distributed via cracked software and games; bad actors are always getting creative with their distribution channels, and it is ever-changing. Once the malware has infected a system, it will quickly dump all the credentials on the device, especially any credentials stored and saved in browsers. It will take screenshots and list all software, accounts, cookies, crypto wallets, and virtually anything else on the device. It will then package everything nicely and upload the compromised data to infrastructure controlled by the threat actor. This can be Telegram, file servers accessible via The Onion Router (Tor), or even GitHub in some instances. Once the threat actors have your compromised details, they put them up for sale on private and public channels for others to leverage. The whole process can take minutes to hours. It can truly operate at ludicrous speeds.

Modern attacks are built on an entire underground business model, one very similar to legitimate models. While IABs are only one type of vendor and infostealer malware dominates the bulk of fresh stolen credential transactions today, they both have buyers willing to pay for access, whether those buyers are malicious actors interested in deploying ransomware or in perpetrating fraud. 

Three Helpful Risk Mitigation Steps

In the case of leaked credentials, the adage holds that an ounce of prevention is worth a pound of cure. For security teams, information and layered defenses are critical. The majority of cybercriminals, especially IABs, treat their activities as a business. They look for easy entryways into systems because the more time gaining access takes, the less return on investment they receive. 

1. Patch Vulnerabilities

Security vulnerabilities are the digital equivalent of leaving a backyard-facing window open. Just like burglars will scan a house’s perimeter, cybercriminals scan an organization’s digital attack surface. Common known vulnerabilities are listed publicly, and attackers know how to exploit them. The faster an organization can apply a security update to its devices and systems, the more time an attacker needs to gain access. The more time it takes, the fewer “dollars per hour” an IAB can make. Don’t be the low-hanging fruit. 

2. Enforce Multi-Factor Authentication (MFA)

MFA is the deadbolt on an organization’s digital doors. A deadbolt supports the main locks on the house. MFA supports the primary login credentials by requesting additional information, usually a code sent by text or from an authentication app. If cybercriminals purchase credentials and try to use them, then MFA sends a request to the user. Without the code to support authentication, the cybercriminal will either fail to gain access, require additional skills they may not have, or give up since the access is taking too long to obtain. 

3. Monitor Cybercriminal Chatter

Cybercriminals talk amongst themselves a lot. From dark web forums to communication apps, they are a digitally chatty bunch. Like a Facebook Marketplace posting, IAB posts typically include information about the access being sold, including industry verticals or even a company name. By monitoring these communications, security teams can often gain company-specific threat intelligence. For example, they might identify the company’s domain or a compromised corporate device listed on a dark web forum post. Knowing these credentials are available on cybercriminal listings enables security teams to proactively force a password change and implement more focused leaked-credential monitoring for a compromised account.
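The domain-matching step described above is simple to automate once a feed of leaked credential lines is in hand. The function below is an added example written for this article, not Flare's product or the hospital's tooling; the dump it processes is constructed in the common url:login:password layout seen in stealer logs and combolists, all values are fake, and the corporate domain acme-corp.example is an assumption. It reports which accounts need a forced reset without ever storing the leaked password itself, and it rejects look-alike hosts that merely contain the corporate name.

```python
from urllib.parse import urlsplit

# Constructed sample in url:login:password layout; every value is fake.
SAMPLE_DUMP = """\
https://vpn.acme-corp.example/login:jdoe@acme-corp.example:Summer2024!
https://mail.google.com/:jane.doe@gmail.com:hunter2
https://acme-corp.example.attacker.test/:jdoe:pw
https://sso.partner.test/:bob@ACME-CORP.example:Welcome1
https://vpn.acme-corp.example/login:jdoe@acme-corp.example:Summer2024!
garbage line without separators
"""


def _is_sub_of(host: str, domain: str) -> bool:
    """True for the domain itself or any subdomain; a look-alike prefix does not count."""
    return host == domain or host.endswith("." + domain)


def parse_line(line: str):
    """Split url:login:password from the right so the URL scheme's colon stays intact.

    A password containing ':' would still confuse this split; such lines are rare
    and would surface as an odd login value rather than a missed corporate hit.
    """
    parts = line.strip().rsplit(":", 2)
    if len(parts) != 3 or not parts[0]:
        return None
    return parts[0], parts[1], parts[2]


def match_corporate_exposure(dump: str, corporate_domains: set) -> list:
    """One de-duplicated finding per (login, host) pair that touches the company."""
    domains = {d.lower() for d in corporate_domains}
    seen, findings = set(), []
    for raw in dump.splitlines():
        parsed = parse_line(raw)
        if not parsed:
            continue
        url, login, _password = parsed  # the password is deliberately never kept
        host = (urlsplit(url).hostname or "").lower()
        login = login.lower()
        mail_domain = login.rsplit("@", 1)[1] if "@" in login else ""
        hit_host = any(_is_sub_of(host, d) for d in domains)
        hit_login = any(_is_sub_of(mail_domain, d) for d in domains)
        if not (hit_host or hit_login) or (login, host) in seen:
            continue
        seen.add((login, host))
        findings.append({"login": login, "host": host,
                         "reason": "corporate-host" if hit_host else "corporate-email",
                         "action": "force password reset; verify MFA enrollment"})
    return findings
```

A corporate e-mail address reused on a third-party site (the sso.partner.test line) is reported too, since that is exactly the credential-reuse vector the article describes.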

Disclosure: This article includes a client of an Espacio portfolio company.
