Leaked Credentials vs. Compromised Credentials

Analyzing Exposed SSO Credentials of Public Companies

What are leaked credentials?

Leaked credentials refer to sensitive login information—such as usernames, passwords, API keys, and other authentication data—that has been exposed, intentionally or unintentionally, to unauthorized parties. These credentials can be compromised through data breaches, accidental disclosures, malware infections, or other means, often resulting in significant security risks for individuals and organizations.

Leaked credentials are the dark web’s bestseller. Recent years have seen the worst cybersecurity attacks on record, with account takeover (ATO) attacks, including credential stuffing and phishing campaigns, constituting the number one cause of breaches. Unfortunately, even one compromised account can be enough to compromise an entire network. Shuman Ghosemajumder, a former Google click fraud expert, determined that attacks using leaked credentials can have up to a 2% login success rate. So phishing, like fishing, requires patience, a wide net, and good bait.

Account credentials can also be exfiltrated in bulk by cybercriminals through network breaches, brute force tactics, keylogging and man-in-the-middle attacks. Ultimately, these leaked credentials end up for sale on the dark web. Here is a recent price list: bank login credentials average $25, full credit card details can sell for $12–20, and enough sensitive information to steal a person's identity can be bought for $1,275.

What are compromised credentials?

Compromised credentials refer to login details that have been stolen, exposed, or otherwise obtained by threat actors and are actively being used for malicious purposes. While leaked credentials may refer to any exposed credentials—whether publicly available or not—compromised credentials specifically denote those that have been exploited or are at risk of exploitation. This distinction is important because a credential may be leaked without necessarily being compromised, but once attackers gain access and use them, they become compromised credentials.

Leaked credentials vs. Compromised credentials

Leaked credentials and compromised credentials are related but distinct concepts:

  • Leaked Credentials: Refer to any credentials that have been exposed, whether through data breaches, accidental disclosures, or misconfigurations. They may or may not be actively exploited by attackers.
  • Compromised Credentials: Specifically refer to credentials that have been obtained and used maliciously by attackers, leading to unauthorized access, fraud, or other security threats.

A leaked credential becomes a compromised credential once a threat actor gains access to and uses it. For this reason, organizations must take immediate action when credentials are leaked, such as forcing password resets, monitoring for suspicious activity, and implementing strong authentication controls.

How do leaked and compromised credentials happen?

Leaked credentials can originate from a variety of sources, including:

  • Data Breaches: When threat actors infiltrate an organization's database and steal user login details.
  • Phishing Attacks: Cybercriminals trick users into revealing their login credentials via fraudulent emails, websites, or social engineering tactics.
  • Malware and Keyloggers: Malicious software installed on a victim’s device can capture keystrokes or extract stored passwords from devices.
  • Misconfigurations & Cloud Exposures: Unsecured cloud storage, repositories, or public databases may accidentally expose credentials to the internet.
  • Dark Web and Underground Markets: Criminals may sell or share stolen credentials in hacker forums or on illicit marketplaces.
  • Credential Stuffing and Reuse: Attackers exploit users’ tendencies to reuse passwords across multiple sites, leveraging previously leaked credentials to access other accounts.
  • Insider Threats: Employees or contractors may leak credentials inadvertently, or intentionally for financial gain or personal revenge, leading to credential compromise.

Compromised credentials typically originate from the same sources as leaked credentials above, but with the added factor of active exploitation. Additional sources include:

  • Man-in-the-Middle (MITM) Attacks: Attackers intercept communication to capture credentials in transit.

What do attackers do with leaked or compromised credentials?

Once credentials are leaked, attackers use various techniques to exploit them:

  • Credential Stuffing Attacks: Automated scripts test stolen username-password combinations across multiple services.
  • Brute Force Attacks: Attackers attempt to guess weak or commonly used passwords.
  • Account Takeover (ATO): Cybercriminals use valid credentials to access personal or corporate accounts, often leading to financial fraud, data theft, or ransomware attacks.
  • Business Email Compromise (BEC): Stolen corporate email credentials can be used to conduct sophisticated social engineering scams.
  • Privilege Escalation: Attackers exploit compromised administrator credentials to gain deeper access within a network.
  • Lateral Movement: Once inside an organization, attackers leverage leaked credentials to move through internal systems undetected.

In addition to the above ways in which attackers exploit leaked credentials, cybercriminals use compromised credentials in other malicious ways, such as:

  • Data Theft and Exfiltration: Attackers use compromised accounts to steal sensitive data or intellectual property.
  • Ransomware Deployment: Stolen credentials can provide attackers with initial access to an organization, allowing them to install ransomware.

What is a credential stuffing attack?

Credential stuffing is the process of testing large sets of leaked credentials against targeted applications or web interfaces. Lists of thousands or millions of usernames/email addresses and the matching passwords (usually obtained from data breaches) are used to gain access to user accounts through large-scale automated login requests directed against a web application. Compromised credentials exfiltrated through these data breaches are used to build “dictionaries” or “combo lists,” which are then traded and sold on the dark web to be used for credential stuffing operations. A criminal simply automates the logins for a large number of leaked credential pairs using known web automation tools such as Selenium, cURL, PhantomJS or tools designed specifically for these types of attacks, such as Sentry MBA, SNIPR, STORM, Blackbullet and Openbullet. With companies getting breached on a regular basis, the lists of leaked credentials keep getting bigger.

Credential stuffing attacks are possible because many users have the habit of reusing the same username/password combination across multiple sites. With the 2% login success rate mentioned above, one million stolen credentials can take over 20,000 accounts, making this a highly profitable venture.
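The pattern described above has a defender-side signature: a single source cycling through many distinct usernames with a high failure ratio, where a real user retrying a forgotten password touches one account. The following detector is an added example, not code from the article or from Bitsight; the log line format, the thresholds and the sample log are constructed assumptions.

```python
"""Flag credential-stuffing patterns in authentication logs (added example)."""
import re
from collections import defaultdict

# Assumed log format: "<timestamp> ip=<addr> user=<name> result=<ok|fail>"
LINE_RE = re.compile(r"ip=(?P<ip>\S+)\s+user=(?P<user>\S+)\s+result=(?P<result>ok|fail)")

# Constructed sample: one source cycling through many users, one normal retry
SAMPLE_LOG = """\
2024-05-01T10:00:01 ip=203.0.113.7 user=alice result=fail
2024-05-01T10:00:02 ip=203.0.113.7 user=bob result=fail
2024-05-01T10:00:02 ip=203.0.113.7 user=carol result=fail
2024-05-01T10:00:03 ip=203.0.113.7 user=dave result=ok
2024-05-01T10:00:03 ip=203.0.113.7 user=erin result=fail
2024-05-01T10:00:04 ip=203.0.113.7 user=frank result=fail
2024-05-01T10:00:09 ip=198.51.100.4 user=alice result=fail
2024-05-01T10:00:15 ip=198.51.100.4 user=alice result=ok
"""

def parse_log(text):
    """Yield (ip, user, success) tuples; lines that do not match are skipped."""
    for line in text.splitlines():
        m = LINE_RE.search(line)
        if m:
            yield m["ip"], m["user"], m["result"] == "ok"

def detect_stuffing(text, min_users=5, min_fail_ratio=0.6):
    """Return {ip: stats} for sources whose behaviour looks like stuffing.

    Signal: many distinct usernames from one source plus a high failure ratio.
    Successful logins from a flagged source are the accounts to reset/review.
    """
    per_ip = defaultdict(lambda: {"users": set(), "attempts": 0, "failures": 0, "hits": set()})
    for ip, user, ok in parse_log(text):
        s = per_ip[ip]
        s["users"].add(user)
        s["attempts"] += 1
        if ok:
            s["hits"].add(user)
        else:
            s["failures"] += 1
    flagged = {}
    for ip, s in per_ip.items():
        ratio = s["failures"] / s["attempts"]
        if len(s["users"]) >= min_users and ratio >= min_fail_ratio:
            flagged[ip] = {"distinct_users": len(s["users"]),
                           "fail_ratio": round(ratio, 2),
                           "compromised": sorted(s["hits"])}
    return flagged

if __name__ == "__main__":
    for ip, info in detect_stuffing(SAMPLE_LOG).items():
        print(ip, info)
```

Thresholds should be tuned per application: shared NAT egress addresses raise the distinct-user count legitimately, so combine this with per-account velocity and geo checks before blocking.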

Where can you find leaked credentials?

Leaked credentials often surface in locations such as:

  • Pastebin and Other Public Forums: Attackers frequently dump credentials on text-sharing sites.
  • Dark Web Marketplaces: Stolen credentials are commonly sold on underground hacking forums.
  • Open-Source Repositories: Misconfigured GitHub, GitLab, or Bitbucket repositories may contain accidentally exposed credentials.
  • Corporate Data Breach Notifications: Security researchers or breach notification services (e.g., Have I Been Pwned) may detect exposed credentials.

What are the risks and threats of leaked credentials?

The exposure of credentials poses severe security risks, including:

  • Financial Fraud: Attackers use stolen credentials to access banking, e-commerce, or payment systems.
  • Corporate Espionage: Unauthorized access to sensitive business information can lead to competitive disadvantages.
  • Data Theft & Ransomware Deployment: Compromised accounts may be used to exfiltrate data or deploy ransomware.
  • Reputational Damage: Publicized credential leaks erode customer and stakeholder trust in an organization’s security.
  • Regulatory & Compliance Violations: Organizations may face legal penalties and fines under regulations like GDPR, HIPAA, or CCPA if they fail to protect credentials.

How to prevent leaked credentials

One way to protect against leaked credential exploitation is to use unique passwords for each account, such as those generated automatically by a password manager. Another is the implementation of multi-factor authentication in the login process, which asks employees to add extra steps to their usual logins and therefore depends on their patience and cooperation. Still, even these security protocols may not be enough to stop the leak. A more centralized solution is to receive automatic notifications on leaked employee and customer credentials through the Bitsight Investigative Portal. These automated alerts are fully customizable, warning you in real time of leaked organizational data, including OCR-extracted text from images to identify logos and designs.

Credential stuffing has become a popular weapon of choice for fraudsters. Millions of leaked credentials are easily discoverable and exploitable using bots and malicious automation. To overcome this type of attack, one must fight machine with machine, backed by superior threat intelligence for proactive defense. With cybercriminals weaponizing machine learning and artificial intelligence for malicious purposes, ensure that your cyber defense system is automated as well.

Preventing credential leaks requires a multi-layered security approach, including this comprehensive list:

  • Strong Password Policies: Enforce complex, unique passwords and encourage the use of password managers.
  • Multi-Factor Authentication (MFA): Require additional authentication methods beyond just a password.
  • Regular Security Audits: Continuously monitor for exposed credentials in the dark web and open repositories.
  • Zero Trust Framework: Implement least privilege access and continuous authentication checks.
  • Employee Training & Awareness: Educate employees on phishing, social engineering, and secure credential storage.
  • Automated Secrets Management: Use tools to detect and remove hardcoded credentials in code repositories.
  • Breach Notification Services: Subscribe to services that notify users if their credentials are found in breaches.
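The "Strong Password Policies" and "Breach Notification Services" items above can be combined at password-set time: reject any password that already appears in a breach corpus, without sending the password itself anywhere. The code below is an added example, not from the article or Bitsight; it follows the k-anonymity range query used by Have I Been Pwned's Pwned Passwords API (only the first five hex characters of the SHA-1 leave the host), with the network call replaced by a constructed offline stub.

```python
"""Breach-corpus password check via k-anonymity range query (added example)."""
import hashlib

# Constructed range response for prefix 5BAA6, one "SUFFIX:COUNT" per line.
# Real responses hold hundreds of suffixes; these counts are made up.
FAKE_RANGE_RESPONSE = """\
1D2F9A4E7B0C3D5E6F7A8B9C0D1E2F3A4B5:3
1E4C9B93F3F0682250B6CF8331B7EE68FD8:4000000
2A7B3C4D5E6F7A8B9C0D1E2F3A4B5C6D7E8:12
"""

def split_sha1(password):
    """Return (prefix, suffix) of the uppercase hex SHA-1; only the prefix is sent."""
    digest = hashlib.sha1(password.encode("utf-8")).hexdigest().upper()
    return digest[:5], digest[5:]

def parse_range(body):
    """Parse 'SUFFIX:COUNT' lines into a dict, ignoring malformed lines."""
    counts = {}
    for line in body.splitlines():
        suffix, sep, count = line.strip().partition(":")
        if sep and count.isdigit():
            counts[suffix] = int(count)
    return counts

def breach_count(password, fetch_range):
    """Times the password appeared in breaches; 0 means not in the range.

    fetch_range(prefix) returns the response body.  In production that is an
    HTTPS GET of https://api.pwnedpasswords.com/range/<prefix>; matching of
    the 35-character suffix happens locally, so the service never sees the hash.
    """
    prefix, suffix = split_sha1(password)
    return parse_range(fetch_range(prefix)).get(suffix, 0)

def stub_fetch(prefix):
    """Offline stand-in for the network call; knows only the constructed range."""
    return FAKE_RANGE_RESPONSE if prefix == "5BAA6" else ""

def is_acceptable(password, fetch_range=stub_fetch):
    """Policy hook: refuse any password seen in a breach at least once."""
    return breach_count(password, fetch_range) == 0

if __name__ == "__main__":
    for pw in ("password", "correct horse battery staple"):
        print(pw, "->", breach_count(pw, stub_fetch), "acceptable:", is_acceptable(pw))
```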

Leaked credentials remain a significant cybersecurity threat that can lead to unauthorized access, data breaches, and financial loss. By understanding how credentials become exposed and implementing proactive security measures, organizations and individuals can mitigate the risks associated with credential leaks. Cybersecurity professionals must stay vigilant, leveraging tools and best practices to detect and prevent the exploitation of leaked credentials before they lead to full-scale attacks.

Protecting from threats with Cyber Threat Intelligence

Bitsight delivers real-time threat intelligence from the dark web to help organizations stay ahead of cyber threats. With access to over 1,000 underground forums and marketplaces, it collects and analyzes more than 7 million intelligence items daily. Tracking 700+ APT groups, 4,000+ malware types, and 95 million threat actors, it provides security teams with rapid, context-rich insights. By enriching data with context, it enables proactive threat detection and mitigation within minutes of collection.

Bitsight’s cyber threat intelligence solution helps protect your supply chain from threats through:

  • Generative AI: Aimed at simplifying complex threat data, and drawing from comprehensive collection of real-time threat intelligence, Bitsight IQ delivers AI-generated analysis, high-quality finished reporting and 24/7 assistance.
  • Vulnerability intelligence: Dynamic Vulnerability Exploit (DVE) Intelligence is an end-to-end solution that spans the entire CVE lifecycle, streamlining vulnerability analysis, prioritization, management and remediation.
  • Identity intelligence: Discover and manage compromised identity credentials, typically originating from malware stealer logs, and set prioritization preferences to better safeguard priority assets and proactively remediate threats as they surface.
  • Attack surface intelligence: Continuously identify, classify, and monitor unknown networked assets to mitigate organizational risk. Leverage real-time asset discovery and context-rich threat intelligence across the deep, dark, and clear web for early threat detection.
  • Ransomware & malware intelligence: Gain comprehensive, real-time ransomware threat intelligence from OSINT and the clear, deep, and dark web, including insights into ransomware groups’ activities, TTPs, vulnerabilities, targeted sectors, and remediation strategies.
  • Brand & phishing intelligence: Detect real-time mentions of your brand across the cybercriminal underground. Receive early alerts regarding threat actor activity and discussions related to your company assets, products, management and credentials.
  • Threat Intelligence Services (DRPS): Elite Intelligence Services are tailored to meet the needs of your organization, delivering the insight you need to take action and reduce your threat exposure.

Stay Ahead with Proactive Threat Hunting

Arm your security team with the tools, techniques, and insights to uncover hidden threats. Learn to identify risks early and strengthen your defenses with actionable intelligence.