
Compromised Credential Attacks – Everything You Need to Know
Compromised credential attacks involve the use of stolen login information by malicious third parties to gain unauthorized access to online accounts. Credentials can be anything from usernames to passwords to personal identification or security questions.
Once a hacker has gained access to an application, account, or system via stolen credentials, they can mimic legitimate user behavior to steal sensitive personal or corporate information, install ransomware or malware, take over accounts, or simply steal money.
Because compromised credential attacks are perpetrated using legitimate information, they can be challenging to detect and prevent. However, there are ways to protect your data and your company from compromised credential attacks. You can deter hackers by using robust security protocols and strategies, maintaining a vigilant mindset, and installing effective fraud prevention software.
In this article, we’ll take an in-depth look into how cybercriminals conduct compromised credential attacks, how stolen credentials are used, and what you can do to prevent these types of cyber threats.
Key Takeaways
- Compromised credential attacks use stolen information to illegally gain access to accounts, applications, and systems.
- Compromised credentials are used in the majority of cyberattacks.
- Cybercriminals often use deceptive tactics like social engineering or phishing to obtain credentials.
- Lists of compromised credentials are also bought or traded by hackers on illegal dark web websites.
- There has been a 71% year-over-year increase in compromised credential attacks. [1]
- The average cost of a data breach by cybercriminals is US $4.45 million. [2]
- Poor password security practices are responsible for the majority of compromised credential attacks. [3]
- Implementing robust security protocols, educating staff on good password hygiene, and using dedicated fraud prevention software can help to protect your data from cybercriminals.
What Are Compromised Credential Attacks?
A compromised credential attack is where a cybercriminal uses illegally obtained information to impersonate a legitimate user. Once a hacker has their hands on stolen credentials, they can then use them to get access to systems, applications, or accounts.
Understanding how compromised credential attacks are conducted and implementing robust security measures can reduce the risk and impact of these types of cybercrimes.
Compromised credential attacks are often highly effective. Being verified with legitimate user credentials lets an attacker bypass many traditional security measures. A hacker can use stolen login credentials to get past a firewall, authenticate to an application programming interface (API), or sidestep intrusion detection systems.
Compromised credential attacks often take the form of credential stuffing. This is where hackers use leaked or stolen credentials and passwords to access multiple accounts and systems.
Since the attacker has been verified as a legitimate user, an attack can look like a normal login and remain undetected for some time. Since many people reuse the same password multiple times, attackers often use automated bots to gain access to numerous accounts. Proxy servers and Virtual Private Networks (VPNs) help attackers to hide their IP addresses and evade detection.
How Do Attackers Obtain Compromised Credentials?
In a typical brute force cyberattack, a hacker will use an automated program to try millions of combinations to crack a password. A compromised credential attack is much more subtle, harder to detect, and often much more effective than direct brute force attacks.
There are numerous ways that malicious third parties can obtain the credentials of legitimate users.
Dark Web Marketplaces
Cybercriminals can purchase cracked or leaked passwords via illegal marketplaces on the dark web where hackers sell information gained via credential harvesting from data breaches.
Keyloggers
Credentials can also be obtained via keyloggers. Keyloggers are a type of malware that records every keystroke made on a computer or mobile device. As a user inputs data into an endpoint, it is immediately transmitted to a malicious third party.
Ransomware
Ransomware is also often used to obtain credentials. Ransomware encrypts a victim’s files and demands a ransom payment in exchange for the decryption key. A legitimate user may be forced to divulge passwords or enter their credentials into a fake login page. Once the hackers have the credentials, they may then use them to burrow further into a system, demand money for their release, or sell them on the dark web.
Social Engineering
Social engineering techniques such as phishing are a highly effective means of illegally obtaining sensitive information. Phishing is a deceptive technique where a hacker will send seemingly legitimate messages asking for a user’s login information or credentials. A user may receive a phone call, message, or seemingly legitimate business emails that ask for credentials to verify their account for a security update or to prevent a data breach.
Somewhat ironically, a popular phishing technique is for a hacker to pretend to be a security consultant. The victim is told that their account has been hacked and that they need to provide their credentials to verify their identity. Of course, the attackers do nothing to secure the account. Instead, they steal the victim’s credentials to gain unauthorized access to their accounts and go on to cause huge amounts of damage.
What Are the Consequences of Compromised Credentials Attacks?
The costs and consequences for companies that have fallen victim to compromised credential attacks are severe. Attackers can use compromised credentials to access email accounts, networks, servers, websites, or any other type of digital asset. Since the attacker seems like a legitimate user, it is simple for them to penetrate security measures and difficult for them to be detected.
Hackers use compromised credentials to:
- Hold sensitive data for ransom
- Conduct account takeover attacks
- Conduct new account fraud
- Install malware
- Steal corporate data, such as customer email lists
- Transfer funds
- Purchase goods
- Commit loan fraud
- Disrupt normal business operations
A company that has been the victim of a compromised credential attack can incur large financial losses due not only to the theft of funds but also to the costs associated with mitigating the breach. Downtime caused by malicious hacker activity can result in a considerable loss of revenue.
A company may also face legal liabilities related to penalties for not securing personal information. Data breaches caused by compromised credential attacks can violate laws such as the General Data Protection Regulation (GDPR), the Health Insurance Portability and Accountability Act (HIPAA), and the California Consumer Privacy Act (CCPA).
The reputational damage that a compromised credential attack can cause is also significant. Customers and suppliers may refuse to do further business with a company that cannot keep their data secure. In many cases, a company finds that it is unable to recover from the damage done to its brand by a compromised credential attack.
A Typical Compromised Credential Attack Scenario
- A cybercriminal chooses a target based on the vulnerabilities they can exploit or the profit that may be gained.
- Login credentials are secured via social engineering, malware, or by purchasing a list of compromised credentials from the dark web.
- An automated tool is configured to input credentials in a manner that mimics legitimate human activity.
- The attack against the target is launched, usually via various VPNs to avoid detection.
- Hackers will monitor an attack closely to track successes and failures.
Recent Examples of Compromised Credential Attacks
Some recent examples prove that it doesn’t matter how big a company is or how strong its security measures are – any enterprise can fall victim to a compromised credential attack:
- In 2023, the genetics company 23andMe lost one million lines of data due to a credential stuffing attack.
- Login credentials for 35,000 PayPal users were compromised by hackers in December of 2022.
- 925,000 accounts from cybersecurity firm Norton LifeLock were targeted by a compromised credential attack in 2023.
- A hacker using stolen credentials was able to gain unauthorized access to the customer support system of identity services and authentication management provider Okta in 2023.
- Microsoft acknowledged that a coordinated credential stuffing attack had occurred on their systems from November 2023 to January 2024. The threat actor was identified as Midnight Blizzard, a Russian state-sponsored actor sometimes known under the name Nobelium.
- Duo, a multifactor authentication (MFA) company owned by the software and cybersecurity firm Cisco, came under a credential stuffing cyberattack in April of 2024. The message logs of over 40,000 customers were put at risk because of this attack.
How to Protect Your Data Against Compromised Credential Attacks
It may seem like there is nothing that can be done to prevent compromised credential attacks. While hackers can always exploit human fallibility to obtain credentials by deceit, there are measures that companies and individuals can take to protect themselves from this type of cybercrime.
Adopt Robust Password and Cybersecurity Measures
Implementing good security practices can greatly reduce the chances of an organization falling victim to a compromised credential attack. The focus should be on establishing a zero trust strategy.
Train in-house account users on the value of strong passwords and forbid reusing passwords on multiple accounts. Use a password manager to create and store strong passwords. Make sure staff are aware of common social engineering techniques used by hackers. Implement multifactor authentication (MFA) or two-factor authentication (2FA) processes for customers.
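The password-hygiene controls above (strong passwords, no reuse, awareness of leaked credentials) can be enforced at the point where a password is set. The following Python is an added example written for this article, not code from DataDome or any product it describes. It assumes a small constructed list of known-compromised passwords standing in for a breach corpus, a lookup modelled on the k-anonymity "range" style of breached-password services (only a SHA-1 prefix is sent, matching is done on the returned suffixes), and a per-user password history kept as salted PBKDF2 hashes so old passwords are never stored in the clear.

```python
"""Added example (not from the original article): accept or reject a new
password based on length, presence in a compromised-credential list, and
reuse of the user's own previous passwords."""
import hashlib
import hmac
import secrets

# Constructed sample of compromised passwords, stored as upper-case SHA-1 hex.
# In practice this set would be a breach corpus or a remote range lookup.
COMPROMISED_SHA1 = {
    hashlib.sha1(p.encode("utf-8")).hexdigest().upper()
    for p in ("password", "123456", "Password1234", "qwerty123456")
}


def range_lookup(prefix: str) -> set[str]:
    """Return the hash suffixes whose first five hex digits equal `prefix`.
    This mirrors a k-anonymity range query: the caller never reveals the
    full hash of the candidate password (assumed design, constructed data)."""
    return {h[5:] for h in COMPROMISED_SHA1 if h.startswith(prefix)}


def is_compromised(password: str) -> bool:
    digest = hashlib.sha1(password.encode("utf-8")).hexdigest().upper()
    prefix, suffix = digest[:5], digest[5:]
    return suffix in range_lookup(prefix)


def _derive(password: str, salt: bytes) -> bytes:
    # Slow salted hash so a stolen history cannot be reversed cheaply.
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, 100_000)


class PasswordHistory:
    """Keeps the last `keep` password hashes for one user to block reuse."""

    def __init__(self, keep: int = 5) -> None:
        self.keep = keep
        self._entries: list[tuple[bytes, bytes]] = []  # (salt, derived hash)

    def matches(self, password: str) -> bool:
        return any(
            hmac.compare_digest(_derive(password, salt), stored)
            for salt, stored in self._entries
        )

    def add(self, password: str) -> None:
        salt = secrets.token_bytes(16)
        self._entries.append((salt, _derive(password, salt)))
        self._entries = self._entries[-self.keep:]


def evaluate_password(password: str, history: PasswordHistory,
                      min_length: int = 12) -> tuple[bool, str]:
    """Return (accepted, reason). Checks are ordered cheapest first."""
    if len(password) < min_length:
        return False, "too short"
    if is_compromised(password):
        return False, "appears in compromised-credential list"
    if history.matches(password):
        return False, "reused previous password"
    return True, "ok"


if __name__ == "__main__":
    hist = PasswordHistory()
    for candidate in ("short", "Password1234", "correct-horse-battery-9"):
        ok, why = evaluate_password(candidate, hist)
        print(f"{candidate!r}: {'accepted' if ok else 'rejected'} ({why})")
        if ok:
            hist.add(candidate)
    print(evaluate_password("correct-horse-battery-9", hist))
```

The compromised-list check runs on the candidate before it is ever stored, so a user who picks a leaked password is turned away at registration or reset time rather than discovered later in a stuffing attempt. The history keeps only salted slow hashes, which is the same reason a production system should never keep a plaintext or fast-hash record of old passwords.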
Quickly Identify Compromised Accounts
Identifying whether an account has been compromised isn’t an easy task. Be vigilant for unusual login patterns, such as an account suddenly being used from IP addresses in unusual geographic locations. Monitor usage and look for any deviations from normal user behavior, such as accessing atypical resources or performing unusual actions like making large transactions or purchases. If a user suddenly starts changing multiple email addresses or passwords, this can also be an indication that the account has been compromised. The sooner a compromised account can be identified, the sooner you can take action.
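Two of the signals described in this article can be expressed as simple rules over authentication logs: the credential-stuffing pattern from the "What Are Compromised Credential Attacks?" section (one source trying many different accounts with mostly failed logins) and the per-account indicators just listed (a successful login from a country never seen for that account, and a burst of email or password changes). The Python below is an added example, not code from DataDome's product or the original article. The log format and every event in it are constructed for the example; the thresholds (five distinct accounts within five minutes at a 60% failure rate, two profile changes within ten minutes) are assumptions a real deployment would tune.

```python
"""Added example (not from the original article): detection rules for
credential stuffing and compromised-account behaviour over constructed
login log lines, plus the list of accounts that need a forced reset."""
from collections import defaultdict
from datetime import datetime, timedelta, timezone

# Constructed sample log. Fields: timestamp user ip country event result.
SAMPLE_LOG = """\
2024-04-02T08:50:00Z user=dave ip=198.51.100.9 country=US event=login result=ok
2024-04-02T09:00:00Z user=alice ip=198.51.100.7 country=US event=login result=ok
2024-04-02T09:05:00Z user=bob ip=198.51.100.8 country=US event=login result=ok
2024-04-02T10:00:01Z user=alice ip=203.0.113.10 country=RU event=login result=fail
2024-04-02T10:00:02Z user=bob ip=203.0.113.10 country=RU event=login result=fail
2024-04-02T10:00:03Z user=carol ip=203.0.113.10 country=RU event=login result=fail
2024-04-02T10:00:04Z user=dave ip=203.0.113.10 country=RU event=login result=ok
2024-04-02T10:00:05Z user=erin ip=203.0.113.10 country=RU event=login result=fail
2024-04-02T10:00:06Z user=frank ip=203.0.113.10 country=RU event=login result=fail
2024-04-02T10:01:00Z user=dave ip=203.0.113.10 country=RU event=email_change result=ok
2024-04-02T10:01:30Z user=dave ip=203.0.113.10 country=RU event=password_change result=ok
2024-04-02T11:00:00Z user=alice ip=198.51.100.7 country=US event=login result=ok
"""


def parse_line(line: str) -> dict:
    """Parse one 'timestamp key=value ...' line into a dict with a tz-aware ts."""
    ts_str, rest = line.split(" ", 1)
    fields = dict(kv.split("=", 1) for kv in rest.split())
    fields["ts"] = datetime.strptime(ts_str, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    return fields


def parse_log(text: str) -> list[dict]:
    return [parse_line(l) for l in text.splitlines() if l.strip()]


def detect_stuffing_ips(events, window=timedelta(minutes=5),
                        min_users=5, min_fail_rate=0.6) -> dict:
    """Flag source IPs that try many distinct accounts in a short window with a
    high failure rate. A stuffing run is flagged even when one guess succeeds,
    and the successful accounts are reported so they can be reset."""
    by_ip = defaultdict(list)
    for e in events:
        if e["event"] == "login":
            by_ip[e["ip"]].append(e)
    flagged = {}
    for ip, attempts in by_ip.items():
        attempts.sort(key=lambda e: e["ts"])
        for i, start in enumerate(attempts):            # sliding window per start
            in_win = [e for e in attempts[i:] if e["ts"] - start["ts"] <= window]
            users = {e["user"] for e in in_win}
            fails = sum(1 for e in in_win if e["result"] == "fail")
            if len(users) >= min_users and fails / len(in_win) >= min_fail_rate:
                flagged[ip] = {
                    "distinct_users": len(users),
                    "failure_rate": round(fails / len(in_win), 2),
                    "successes": sorted({e["user"] for e in in_win if e["result"] == "ok"}),
                }
                break
    return flagged


def detect_account_anomalies(events, change_window=timedelta(minutes=10),
                             min_changes=2) -> dict:
    """Per-account rules: a successful login from a country not in that
    account's own history, and a burst of email/password changes."""
    seen_countries = defaultdict(set)
    changes = defaultdict(list)
    findings = defaultdict(list)
    for e in sorted(events, key=lambda e: e["ts"]):
        user = e["user"]
        if e["event"] == "login" and e["result"] == "ok":
            known = seen_countries[user]
            if known and e["country"] not in known:
                findings[user].append(
                    f"login from new country {e['country']} (known: {sorted(known)})")
            known.add(e["country"])
        elif e["event"] in ("email_change", "password_change") and e["result"] == "ok":
            changes[user].append(e["ts"])
            recent = [t for t in changes[user] if e["ts"] - t <= change_window]
            if len(recent) >= min_changes and "rapid profile changes" not in findings[user]:
                findings[user].append("rapid profile changes")
    return dict(findings)


def accounts_to_lock(events) -> list[str]:
    """Accounts that should get an immediate password reset and session
    revocation: successes from a flagged IP plus any account with anomalies."""
    stuffing = detect_stuffing_ips(events)
    anomalies = detect_account_anomalies(events)
    users = set(anomalies)
    for info in stuffing.values():
        users.update(info["successes"])
    return sorted(users)


if __name__ == "__main__":
    evs = parse_log(SAMPLE_LOG)
    print("stuffing sources:", detect_stuffing_ips(evs))
    print("account anomalies:", detect_account_anomalies(evs))
    print("reset + revoke sessions for:", accounts_to_lock(evs))
```

Run on the sample, the IP rule catches the burst of six different accounts from one address, and the per-account rules catch the one account that the burst got into (new country, then two profile changes within a minute), which is the account the response step should reset. Note that the successful login alone would pass a plain failed-login threshold; it is the combination of many distinct usernames from one source and the account's own baseline that exposes it.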
A dedicated solution like DataDome is the ideal way to monitor your accounts for suspicious behavior and credential stuffing. With DataDome, all traffic is continuously monitored, and usage patterns are continuously analyzed for anomalies. Using cutting-edge machine learning and artificial intelligence (AI) algorithms, DataDome acts to automatically protect your systems from credential-stuffing bots.
Stop Compromised Account Activity Immediately
If a bot protection software solution like DataDome alerts you to a compromised account you must take action to lock the hackers out immediately. Reset user passwords right away to block hackers from accessing accounts and further penetrating your networks. DataDome can run behavior analytics software and produce a data breach investigations report to alert you to any other compromised accounts and vulnerabilities.
To discover just how DataDome can prevent credential stuffing activities, book a free online demonstration today.
FAQs
What is a credential-based attack?
A credential-based attack is a cyberattack where a hacker gains unauthorized access to systems or networks by using stolen or compromised login credentials, such as usernames and passwords. Compromised credential attacks often bypass traditional security measures and allow the attacker to operate with legitimate access permissions.
Why are compromised credential attacks hard to detect?
Since the attacker is using valid credentials, their activity can appear to be legitimate. Sophisticated hackers often mimic the normal behavior of a legitimate user, which complicates the detection process.
What does it mean if your account is compromised?
A compromised account can result in unauthorized transactions, data breaches, and potential misuse of corporate or personal information.
What is credential theft?
Credential theft is the act of stealing or illegitimately acquiring login credentials, such as usernames and passwords. Cybercriminals often obtain credentials through methods like phishing, keylogging, or via data breaches.
What can you do to prevent compromised credential attacks?
Always make sure to use a strong password. Never use the same password for more than one account. Never write down or divulge your passwords to anyone. Using a reputable, proven fraud detection software solution such as DataDome will help to protect your accounts from compromised credential attacks.
Sources
[1] https://www.ibm.com/reports/threat-intelligence
[2] https://www.ibm.com/reports/data-breach
[3] https://www.forbes.com/advisor/business/software/american-password-habits/
https://www.documentcloud.org/documents/23578067-paypal-notice?responsive=1&title=1
https://therecord.media/norton-lifelock-says-925000-accounts-targeted-by-credential-stuffing-attacks
https://therecord.media/cisco-duo-data-breach-mfa-telephony-provider
*** This is a Security Bloggers Network syndicated blog from DataDome authored by DataDome. Read the original post at: https://datadome.co/guides/credential/compromised-attacks/