The Hidden Threat to Your Business: Credential Leaks and How to Defend Against Them
As an organization operating in sectors like retail, healthcare, professional services, or financial services, you understand the importance of IT in your operations. IT may not be your primary focus, but it plays a vital role in ensuring operational efficiency, security, and compliance with industry standards. However, managing IT services can be complex and time-consuming, leading to concerns about IT management, cybersecurity threats, downtime, operational inefficiencies, and potential costs of non-compliance.
One of the most substantial and underappreciated risk vectors for corporate information security teams is infostealer malware. Infostealers infect computers, steal credentials saved in the browser, including active session cookies, and export them back to command and control infrastructure. This can lead to data breaches and the distribution of ransomware.
However, infostealers are not the only credential threat. Leaked credentials from traditional sources are still a prominent risk. With most users reusing passwords across multiple applications, threat actors can brute force their way into SaaS and on-premise applications, posing a significant risk to organizations.
At Flare, we monitor over forty million stealer logs and more than 14 billion leaked credentials found on the dark web. This unique perspective allows us to understand how threat actors acquire, distribute, and use leaked credentials.
Types of Leaked Credentials
To better understand leaked credentials, it is helpful to categorize them based on the method of leakage and the risk they pose to the organization. Security professional Jason Haddix pioneered this approach to communicate the risks associated with credential leaks.
Tier 1 Leaked Credentials
Tier 1 leaked credentials result from breaches of third-party applications or services. Attackers breach these services, steal user credentials, and leak them onto the dark web. This poses a risk as users often reuse passwords across various services, allowing threat actors to brute force their way into other applications. Organizations can defend against tier 1 leaked credentials by monitoring leaked credentials databases, requiring routine password resets, and employing password managers with randomized passwords.
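One concrete way to "monitor leaked credentials databases" at the point where a password is chosen is a k-anonymity range check, the scheme used by Have I Been Pwned's Pwned Passwords service: the client hashes the candidate password with SHA-1, sends only the first five hex characters of the hash, receives every known leaked hash suffix under that prefix with a breach count, and does the final match locally, so the full hash never leaves the organization. The block below is an added example written for this post, not Flare's code or a Flare API; the breach corpus and the range lookup are constructed in-process so it runs offline.

```python
import hashlib
from collections import defaultdict

# Constructed breach corpus: (password, number of times seen in leaks).
# Entirely made up for this example; not real breach data.
CONSTRUCTED_LEAKS = [
    ("password", 3730471),
    ("Summer2023!", 1427),
    ("letmein", 256781),
    ("correcthorsebatterystaple", 12),
]


def sha1_hex(password: str) -> str:
    """Uppercase hex SHA-1 of the password, the key used by range-query services."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest().upper()


def build_range_index(leaks):
    """Index the corpus the way a range-query server does: prefix -> {suffix: count}."""
    index = defaultdict(dict)
    for pw, count in leaks:
        h = sha1_hex(pw)
        index[h[:5]][h[5:]] = count
    return index


RANGE_INDEX = build_range_index(CONSTRUCTED_LEAKS)


def query_prefix_for(password: str) -> str:
    """The only value that ever leaves the client: the first 5 hex chars of the hash."""
    return sha1_hex(password)[:5]


def fetch_range(prefix: str) -> str:
    """Simulated server side (stands in for the real HTTPS range endpoint).
    Returns one 'SUFFIX:COUNT' line per leaked hash sharing this 5-char prefix."""
    if len(prefix) != 5:
        raise ValueError("range queries take exactly a 5-character hash prefix")
    rows = RANGE_INDEX.get(prefix, {})
    return "\n".join(f"{suffix}:{count}" for suffix, count in rows.items())


def leaked_count(password: str) -> int:
    """k-anonymity check: send the prefix, match the remaining 35 chars locally."""
    h = sha1_hex(password)
    prefix, suffix = h[:5], h[5:]
    for line in fetch_range(prefix).splitlines():
        if not line.strip():
            continue
        candidate, count = line.split(":", 1)
        if candidate == suffix:
            return int(count)
    return 0


def password_is_acceptable(password: str, max_seen: int = 0) -> bool:
    """Policy hook for a password-change flow: reject anything seen in breach
    data more than max_seen times (a value of 0 rejects any known-leaked password)."""
    return leaked_count(password) <= max_seen


if __name__ == "__main__":
    for pw in ("password", "Summer2023!", "a-long-random-passphrase-9x"):
        print(pw, "->", leaked_count(pw), "acceptable:", password_is_acceptable(pw))
```

Wiring `password_is_acceptable` into a password-reset or SSO enrollment flow turns the routine reset the post recommends into a check that actually blocks reused, already-leaked passwords; because only the prefix is transmitted, the check can be pointed at an external service without disclosing the password hash itself.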
The Special Case of Combolists
Combolists consist of credential pairs organized by service or geography. These credentials, sourced from previous breaches or stealer logs, are used by cybercriminals in combination with brute forcing tools. The sheer number of credentials acquired through combolists, combined with password reuse, makes them a significant attack vector.
Tier 2 Leaked Credentials
Tier 2 leaked credentials are harvested directly from users through infostealer malware. These credentials pose an increased risk because a single stealer log contains every credential saved in the user’s browser. Threat actors can exploit this information to socially engineer victims, bypass secret questions, and impersonate users. Organizations should limit the session time-to-live (TTL) for corporate applications and promptly investigate the distribution of fresh stealer logs containing active session cookies.
Tier 3 Leaked Credentials
Tier 3 leaks also come from stealer logs but pose extreme risk to organizations. Fresh stealer logs often contain active session cookies that threat actors can use for session hijacking attacks. Finding a fresh stealer log with corporate credentials should trigger an incident investigation to mitigate the risk of unauthorized access to corporate resources.
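When a fresh stealer log surfaces, the first question for the incident investigation the Tier 2 and Tier 3 sections call for is which corporate sessions in it are still usable and therefore need to be revoked. The block below is an added example, not Flare's tooling: it parses a cookie export in the tab-separated Netscape cookies.txt layout (the format curl and wget write and many browser exports use), keeps only cookies scoped to an assumed corporate domain (`example-corp.com`), drops cookies that have already expired as of a fixed triage timestamp, and reports which live cookies exceed an assumed session TTL policy. The sample export is constructed; the cookie values are placeholders.

```python
from dataclasses import dataclass
from typing import Iterable, List

# Assumed corporate domain(s) to triage for; any other domain is out of scope.
CORPORATE_DOMAINS = {"example-corp.com"}

# Constructed stealer-log cookie export in Netscape cookies.txt layout.
# Tab-separated fields: domain, include_subdomains, path, secure,
# expiry (unix seconds; 0 = session cookie), name, value. Values are placeholders.
SAMPLE_COOKIE_EXPORT = (
    "# Netscape HTTP Cookie File\n"
    ".example-corp.com\tTRUE\t/\tTRUE\t1893456000\tSESSIONID\tconstructed-value-1\n"
    "sso.example-corp.com\tFALSE\t/\tTRUE\t1700000000\tauth_token\tconstructed-expired\n"
    ".social.example\tTRUE\t/\tTRUE\t1893456000\tsid\tconstructed-personal\n"
    "mail.example-corp.com\tFALSE\t/\tTRUE\t0\twsession\tconstructed-value-2\n"
    "garbage line without enough fields\n"
)

# Fixed triage time so the example is deterministic: 2027-01-15T06:40:00Z.
AS_OF = 1800000000
# Assumed policy: corporate sessions should not outlive 8 hours.
MAX_SESSION_TTL = 8 * 3600


@dataclass
class Cookie:
    domain: str
    include_subdomains: bool
    path: str
    secure: bool
    expiry: int
    name: str
    value: str


def parse_cookie_export(text: str) -> List[Cookie]:
    """Parse Netscape-format lines; skip comments and malformed rows instead of
    crashing, since a recovered log is untrusted input."""
    cookies = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split("\t")
        if len(parts) != 7:
            continue
        domain, subs, path, secure, expiry, name, value = parts
        try:
            expiry_int = int(expiry)
        except ValueError:
            continue
        cookies.append(Cookie(domain, subs == "TRUE", path, secure == "TRUE",
                              expiry_int, name, value))
    return cookies


def is_corporate(domain: str, corporate_domains: Iterable[str]) -> bool:
    """Match the cookie domain (leading dot stripped) against corporate domains."""
    d = domain.lstrip(".").lower()
    return any(d == c or d.endswith("." + c) for c in corporate_domains)


def triage(cookies: List[Cookie], corporate_domains, as_of: int, max_ttl: int):
    """Return corporate cookies still usable at `as_of`, each tagged with a status
    and whether its remaining lifetime exceeds the session TTL policy."""
    findings = []
    for c in cookies:
        if not is_corporate(c.domain, corporate_domains):
            continue
        if c.expiry == 0:
            # Browser-session cookie: no expiry on disk, alive until the browser
            # closes, so it must be treated as live and revoked server-side.
            findings.append({"name": c.name, "domain": c.domain,
                             "status": "session-cookie", "exceeds_policy": True})
            continue
        if c.expiry <= as_of:
            continue  # already expired; nothing to revoke
        remaining = c.expiry - as_of
        findings.append({"name": c.name, "domain": c.domain,
                         "status": f"live for {remaining // 86400} more days",
                         "exceeds_policy": remaining > max_ttl})
    return findings


def triage_sample():
    return triage(parse_cookie_export(SAMPLE_COOKIE_EXPORT),
                  CORPORATE_DOMAINS, AS_OF, MAX_SESSION_TTL)


if __name__ == "__main__":
    for f in triage_sample():
        print(f)
```

Every cookie `triage` returns is a session the identity provider or application should invalidate server-side; the `exceeds_policy` flag doubles as an audit of whether the application is issuing sessions longer than the TTL the organization intends, which is the configuration fix the Tier 2 section recommends.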
Multi-Factor Authentication isn’t a Silver Bullet
Many organizations rely on multi-factor authentication (MFA) to protect against stolen credentials. However, threat actors have sophisticated techniques to bypass MFA controls, such as social engineering, using 2FA bots, or SIM-swapping. Authenticator apps with rotating temporary codes offer better protection against these attacks.
Worried about Credentials? Flare Can Help
At Flare, we monitor billions of leaked credentials and provide robust detection for leaked employee credentials. Our platform can be set up in just 30 minutes, giving you peace of mind and helping you defend against credential threats.