Credential theft: How your organization’s credentials get compromised and what to do about it
Joseph Carson
What’s easier: loudly destroying a bank’s vault door or using valid access credentials to enter undetected?
Every day, millions of people rely on credentials such as usernames, passwords, and other authentication factors to access critical services at work. Those enterprise credentials, however, are under constant threat from criminals who seek to exploit them for malicious gain.
Just like in a bank heist movie (but with real, sometimes devastating consequences), cyberattackers no longer break in: they log in with stolen, valid credentials. As a result, credential theft often leads to business disruption, significant costs, and reputational damage.
In this blog, you’ll learn the intricacies of credential compromise, explore real-world examples, and gain practical tips to enhance your organization’s security posture.
What are credentials?
Credentials can be either human or machine. Human credentials refer to authentication factors that are unique to individual users, such as passwords, biometric data (e.g., fingerprints, facial features), or physical tokens (e.g., smart cards). Machine credentials, on the other hand, are used to authenticate devices, services, or applications rather than individual users.
Examples of machine credentials include API keys, digital certificates, or OAuth tokens used for machine-to-machine communication. Machine credentials are typically generated and managed programmatically and are used to establish trust between different systems or components within a network.
Credential theft: How do credentials get stolen?
Credential theft attacks don't have to be complex to be successful, especially if users don’t practice good cyber hygiene like storing credentials securely and keeping them private. Credential compromise occurs when unauthorized parties gain access to authentication details through various nefarious methods, including:
- Social engineering. Attackers have become experts at tricking employees into divulging confidential information through psychological manipulation. In a common example, an attacker would call a company’s helpdesk pretending to be a high-ranking executive, requesting a password reset for their account.
- Phishing. In a type of social engineering attack, criminals may send deceptive emails or create fake websites that mimic legitimate services to trick users into entering their credentials. For example, an email like the one below may appear to be from a user's bank, asking them to verify their account by clicking a link and entering their login details.
- Spear phishing. A more targeted form of phishing, this technique involves sending personalized messages to specific targets. For example, an email that appears to be from a colleague or a known business partner (perhaps your CEO) will ask for login credentials.
- Malware. Malicious software can capture credentials in several ways, such as keylogging to record keystrokes, screen capture, or stealing passwords saved in the browser.
- Brute-force attacks. Credential stuffing is one type of brute-force attack in which attackers use automated tools to try stolen username-password pairs at scale, exploiting users' tendency to reuse passwords across different platforms. In another type of brute-force attack known as password spraying, attackers try a small set of commonly used passwords (like "123456" or "password") across many accounts.
- Attacker-in-the-Middle (AitM) attacks. These attacks intercept communication between a user and a service to capture login credentials; for example, an attacker may set up a fake Wi-Fi hotspot in a public place.
- Replay attacks. This credential theft technique involves intercepting a valid data transmission and retransmitting it to gain unauthorized access; for example, an attacker captures an authentication token and replays it to the service.
- OAuth phishing. An attacker may exploit OAuth, a standard for authorization, to trick users into granting permissions to malicious applications. For example, a fake app would request OAuth permissions to access a user’s email account, subsequently stealing credentials or sensitive data.
- SIM swapping. Attackers may take control of a victim’s phone number to intercept SMS-based two-factor authentication (2FA) codes. In this case, an attacker would convince the victim's mobile carrier to transfer the victim’s phone number to a SIM card controlled by the attacker, allowing them to receive 2FA codes sent via SMS.
- Fake mobile apps. Counterfeit mobile applications can easily mimic legitimate ones, convincing a user to log in so the criminal can steal their credentials.
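The replay attack above works because a captured authentication message stays valid for as long as the service will accept it. The following Python snippet is an added example (not code from the original post or from any product it mentions) of the usual defensive pattern: the client binds each request to a timestamp and a single-use nonce under an HMAC, and the server rejects stale timestamps and any nonce it has already seen. The shared key, the message format and the fixed clock values are constructed for the demonstration.

```python
import hashlib
import hmac
import os
import time

# Constructed key for the example; a real deployment provisions per-client keys from a vault.
SHARED_KEY = b"constructed-demo-key-not-for-production"
MAX_SKEW_SECONDS = 300  # how far a message timestamp may drift from the server clock


def _mac(key, ts, nonce, body):
    # The MAC covers timestamp, nonce and body together, so none can be swapped independently.
    return hmac.new(key, f"{ts}\n{nonce}\n{body}".encode(), hashlib.sha256).hexdigest()


def sign_request(key, body, now=None, nonce=None):
    """Client side: attach a timestamp, a single-use nonce and a MAC over all three."""
    ts = str(int(now if now is not None else time.time()))
    nonce = nonce or os.urandom(16).hex()
    return {"ts": ts, "nonce": nonce, "body": body, "mac": _mac(key, ts, nonce, body)}


class ReplayGuard:
    """Server side: accept each signed message at most once within the timestamp window."""

    def __init__(self, key, max_skew=MAX_SKEW_SECONDS):
        self.key = key
        self.max_skew = max_skew
        self.seen = {}  # nonce -> time after which the nonce can safely be forgotten

    def verify(self, msg, now=None):
        now = now if now is not None else time.time()
        # 1. Authenticity first: constant-time compare against a freshly computed MAC.
        expected = _mac(self.key, msg["ts"], msg["nonce"], msg["body"])
        if not hmac.compare_digest(expected, msg["mac"]):
            return False, "bad mac"
        # 2. Freshness: bound how long a captured message is usable at all.
        try:
            ts = int(msg["ts"])
        except (ValueError, TypeError):
            return False, "bad timestamp"
        if abs(now - ts) > self.max_skew:
            return False, "stale"
        # 3. Uniqueness: drop nonces whose messages would now fail the freshness check anyway,
        #    then reject any nonce that is still remembered.
        self.seen = {n: exp for n, exp in self.seen.items() if exp >= now}
        if msg["nonce"] in self.seen:
            return False, "replayed"
        self.seen[msg["nonce"]] = ts + self.max_skew
        return True, "ok"


def demo():
    """Walk through a delivery, a replay, a tampered copy and a late replay (constructed clock)."""
    guard = ReplayGuard(SHARED_KEY)
    t0 = 1_700_000_000
    msg = sign_request(SHARED_KEY, '{"action":"transfer","amount":100}', now=t0)
    results = [guard.verify(msg, now=t0 + 1)[1]]             # legitimate first delivery
    results.append(guard.verify(msg, now=t0 + 2)[1])         # same capture sent again
    tampered = dict(msg, body='{"action":"transfer","amount":9999}')
    results.append(guard.verify(tampered, now=t0 + 3)[1])    # capture with edited body
    results.append(guard.verify(msg, now=t0 + 3600)[1])      # replay long after the window
    return results  # ['ok', 'replayed', 'bad mac', 'stale']


if __name__ == "__main__":
    print(demo())
```

The nonce store only has to remember a nonce for one skew window, because anything older is rejected by the timestamp check; in a multi-node service that store must be shared (for example a cache with TTL), or each node would accept the same replay once.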
Which credential compromises do IT and security leaders worry about most?
In our recent global survey, we asked 1,800 IT and security decision-makers around the world about their cybersecurity concerns. Virtually all (97%) worried about credential theft.
Respondents were most likely to worry about credential-stealing malware, data breaches, and phishing/social engineering. Misconfigurations and poor password hygiene were at the bottom of the list, which raises the question: Have organizations resolved weak password and configuration issues, or are they just not paying attention to them?
What new trends and threats in credential theft should organizations be aware of?
Credential theft shows no signs of slowing. According to the Verizon 2024 Data Breach Investigations Report, stolen credentials remain the primary way breaches are initiated. It’s the top action in 24% of all cases.
No discussion of emerging credential compromise trends, or any cybersecurity trend for that matter, would be complete without mentioning artificial intelligence. AI has made brute-force password attacks accessible to even inexperienced cybercriminals, who can create and run scripts at scale and generate copy and designs for phishing emails that are harder for users to detect.
Another emerging area of concern for credential theft is the use of open-source code repositories. Credential exposure on GitHub, the world's most popular code hosting and collaboration platform, has increased since 2020. According to GitGuardian, “GitHub users accidentally exposed 12.8 million authentication and sensitive secrets in over 3 million public repositories during 2023, with the vast majority remaining valid after five days.”
These exposed credentials included account passwords, API keys, TLS/SSL certificates, encryption keys, cloud service credentials, and OAuth tokens. With these credentials in hand, external actors could have unlimited access to private resources and services, with negative consequences for users and businesses.
How to prevent credential theft
Understanding methods and techniques used by cyber attackers can help you reduce risk. To protect your organization from credential theft, adopt a comprehensive identity security strategy that includes the following best practices:
1. Implement strong password policies
Require complex, unique passwords for each user account and machine identity and enforce regular password changes.
2. Manage credentials with a secure vault
Enterprise password vaults and Privileged Access Management solutions automate the process of complex password creation, rotation, and expiration. To access privileged accounts and log into enterprise tools, users must check out credentials from a central, encrypted vault. Because credentials are managed automatically, users don’t even need to see credentials, which reduces the likelihood of sharing and the risk of credential misuse or theft.
3. Build security awareness
Conduct ongoing training sessions to educate employees about the latest phishing tactics and social engineering schemes so they can recognize and avoid them.
4. Avoid hardcoding credentials
Never embed credentials in code as part of your software development process.
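The GitGuardian figures quoted earlier and this rule are two sides of the same control: secrets must not sit in the repository, and something should catch them before a commit lands if they do. The Python below is an added example, not code from the original post or from any scanning product; its detection rules (the `AKIA` access key ID prefix, the `ghp_` token prefix, PEM private-key headers and quoted values assigned to secret-looking names) are assumptions chosen for illustration, not a complete ruleset, and the two source snippets it scans are constructed. The key ID in the sample is the placeholder AWS uses in its own documentation.

```python
import math
import os
import re
from collections import Counter

# Detection rules (assumptions for this example, not an exhaustive secret-scanning ruleset):
# token formats with a stable prefix, PEM private-key headers, and quoted values assigned
# to secret-looking variable names.
PATTERNS = {
    "aws_access_key_id": re.compile(r"\bAKIA[0-9A-Z]{16}\b"),
    "github_pat": re.compile(r"\bghp_[A-Za-z0-9]{36}\b"),
    "secret_assignment": re.compile(
        r"""(?i)(?:password|passwd|pwd|secret|api[_-]?key)\s*[:=]\s*["']([^"']{8,})["']"""
    ),
    "private_key_block": re.compile(r"-----BEGIN (?:RSA |EC |OPENSSH )?PRIVATE KEY-----"),
}


def shannon_entropy(value):
    """Bits per character; random-looking tokens score high, dictionary words and placeholders low."""
    counts = Counter(value)
    n = len(value)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def redact(value):
    # The report must never echo the full secret, or the scanner output becomes a second leak.
    return f"{value[:4]}...({len(value)} chars)"


def scan_text(text, origin="<inline>"):
    """Return one finding per (line, rule) match, with a redacted preview and an entropy hint."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        for rule, pattern in PATTERNS.items():
            m = pattern.search(line)
            if not m:
                continue
            value = m.group(m.lastindex) if m.lastindex else m.group(0)
            findings.append({
                "origin": origin, "line": lineno, "rule": rule,
                "preview": redact(value), "entropy": round(shannon_entropy(value), 2),
            })
    return findings


# Constructed snippet of what a careless commit might contain (values are not real secrets).
BAD_SOURCE = """\
import boto3
AWS_ACCESS_KEY_ID = "AKIAIOSFODNN7EXAMPLE"   # AWS documentation placeholder key id
GITHUB_TOKEN = "ghp_0123456789abcdefghijklmnopqrstuvwxyz"   # constructed, not a real token
db_password = "correct-horse-battery-staple"   # constructed, hardcoded
-----BEGIN RSA PRIVATE KEY-----
"""

# Constructed snippet of the same code with the credential injected at runtime instead.
GOOD_SOURCE = """\
import os
db_password = os.environ["DB_PASSWORD"]   # supplied by the vault / CI secret store, never committed
"""


def load_credential(name, env=os.environ):
    """Runtime lookup in place of a literal in the repo; a missing value fails loudly, not silently."""
    value = env.get(name)
    if not value:
        raise RuntimeError(f"credential {name} not provided; check vault or CI secret injection")
    return value


if __name__ == "__main__":
    for finding in scan_text(BAD_SOURCE, origin="bad_settings.py"):
        print(finding)
    print("clean file findings:", scan_text(GOOD_SOURCE, origin="good_settings.py"))
```

Run as a pre-commit hook or in CI, a scanner like this blocks the commit on any finding; the entropy value is there for triage, because a low-entropy "password" such as a placeholder string is usually a false positive while a high-entropy token almost never is.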
5. Remove default credentials
Always replace default credentials in any third-party software you use, or code you download from GitHub or another code repository.
6. Adopt least privilege access/zero trust principles
Limit the access enterprise credentials unlock, particularly privileged credentials that provide permissions for critical business systems or sensitive data. That way, cybercriminals can do only a limited amount of damage if they obtain stolen credentials. They’ll need to request elevated privileges for actions that carry greater risk.
7. Enable Multi-Factor Authentication (MFA)
Require multiple forms of verification for account access or privilege elevation (known as “MFA at depth”), combining something the user knows (a username, password, and/or challenge questions) with something they have (e.g., a mobile device) or something they are (e.g., biometric data). That way, even if a cybercriminal obtains valid credentials, they cannot use them to gain access without also proving they are who they claim to be.
8. Check your work
Once you have set up identity security controls, verify that they work as expected: confirm that MFA is enforced where intended and that identities and access controls are not misconfigured.
How can you detect and respond to credential theft in real time?
Taking a proactive approach to protecting credentials through the best practices above is only part of the cybersecurity battle. Even with the strongest credential protections in place, you’ll still want to implement mitigation and detection controls. Here are some things you can do to stop credential-based attacks in progress.
- Monitor for unusual credential activity. Use session monitoring and recording solutions to spot anomalous credential use and unauthorized access attempts.
- Integrate Identity Threat Detection and Response (ITDR) solutions. Deploy ITDR solutions to detect and respond to identity-based attacks that may leverage stolen credentials. These solutions provide your incident response team and Security Operations Center (SOC) with the context to investigate suspicious credential activity and interrupt attacks before they cause widespread damage.
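What "unusual credential activity" looks like in raw authentication logs follows directly from the brute-force techniques described earlier: password spraying shows up as one source failing against many different accounts, credential stuffing as one account failing from many sources, and the successful login that follows either pattern is the event worth paging on. The Python below is an added example of that detection logic, not code from the original post or from any ITDR product; the log format, the thresholds, the time window and the log lines themselves (using documentation address ranges) are constructed for the demonstration, and real sources such as sshd, Windows logon events or an identity provider's audit log need their own parser.

```python
import re
from collections import defaultdict, deque
from datetime import datetime

# Constructed log format: one authentication attempt per line.
LINE_RE = re.compile(
    r"^(?P<ts>\S+) auth src=(?P<src>\S+) user=(?P<user>\S+) result=(?P<result>OK|FAIL)$"
)

# Constructed sample: a spray from 203.0.113.9, a normal typo by bob, and a distributed
# stuffing run against grace. Addresses come from the documentation ranges (RFC 5737).
SAMPLE_LOG = """\
2024-05-01T10:00:01 auth src=203.0.113.9 user=alice result=FAIL
2024-05-01T10:00:03 auth src=203.0.113.9 user=bob result=FAIL
2024-05-01T10:00:05 auth src=203.0.113.9 user=carol result=FAIL
2024-05-01T10:00:07 auth src=203.0.113.9 user=dave result=FAIL
2024-05-01T10:00:09 auth src=203.0.113.9 user=erin result=FAIL
2024-05-01T10:00:11 auth src=203.0.113.9 user=frank result=OK
2024-05-01T10:01:00 auth src=198.51.100.7 user=bob result=FAIL
2024-05-01T10:01:20 auth src=198.51.100.7 user=bob result=OK
2024-05-01T10:02:00 auth src=198.51.100.21 user=grace result=FAIL
2024-05-01T10:02:04 auth src=198.51.100.22 user=grace result=FAIL
2024-05-01T10:02:08 auth src=198.51.100.23 user=grace result=FAIL
2024-05-01T10:02:12 auth src=198.51.100.24 user=grace result=FAIL
2024-05-01T10:02:16 auth src=198.51.100.25 user=grace result=FAIL
2024-05-01T10:02:30 auth src=198.51.100.26 user=grace result=OK
"""


def parse_line(line):
    m = LINE_RE.match(line.strip())
    if not m:
        return None  # unparseable lines are skipped rather than crashing the pipeline
    return datetime.fromisoformat(m["ts"]), m["src"], m["user"], m["result"]


def analyze(lines, window_seconds=600, spray_users=5, stuff_fails=5):
    """Return alerts as (kind, subject, detail) tuples in the order they fire."""
    by_src = defaultdict(deque)   # src  -> recent failures as (ts, user)
    by_user = defaultdict(deque)  # user -> recent failures as (ts, src)
    flagged_src, flagged_user, alerts = set(), set(), []

    def prune(dq, now):
        # Sliding window: forget failures older than window_seconds.
        while dq and (now - dq[0][0]).total_seconds() > window_seconds:
            dq.popleft()

    for line in lines:
        event = parse_line(line)
        if event is None:
            continue
        ts, src, user, result = event
        if result == "FAIL":
            by_src[src].append((ts, user))
            prune(by_src[src], ts)
            by_user[user].append((ts, src))
            prune(by_user[user], ts)
            # One source, many distinct accounts: password spraying.
            distinct_users = {u for _, u in by_src[src]}
            if len(distinct_users) >= spray_users and src not in flagged_src:
                flagged_src.add(src)
                alerts.append(("password_spray", src, len(distinct_users)))
            # One account, many failures (from any number of sources): stuffing or brute force.
            if len(by_user[user]) >= stuff_fails and user not in flagged_user:
                flagged_user.add(user)
                alerts.append(("credential_stuffing", user, len(by_user[user])))
        elif src in flagged_src or user in flagged_user:
            # A success from a flagged source or for a flagged account is the likely compromise.
            alerts.append(("success_after_failures", user, src))
    return alerts


if __name__ == "__main__":
    for alert in analyze(SAMPLE_LOG.splitlines()):
        print(alert)
```

Bob's single failure followed by a success never crosses a threshold, so it produces nothing; the two `success_after_failures` alerts are the ones an incident responder acts on first (reset the credential, kill the session, review what the account touched), while the spray and stuffing alerts justify blocking the sources and checking which of the targeted accounts lack MFA.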
Learn more about protecting your organization from credential theft
A steadfast commitment to credential security is essential for cyber resilience and business success. Protect your enterprise credentials and implement monitoring and detection best practices to improve your organization’s security posture. You’ll foster trust among employees, clients, partners, and other stakeholders, and reduce your risk of cyberattack.
To learn more about protecting credentials from theft by automating the login process and moving passwords into the background, watch the webinar: Future of Passwords.