Stolen credentials are used in 38% of external breach attacks, according to the 2024 Verizon Data Breach Investigations Report (DBIR). From the perspective of cybercriminals, stealing credentials makes sense — why go through the time and effort of creating a new attack vector when they could simply steal credentials and access key systems without raising red flags?
In this piece, we'll break down the basics of credential theft, explore what happens to credentials after they're stolen, and offer strategies to keep credentials safe.
Understanding Credential Theft
Credentials provide access to accounts, applications, and other secure services. Common credentials such as usernames and passwords are often the first line of defense against malicious actors. If stolen, however, these same credentials can become the catalyst for a cyberattack.
What is credential theft?
Credential theft occurs when attackers steal proof of identity, such as usernames and passwords, that grants access to accounts or services. In some cases, credentials are stolen when cybercriminals breach secure databases that contain hundreds or thousands of username and password combinations. In others, attackers obtain credentials by tricking users into sharing this data under the guise of solving a security issue or fixing a problem.
Implications of credential theft
Stolen credentials present several problems for organizations and individuals.
If attackers steal credentials and access applications or services, they can change passwords and lock legitimate users out of their accounts. They can also move freely around business networks without attracting attention — from the perspective of security teams and security controls, access requests were legitimate, so they won't raise red flags.
This allows attackers to fly under the radar and explore corporate networks or user accounts at their leisure.
How Are Credentials Stolen?
While credential theft aims to steal usernames, passwords, and other identifiers, there's no one-size-fits-all approach to compromise. Depending on the type of credentials, the security (if any) protecting these credentials, and the potential risk of being detected, attackers may leverage one (or more) theft vectors, including:
Malware
Credentials are typically stored in two places.
The first is with end users, who use their credentials to access accounts or services. The second is in first- or third-party databases, which are used to confirm that the credentials being entered match current records. These databases may be managed by a service provider, such as a financial institution that provides a banking application, or by companies that maintain lists of staff usernames and logins for corporate systems.
If attackers can circumvent security controls and install malware, they may be able to capture this data directly from databases or by observing user behavior. For example, malware might be used to steal information stored in third-party applications such as FTP servers or download managers, or to obtain data from in-house storage systems. Attackers may also use malware tools that perform keylogging or screen recording, letting them observe users entering credentials in real time.
Phishing
In a phishing attack, users receive a message that appears to come from a legitimate source, such as an e-commerce retailer, financial firm, or a personal acquaintance. The message asks users to download an attachment or visit a webpage, often under the guise of an urgent request, such as resetting a password or confirming their identity.
If users click on the link, they're asked to provide their credentials as verification. Instead, credentials are captured by malicious actors. Email attachments, meanwhile, may install malware capable of capturing and exfiltrating login and password data.
Man in the middle attack
A man-in-the-middle (MitM) attack happens when attackers intercept communications between a user and the service they're trying to access online, effectively placing cybercriminals in the "middle" of the exchange. If the connection is insecure or unencrypted, attackers may be able to spy on users when they enter credentials.
Vulnerable system or website
If systems or websites contain known vulnerabilities that haven't been patched, attackers may be able to infiltrate networks without being detected and steal user credentials.
Misconfigured databases can also lead to credential theft. For example, if databases can be discovered on public networks and don't require usernames or passwords to access, they put corporate credentials at risk.
Brute force attack
In a brute force attack, criminals don't try to trick users. Instead, they systematically try millions of username and password combinations in hopes of finding a match.
Dictionary attack
A dictionary attack is a more focused form of brute force that uses words found in the dictionary as the basis for potential passwords. For example, many people still use the word "password" as their password. Dictionary attacks try "password" along with common variations such as "pas3word" or "passw0rd" in hopes of finding a match.
Consequences of Stolen Credentials
Stolen credentials can lead to multiple consequences for both businesses and individuals.
How stolen credentials are exploited by cybercriminals
There are several ways cybercriminals may exploit stolen credentials.
The first is using these credentials to access corporate networks or user accounts. Once they've gained access, they modify usernames and/or passwords to keep legitimate users out. Attackers may then take actions that harm users, such as transferring money using a compromised financial application or making fraudulent purchases with an e-commerce account.
They may also exfiltrate user data and sell it on the Dark Web. This creates the potential for delayed compromise — users may not realize that accounts have been breached until their information is sold online and buyers use it to breach accounts or services.
Financial and personal risks associated with stolen credentials
If credentials are stolen, they may be used to commit financial fraud. This could take the form of money transfers or payments to hacker-controlled accounts, or the use of personal information to open new online accounts or apply for credit cards.
Attackers may also use stolen data to commit identity theft. Once they have access to user data including names, dates of birth, and financial or medical records, they can use this information to create fake identities. This can lead to damaged credit ratings, accusations of criminal behavior, or even tax fraud.
Impact on online accounts and personal information
While credential theft starts with one account or service, it can lead to larger problems if users repeat login data across multiple services. For example, if a user's e-commerce account is breached and they use the same username and password combination for online banking, health, and insurance services, a single breach can quickly become a big problem.
In the case of personal information, meanwhile, once attackers have this key data they can cause problems for months or years. Consider a user whose medical records are compromised. Using this information, attackers can create fake user profiles and accounts with online retailers, banks, credit card companies, and subscription services.
Even after the attack is detected and the initial compromise addressed, this information remains in the wild and may be used again to defraud victims.
How to Respond to Credential Theft
When credential theft happens, rapid response helps reduce the overall impact.
Steps to take when your credentials are stolen
If you receive a notification that your credentials have been stolen but you still have access to the account, change the password immediately. Make sure the password is distinctly different — don't use a variation of the old password with just a few letters or numbers switched. It's also a good idea to change the password on any other accounts that share the same login details.
Reporting the incident to relevant authorities
If attackers have breached accounts, report the incident as soon as possible.
In the case of a business account compromise, users should report the breach to their IT security team so the account can be suspended and its access rights removed.
In the case of a personal account, users should report to the service provider, such as a bank, insurance provider, or e-commerce retailer. Users should also notify credit monitoring agencies such as TransUnion or Experian to monitor their credit profile for fraudulent activity.
Recovering compromised accounts and preventing future attacks
In some cases, it may be possible to recover compromised accounts. If IT teams act quickly, they may be able to limit the damage done and restore access to legitimate users. While third-party service providers may also be able to recover account data, users may be held responsible for any purchases made or financial transfers conducted unless they can show proof that the account was compromised.
While it's not possible to eliminate the risk of credential theft, the fear and frustration that come with compromise can spur users to seek out preventative measures against future attacks.
Preventing Credential Theft
People are the key components in preventing credential theft. As noted by the Verizon data, 68% of breaches now involve a "non-malicious human element, like a person falling victim to a social engineering attack or making an error."
In other words, humans remain the weakest link. It's not a question of intent or malice; it's human nature. Unlike machines, humans make mistakes when they're tired, hungry, or bored. And unlike machines, humans can be swayed by social interactions that appear legitimate but have the goal of causing harm.
Best practices for securing personal credentials
The less data shared, the better. When it comes to securing personal credentials, users should avoid writing down passwords or repeating the same passwords across multiple services. In addition, users should not share passwords with friends, family, or other staff members. While their intentions may be good, their actions can still put accounts at risk.
Importance of strong and unique passwords
Strong and unique passwords can help reduce the risk of credential theft. Secure passwords include those with 8 characters or more that contain at least one letter, one number, and one symbol, and don't repeat any of these characters more than twice in a row. Users may also choose to create a passphrase, which is a combination of three or four words that don't form a logical sentence but are easily remembered.
For example, a user might choose the phrase "cheese hat basketball rain" (without the spaces). While the phrase means nothing on its own, users can create a large context around it, such as "when I eat cheese I wear a hat, and then play basketball in the rain." Because these phrases aren't repetitive or tied to typical sentence constructs, they're harder for brute-force attacks to crack.
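The password rules above, together with the dictionary-variant problem from the brute force section ("password", "pas3word", "passw0rd"), can be turned into a simple pre-submission check. The following is an added example, not LastPass code: it flags each stated rule a candidate password fails, then normalizes common character substitutions and uses edit distance to catch near-copies of dictionary words. The wordlist and substitution table are small constructed stand-ins for a real breached-password list.

```python
import re
from typing import List, Optional

# Constructed table of substitutions an attacker's wordlist would also try
LEET = str.maketrans({"0": "o", "1": "i", "3": "e", "4": "a", "5": "s", "7": "t", "@": "a", "$": "s"})

# Constructed stand-in for a real dictionary / breached-password list
COMMON_WORDS = ("password", "welcome", "letmein", "qwerty", "admin")


def policy_violations(pw: str) -> List[str]:
    """Return the rules from the article that pw fails (empty list means it passes)."""
    problems = []
    if len(pw) < 8:
        problems.append("shorter than 8 characters")
    if not re.search(r"[A-Za-z]", pw):
        problems.append("no letter")
    if not re.search(r"[0-9]", pw):
        problems.append("no number")
    if not re.search(r"[^A-Za-z0-9]", pw):
        problems.append("no symbol")
    if re.search(r"(.)\1\1", pw):  # the same character three or more times in a row
        problems.append("a character repeats more than twice in a row")
    return problems


def _edit_distance(a: str, b: str) -> int:
    """Levenshtein distance: how many single-character edits turn a into b."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def dictionary_variant(pw: str) -> Optional[str]:
    """Return the dictionary word pw is a trivial variant of, or None."""
    # Lowercase, undo the substitutions, drop trailing digits/symbols like "!" or "123"
    base = re.sub(r"[^a-z]+$", "", pw.lower().translate(LEET))
    if not base:
        return None
    word = min(COMMON_WORDS, key=lambda w: _edit_distance(base, w))
    return word if _edit_distance(base, word) <= 1 else None


if __name__ == "__main__":
    for candidate in ("passw0rd", "pas3word", "P@ssw0rd!", "cheesehatbasketballrain"):
        print(candidate, policy_violations(candidate), dictionary_variant(candidate))
```

Note that the passphrase from the article passes the dictionary check but, taken literally, still fails the number and symbol rules, which is why the two checks are reported separately.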
Using two-factor authentication to enhance security
Two-factor authentication (2FA) can also enhance credential security. Two-factor security requires users to provide an additional piece of data — also called a "factor" — before they can access services or accounts. Common examples of second factors include one-time text codes, USB keys, or biometric identifiers such as fingerprints.
Protecting Your Organization from Credential Theft
Organizations can also take steps to protect themselves from credential theft.
Recognizing phishing attempts and social engineering tactics
First, enterprises need to educate staff about common phishing and social engineering tactics. This should involve both classroom training and practical exercises. For example, IT teams can create "phishing" emails that are sent to staff — if anyone takes the bait, teams can carry out follow-up training.
Understanding the dark web and its role in credential theft
It's also important for companies to understand the role of the dark web in credential theft. The dark web is typically used as a credential repository: Criminals steal credential data and post it for sale on the dark web. Other attackers buy this data and use it to compromise systems. As a result, stolen credentials may not be used immediately. Instead, it could be weeks or months before a compromise occurs.
Staying updated on the latest security threats
Security threats aren't static. To stay ahead of attackers, companies should ensure all software is regularly updated and follow security news websites to stay informed about emerging threats.
Protecting Your Credentials with LastPass
LastPass can help protect credentials and prevent credential theft.
Overview of LastPass password manager
With the LastPass password manager, your passwords are stored in an encrypted password vault. The vault is protected by zero-knowledge encryption, which means you're the only one who can access your stored passwords. Only your master password can be used to decrypt the vault.
How LastPass safeguards your credentials
In addition to storing your credentials in a secure password vault, LastPass can autofill these passwords into trusted sites. Not only does this save time, it also reduces the risk of credential theft, since LastPass won't autofill unless a site is deemed safe.
Benefits of using LastPass to prevent credential theft
LastPass offers over 100 customizable security policies to personalize authentication, user management, and access controls. In addition, the LastPass password generator helps ensure that accounts and services are protected by strong and unique passwords. The LastPass security dashboard, meanwhile, summarizes potential risks that users can act on, such as weak or reused passwords or emails that were found via dark web monitoring.
Credentials provide access to key applications and services, making them a top target for malicious actors. Keep credentials safe and reduce the risk of compromise with strong passwords, two-factor authentication, and secure password management solutions.
Keep credentials safe with LastPass. Start your free trial today.