credential theft

Credential theft is a type of cybercrime that involves stealing a victim's proof of identity. Once credential theft has been successful, the attacker will have the same account privileges as the victim. Stealing credentials is the first stage in a credential-based attack.

Credential theft allows criminals to reset passwords, lock the victim out of the account, download private data, gain access to other computers in the network or wipe the victim’s data and backups. Cybercriminals can also gain remote access to systems by using legitimate passwords to log into third-party services such as Dropbox, DocuSign, Microsoft Office365 and other services that organizations use regularly for business operations.

Addressing credential theft, reuse and subsequent suspicious logins should be a high priority for both small and large organizations. Stolen credentials have been behind some of the largest and most costly data breaches, including the Equifax, U.S. Office of Personnel Management and Yahoo hacks. Industrial control systems and other critical infrastructure are also vulnerable to credential-based attacks.

Credential theft and the dark web

Criminals can purchase stolen credentials on the dark web, an encrypted portion of the internet that is not indexed by search engines. Have I Been Pwned (HIBP) is a website that allows users to search and find out if an email address's password has been compromised by data breaches. The service is a popular and commonly used tool in IT security and can be useful for individuals who want to know if their online credentials have been stolen.
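As an added example (not code from the original article or from HIBP itself), the check below shows how the HIBP Pwned Passwords range API lets a client test a password against the breach corpus without sending the password or even its full hash: only the first five hex characters of the SHA-1 leave the machine and the suffix is matched locally. The endpoint URL is the real one; the response body, the counts and the function names (`split_hash`, `parse_range_response`, `breach_count`, `offline_fetch`) are constructed here for illustration.

```python
import hashlib
import urllib.request

# Real HIBP endpoint; the client sends only a 5-char SHA-1 prefix (k-anonymity).
PWNED_RANGE_URL = "https://api.pwnedpasswords.com/range/"

def split_hash(password: str) -> tuple:
    """Return (prefix, suffix) of the uppercase SHA-1 hex digest.
    Only the 5-char prefix leaves the machine; the 35-char suffix stays local."""
    digest = hashlib.sha1(password.encode("utf-8")).hexdigest().upper()
    return digest[:5], digest[5:]

def parse_range_response(body: str) -> dict:
    """Parse the 'SUFFIX:COUNT' lines of a range response into {suffix: count}.
    Entries with count 0 are padding (returned when Add-Padding is requested) and are dropped."""
    counts = {}
    for line in body.splitlines():
        line = line.strip()
        if ":" not in line:
            continue
        suffix, count = line.split(":", 1)
        if int(count) > 0:
            counts[suffix.upper()] = int(count)
    return counts

def breach_count(password: str, fetch=None) -> int:
    """Times the password appears in known breaches; 0 means not found.
    fetch(prefix) must return the response body; the default does a live HTTPS call."""
    prefix, suffix = split_hash(password)
    if fetch is None:
        fetch = lambda p: urllib.request.urlopen(PWNED_RANGE_URL + p, timeout=10).read().decode()
    return parse_range_response(fetch(prefix)).get(suffix, 0)

# Constructed stand-in for a range response: suffixes and counts are made up here,
# except the second suffix, which is the real suffix of SHA-1("password").
SAMPLE_RANGE_BODY = """\
00A1B2C3D4E5F60718293A4B5C6D7E8F90A:2
1E4C9B93F3F0682250B6CF8331B7EE68FD8:3861493
FEDCBA9876543210FEDCBA9876543210FED:0
"""

def offline_fetch(prefix: str) -> str:
    """Replaces the network call so the example runs offline; ignores the prefix."""
    return SAMPLE_RANGE_BODY

if __name__ == "__main__":
    print(breach_count("password", fetch=offline_fetch))  # 3861493 with the sample body
```

Drop the `fetch` argument to query the live service; a non-zero count is a signal to reject the password at set time rather than proof that this particular account was breached.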

How credentials are stolen

Credentials can be extracted in the form of hashes, tickets or even plaintext passwords. To deceive employees, attackers often use phishing, which is inexpensive and efficient. Phishing is based on human interaction, unlike malware and exploits, which depend on vulnerabilities in security defenses. Credentials can also be exposed in other ways, including guessing, brute-force attacks or credential leaks.

In corporate credential theft, attackers scour social media sites to find the contact information of users whose credentials will grant access to critical data and information. The phishing emails and websites used in corporate credential theft are more advanced than those used for consumer credential theft. Attackers make the emails and websites look the same as actual corporate applications and communications.

How to prevent credential theft

Consumers' best protection against stolen credentials being used against them is to regularly change passwords and use multi-factor authentication wherever possible.

  • Replace single-factor authentication (SFA) with two-factor authentication (2FA), which makes accounts less susceptible to phishing.
  • Train employees on how to create strong passwords and detect phishing or spear-phishing.
  • Follow privileged access management (PAM) best practices.
  • Limit corporate credentials to approved applications.
  • Block usage from unlikely or unknown applications and websites.
  • Keep operating systems and devices up to date.
  • Conduct regular vulnerability assessments.
  • Use encryption, endpoint security and traffic monitoring tools.

This was last updated in April 2019
