What is credential theft?
Credential theft is a type of cybercrime that involves stealing a victim's proof of identity. Once credential theft has been successful, the attacker will have the same account privileges as the victim. Stealing credentials is the first stage in a credential-based attack.
Credential theft allows criminals to reset passwords, lock victims out of their accounts, download private data, gain access to other computers in the network or wipe the victim’s data and backups. Cybercriminals can also gain remote access to systems by using legitimate passwords to log into third-party services such as Dropbox, DocuSign and Microsoft 365.
Addressing credential theft, reuse and subsequent suspicious logins should be a high priority for organizations of all sizes. Stolen credentials have been behind some of the largest and most costly data breaches, including the Equifax, U.S. Office of Personnel Management and Yahoo hacks. Industrial control systems and other critical infrastructure are also vulnerable to credential-based attacks.
Credential theft and the dark web
Criminals can purchase stolen credentials on the dark web, an encrypted part of the internet that is not indexed by search engines. Cybercriminals often use Have I Been Pwned (HIBP) to find user credentials that have been stolen and leaked onto the internet. Individuals can also use the service to discover if their credentials have been stolen.
How are credentials stolen?
Credentials can be extracted in the form of hashes, Kerberos tickets or even plaintext passwords. To deceive employees, attackers often use phishing, which is inexpensive and efficient. Phishing, a form of social engineering, is based on human interaction, unlike malware and exploits, which depend on vulnerabilities in security defenses. Credentials can also be exposed in other ways, such as guessing, brute-force attacks or credential leaks.
In corporate credential theft known as business email compromise (BEC), attackers scour social media sites to find the contact information of users whose credentials will grant access to critical data and information. The phishing emails and websites used in corporate credential theft are more advanced than those used for consumer credential theft. Attackers make the emails and websites look the same as legitimate corporate applications and communications.
How to prevent credential theft
Consumers' best protection against stolen credentials is follow password hygiene best practices, including the following:
- Replace single-factor authentication (SFA) with two-factor authentication (2FA) or multifactor authentication (MFA), which make accounts less susceptible to phishing.
- Use strong passphrases instead of passwords.
- Use different logins for each account, website and application.
In the workplace, organizations should do the following to prevent credential theft:
- Train employees how to create strong passwords and detect phishing or spear-phishing.
- Create and implement a password policy.
- Follow privileged access management (PAM) best practices.
- Limit corporate credentials to approved applications.
- Block usage from unlikely or unknown applications and websites.
- Keep operating systems (OSes) and devices up to date.
- Conduct regular vulnerability assessments.
- Use encryption, endpoint security and traffic monitoring tools.