How Do Cybercriminals Steal Credentials?

Apr 8, 2022 | Blog, Executive Shield

Cybercriminals have access to billions of email and password combinations on the dark web. There are many ways user credentials can end up being auctioned off on the black market. Finding out that your users’ credentials have been leaked is anxiety-producing, to say the least. Especially considering that many people use the same password or password variations for personal and professional accounts.

How can you ensure that your company’s credentials never show up on one of those lists? And if it ever does happen, what can you do to mitigate the risk? How can you protect your network and protected infrastructure from further harm?

How Do Cybercriminals Obtain Leaked Password Credentials?

There are many ways that cybercriminals can access leaked credentials. Whether they are obtained through phishing or brute forcing, the leaked credentials will likely end up on the dark web.


Here are 6 common ways that cybercriminals can obtain leaked credentials:

  1. Phishing Attacks: Cybercriminals posing as a trusted acquaintance, personal or business, will send a link through text or phishing email. When the malicious link is accessed, malware could be downloaded to your device. From there, personal or confidential company information could be elicited and stolen.
  2. Malware: There are many ways you can encounter malware. The most common ways are through visiting a legitimate-looking website containing malware or by clicking a malicious link or advertisement. Once on your device, some malware can take screenshots or log your keystrokes while you are entering usernames and passwords.
  3. Brute Force Attacks: These attacks occur when a cybercriminal with access to one user’s password tries to use the same password on other accounts. This can be effective if a person utilizes the same password across multiple accounts.
  4. Guesswork: Some passwords are weak and can be easily guessed. Also, when different platforms are set up, generic passwords like “admin123” can expedite access. Cybercriminals know this and will try common passwords (like “password” or “123456”) in hopes of correctly guessing them.
  5. Credential-Based Attacks and Credential Stuffing: Attackers feed huge volumes of previously breached username and password pairs into automated tools. These tools try each combination across a myriad of sites in hopes of finding a match.
  6. Insider Threats: Valid credentials can also be compiled into lists and sold by unethical employees or contractors. Cybercriminals seeking sensitive data often facilitate this by enticing individuals to engage in unethical behavior for financial gain.
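The patterns in this list leave different traces in an authentication log, and a defender can tell them apart. The script below is an added example (not Nisos code or tooling): it parses a constructed log of login attempts, and for each source address it counts failures and how many distinct usernames were tried. A burst of failures spread across many usernames is the signature of credential stuffing; the same burst aimed at one or two usernames looks like brute forcing or guessing. The log format, the thresholds and the sample data are assumptions for this illustration.

```python
"""Sort failed-login bursts into the attack patterns described above.

Added example (Python 3.8+, standard library only); the log format and the
thresholds are assumptions for this illustration, not a real product's output.
"""
import re
from collections import defaultdict
from dataclasses import dataclass, field

# Constructed sample authentication log: one line per login attempt.
SAMPLE_LOG = """\
2022-04-08T09:00:01Z src=203.0.113.10 user=alice result=FAIL
2022-04-08T09:00:02Z src=203.0.113.10 user=bob result=FAIL
2022-04-08T09:00:03Z src=203.0.113.10 user=carol result=FAIL
2022-04-08T09:00:04Z src=203.0.113.10 user=dave result=FAIL
2022-04-08T09:00:05Z src=203.0.113.10 user=erin result=FAIL
2022-04-08T09:00:06Z src=203.0.113.10 user=frank result=OK
2022-04-08T09:00:07Z src=203.0.113.10 user=grace result=FAIL
2022-04-08T09:00:08Z src=203.0.113.10 user=heidi result=FAIL
2022-04-08T09:01:00Z src=198.51.100.7 user=bob result=FAIL
2022-04-08T09:01:01Z src=198.51.100.7 user=bob result=FAIL
2022-04-08T09:01:02Z src=198.51.100.7 user=bob result=FAIL
2022-04-08T09:01:03Z src=198.51.100.7 user=bob result=FAIL
2022-04-08T09:01:04Z src=198.51.100.7 user=bob result=FAIL
2022-04-08T09:01:05Z src=198.51.100.7 user=bob result=FAIL
2022-04-08T09:02:00Z src=192.0.2.5 user=alice result=FAIL
2022-04-08T09:02:09Z src=192.0.2.5 user=alice result=OK
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) src=(?P<src>\S+) user=(?P<user>\S+) result=(?P<result>OK|FAIL)$"
)

FAIL_THRESHOLD = 5      # assumed: fewer failures than this is treated as normal
SPREAD_THRESHOLD = 0.8  # assumed: share of attempts that hit a new username


@dataclass
class SourceSummary:
    """Everything we track per source address."""
    attempts: int = 0
    failures: int = 0
    users: set = field(default_factory=set)      # distinct usernames tried
    successes: set = field(default_factory=set)  # usernames that logged in

    @property
    def spread(self) -> float:
        """Fraction of attempts that targeted a not-yet-seen username."""
        return len(self.users) / self.attempts if self.attempts else 0.0

    @property
    def verdict(self) -> str:
        if self.failures < FAIL_THRESHOLD:
            return "normal"
        if self.spread >= SPREAD_THRESHOLD:
            return "credential_stuffing"   # many users, one try each
        if len(self.users) <= 2:
            return "brute_force"            # one user, many tries
        return "suspicious"


def parse_events(text: str) -> list:
    """Turn log lines into dicts; lines that do not match are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            events.append(m.groupdict())
    return events


def summarize(events: list) -> dict:
    """Aggregate attempts per source address."""
    by_src = defaultdict(SourceSummary)
    for e in events:
        s = by_src[e["src"]]
        s.attempts += 1
        s.users.add(e["user"])
        if e["result"] == "FAIL":
            s.failures += 1
        else:
            s.successes.add(e["user"])
    return dict(by_src)


def likely_compromised(summaries: dict) -> set:
    """Accounts that logged in from a source judged to be stuffing: the
    reused password worked, so these users need a reset first."""
    return {
        user
        for s in summaries.values()
        if s.verdict == "credential_stuffing"
        for user in s.successes
    }


if __name__ == "__main__":
    summaries = summarize(parse_events(SAMPLE_LOG))
    for src, s in summaries.items():
        print(f"{src:15} {s.verdict:20} users={len(s.users)} fails={s.failures}")
    print("reset first:", likely_compromised(summaries))
```

The distinction matters for response: a brute-force source is handled by lockout or rate limiting on one account, while a stuffing source that achieved a success means a reused password has already been confirmed, so the affected account should be reset before anything else.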

Where Do Cybercriminals Buy Stolen Passwords and Stolen Credentials?

According to Akamai, there were approximately 193 billion credential stuffing attack attempts in 2020. The majority of these targeted financial, healthcare, and retail organizations.

“3.4 billion hitting financial services organizations alone – an increase of more than 45% from the previous year. Akamai also observed nearly 6.3 billion web application attacks in 2020, with more than 736 million targeting financial services – which represents an increase of 62% from 2019.”

If you searched the dark web for leaked credentials, you would find billions of email address and password combinations for sale. Most often, leaked credentials are compiled into lists based on industry. The price of the information correlates directly to the value associated with each specific sector. It will come as no surprise that credentials stolen from financial institutions and healthcare providers are among the most expensive. Social media and other credentials are some of the least valuable.

My Executive’s Credentials Have Been Leaked. Now What?

Finding out that your executive’s credentials have been leaked is unfortunate, frightening, and often very costly. It is even more problematic when credential theft has occurred and nobody has noticed: in many cases, the credentials have been leaked, but the organization is unaware of the compromise. And you can’t take action if you don’t know something has happened.


Here are 4 steps you can take to protect your enterprise:

  1. Become aware: Google Chrome’s Password Checkup and Have I Been Pwned are two services that detect whether you’ve been compromised in a data breach. They just need your email address or phone number.
  2. Don’t reuse passwords: If the person uses unique passwords, then the risk could be minimal and easily corrected with a password reset. However, if the individual reuses passwords for several online accounts, cybercriminals may gain access to multiple accounts using the same credentials.
  3. Enact an employee password reset protocol: You should have a protocol in place within your company that allows you to reset all account details accessible by employees. In addition to this protocol, you should set strong password parameters that will make a password breach or account takeover less likely to occur.
  4. Use a password manager: There are several password tools available on the market. These tools store encrypted passwords online in an easy-to-use interface. From browser plugins to smartphone apps, there are many ways to securely manage multiple complex, easy to forget, and hard to type passwords.

How Can I Create Better Cyber Hygiene to Combat a Credential Leak?

Prevention is the best medicine. If you help your employees practice good cyber hygiene habits now, you can reduce the risk of future credentials leaks.

Here are 8 ways to help protect your business:

  1. Employee Training and Awareness: Ensure that your employees understand how important their password strength and uniqueness are to overall company cybersecurity defense. This can also help increase awareness of spear phishing attempts.
  2. Enact a Strong Password Policy: When possible, don’t let your employees leave the password reset webpage until they have chosen a strong password. You may also consider regularly scheduled forced password rotations.
  3. Monitor Password Dumps: You can stay ahead of the game and monitor leaked security breaches for employee credentials. By staying one step ahead, you can either take down the threat actor or proactively change the credentials of affected users.
  4. Use Threat Actor Behavior Analytics: Determine how compromised passwords were leaked in the past. Are there certain behaviors of an employee that should be concerning? Are there “usual suspects” within your organization who maintain poor cyber diligence? Identify them and educate them.
  5. Executive Password Management: Extra protective steps can be taken for CXO and executive employees. Protection can be added to mobile devices for individuals that log in to their work accounts while traveling.
  6. Install Reputable Antivirus and Anti-malware Software: Antivirus is an important part of cyber hygiene. Regular scans for malware and other malicious programs can ward off harmful infections.
  7. Use Multi-factor Authentication: Two- and three-factor authentication provide added layers of protection. Biometrics, including fingerprint and facial recognition, are especially helpful.
  8. Regularly Update Apps and Software: Using outdated versions of apps and software opens you up to more security risks. Keeping systems updated and patched ensures maximum security.
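Two of the steps above, "set strong password parameters" in the reset protocol and "Monitor Password Dumps", can be enforced at the moment a password is chosen, so that a reused or already-leaked password never makes it into the organization in the first place. The following is an added example (not Nisos code): a small policy checker that combines length and variety rules with a deny list built from the passwords named in this post, plus a breach-corpus lookup in the k-anonymity style used by Have I Been Pwned's Pwned Passwords service, where only the first five hex characters of the SHA-1 leave the client. The breach server is simulated in-process with constructed data; the deny list, threshold values and hit counts are assumptions for the illustration.

```python
"""Enforce a password policy and check candidates against a breach corpus.

Added example (Python 3.8+, standard library only). The deny list, the
thresholds and the simulated breach server are assumptions for illustration.
The range lookup mirrors the k-anonymity scheme of the Pwned Passwords API:
the client sends a 5-character hash prefix and matches the suffix locally.
"""
import hashlib
import re

# Tiny deny list built from the passwords named in the post; real deny lists
# (and the breach corpus below) hold hundreds of millions of entries.
COMMON_PASSWORDS = {"password", "123456", "admin123"}
MIN_LENGTH = 14  # assumed policy value

CHARACTER_CLASSES = {
    "lowercase": re.compile(r"[a-z]"),
    "uppercase": re.compile(r"[A-Z]"),
    "digit": re.compile(r"[0-9]"),
    "symbol": re.compile(r"[^A-Za-z0-9]"),
}


def policy_violations(password: str) -> list:
    """Return the policy rules a candidate breaks (empty list = accepted)."""
    problems = []
    if len(password) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    if password.lower() in COMMON_PASSWORDS:
        problems.append("on the common-password deny list")
    classes = sum(1 for rx in CHARACTER_CLASSES.values() if rx.search(password))
    if classes < 3:
        problems.append("uses fewer than 3 character classes")
    if re.search(r"(.)\1{2,}", password):
        problems.append("contains a character repeated 3+ times")
    return problems


def sha1_hex(password: str) -> str:
    """Upper-case hex SHA-1, the digest form the range protocol works with."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest().upper()


# --- Simulated breach-corpus server (constructed data) ----------------------
SIMULATED_BREACH_CORPUS = {  # password -> times seen in dumps (made-up counts)
    "password": 3861493,
    "123456": 24230577,
    "admin123": 71042,
    "Summer2022!": 318,
}


def simulated_range_lookup(prefix: str) -> str:
    """Stand-in for GET /range/{prefix}: returns 'SUFFIX:COUNT' lines for
    every corpus hash whose first five hex characters equal the prefix."""
    lines = []
    for pw, count in SIMULATED_BREACH_CORPUS.items():
        digest = sha1_hex(pw)
        if digest.startswith(prefix):
            lines.append(f"{digest[5:]}:{count}")
    return "\n".join(lines)


# --- Client side ------------------------------------------------------------
def breach_count(password: str, range_lookup=simulated_range_lookup) -> int:
    """How many times the password appears in the corpus, without sending
    the password or its full hash to the server."""
    digest = sha1_hex(password)
    prefix, suffix = digest[:5], digest[5:]
    for line in range_lookup(prefix).splitlines():
        candidate_suffix, _, count = line.partition(":")
        if candidate_suffix == suffix:
            return int(count)
    return 0


def evaluate(password: str) -> dict:
    """Combine both checks the way a reset page would before accepting input."""
    problems = policy_violations(password)
    seen = breach_count(password)
    if seen:
        problems.append(f"seen {seen} times in breach data")
    return {"accepted": not problems, "problems": problems}


if __name__ == "__main__":
    for candidate in ["admin123", "Summer2022!", "Tr0ub4dor&3xtra-long"]:
        print(candidate, evaluate(candidate))
```

Note that "Summer2022!" passes every character-class rule yet is rejected twice: it is too short for the policy and it already appears in breach data. Composition rules alone do not catch passwords that people commonly choose; the breach lookup is what closes that gap, and the prefix-only query means the check can be run against an external service without disclosing the candidate password.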

You don’t have to do it alone. If and when protecting your enterprise and sensitive information becomes a challenge, engage security experts. Managed intelligence services can help bridge the gap between your internal talent and the demands of the ever-evolving threat landscape.

About Nisos®

Nisos is The Managed Intelligence Company™. Our services enable security, intelligence, and trust and safety teams to leverage a world-class intelligence capability tailored to their needs. We fuse robust data collection with a deep understanding of the adversarial mindset delivering smarter defense and more effective response against advanced cyber attacks, disinformation, and abuse of digital platforms.