The threat of stolen credentials: What organizations need to know
MFA, exceptional cyber hygiene and a smart password management process play a critical role in protecting sensitive data.
Organizations and websites are suffering cybersecurity incidents on a daily basis, some of them leading to the compromise of customers’ data. Compromised data frequently include lists of usernames and passwords, which allow the bad actors who possess them to access online resources such as websites and mobile applications. These passwords are then traded and sold on the internet, mostly on dark web marketplaces, but also on publicly accessible websites. Some of these password lists can be bought for as little as $5.
Password data can be big business. According to several studies, an average person can have more than 150 different online accounts. Due to insufficient security awareness, most people use the same password for several accounts, both personal and professional. In many cases, they even reuse these passwords for publicly exposed sensitive applications and remote connections like a VPN or Citrix. Thus, a compromised personal account password, even from a site such as dailyquizz.me, can provide threat actors with valid credentials for accessing an organization’s systems remotely. Moreover, nowadays, passwords can be easily mis-shared or guessed, especially with the abundance of information available on the public Internet.
It is relatively easy and cheap for threat actors to perform credential stuffing attacks, which are large-scale automated login requests using stolen credentials. These attacks are often difficult for IT security teams to detect, as the threat actor is using valid usernames and passwords rather than brute-forcing them.
The impact of such an attack depends on the type of data or access of the compromised accounts. It can vary from accessing a magazine subscription, to remotely accessing an organization’s information systems using privileged access. Fortunately, there are several ways your organization can protect against this risk.
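Because stuffing attempts use valid-looking credentials, the tell is not a failed password but one source trying many different usernames in a short time. The detector below is an added example, not from the article; the log format and every address and username in it are constructed.

```python
"""Flag credential-stuffing patterns in authentication logs.

Constructed sample, not from any real system: one source address tries
many different usernames, mostly failing, while a normal user fails once
and then succeeds. A brute-force attempt (one username, many passwords)
looks different, so the detector keys on distinct usernames per source.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed log lines: "<ISO timestamp> <source_ip> <username> <result>"
SAMPLE_LOG = """\
2023-03-01T10:00:01 203.0.113.7 alice FAIL
2023-03-01T10:00:02 203.0.113.7 bob FAIL
2023-03-01T10:00:02 203.0.113.7 carol FAIL
2023-03-01T10:00:03 203.0.113.7 dave SUCCESS
2023-03-01T10:00:03 203.0.113.7 erin FAIL
2023-03-01T10:00:04 203.0.113.7 frank FAIL
2023-03-01T10:05:00 198.51.100.20 grace FAIL
2023-03-01T10:05:09 198.51.100.20 grace SUCCESS
"""

def parse(log_text):
    """Yield (timestamp, ip, user, ok) tuples from the constructed log format."""
    for line in log_text.splitlines():
        ts, ip, user, result = line.split()
        yield datetime.fromisoformat(ts), ip, user, result == "SUCCESS"

def detect_stuffing(events, window=timedelta(minutes=5), min_users=5,
                    max_success_ratio=0.5):
    """Return {ip: sorted usernames} for sources that tried at least
    `min_users` distinct accounts inside `window` with a low success ratio.
    Stuffed credentials mostly fail (few leaked pairs are valid on any one
    site), so the ratio stays low even though no password is guessed."""
    per_ip = defaultdict(list)
    for ts, ip, user, ok in sorted(events):
        per_ip[ip].append((ts, user, ok))
    flagged = defaultdict(set)
    for ip, evs in per_ip.items():
        start = 0
        for end in range(len(evs)):
            while evs[end][0] - evs[start][0] > window:  # slide window start
                start += 1
            chunk = evs[start:end + 1]
            users = {u for _, u, _ in chunk}
            successes = sum(1 for _, _, ok in chunk if ok)
            if len(users) >= min_users and successes / len(chunk) <= max_success_ratio:
                flagged[ip].update(users)
    return {ip: sorted(users) for ip, users in flagged.items()}
```

The single SUCCESS inside the flagged burst is the account to treat as compromised; the normal user on 198.51.100.20 is not reported.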
Enabling MFA is the most important thing
The concept behind multifactor authentication (MFA) is not a new one. Before keys were invented (over 6,000 years ago), you needed to identify yourself with a secret message before getting access to an important meeting room. Years later, as humans discovered how easy it was to find or guess a secret message, keys were invented. The advent of the key represented the first version of two-factor authentication (2FA): something you knew (the location of the door), and something you had (a physical key).
We can apply the same concept to IT nowadays. However, the part that you know (username and password) can also be known by multiple threat actors. So, to secure access, authentication should also rely on something you have. In its most basic form, MFA can be based on two factors only: something you know (a password or a PIN code) and something you own, which can include a mobile phone with a SIM card, a code generated on a physical token or by software installed on your mobile device, an enterprise-enrolled device, etc.
MFA is a very efficient way to protect your account from attacks. Even if a threat actor gets access to a valid password, the second factor of your MFA would prevent them from using it to connect to your online accounts. There are a few possible techniques to bypass MFA; however, most of them are difficult to execute due to their complexity.
Though rare, we are seeing more and more MFA bypass-related incidents, especially after advanced phishing tools were made publicly available.
There have been two major incidents during which MFA was recently bypassed. The first was an Uber hack, for which the attacker first gained access to company systems by targeting an individual employee and repeatedly sending them MFA push notifications. After more than an hour, the threat actor contacted the same employee on WhatsApp pretending to be an Uber IT support employee and saying that the MFA notifications would stop once the target approved the login. The second was a Twilio hack incident, in which employees were redirected to fake login pages via SMS. This allowed the threat actor to retrieve the MFA tokens and use them to connect remotely.
Not all MFA solutions offer the same level of security; however, weaker MFA solutions can be made more secure with proper configuration. In most cases, MFA-bypass incidents exploit weak configuration practices that can be fixed by changing the default configuration.
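The push-notification sequence described in the Uber incident above leaves a recognizable trace in MFA logs: a run of denied or unanswered prompts for one user, then an approval. The detector below is an added example, not from the article or any vendor; the log format, usernames and timestamps are constructed.

```python
"""Detect MFA push-fatigue ("prompt bombing") sequences in MFA logs.

Constructed sample: one user receives a burst of push prompts they ignore or
deny over a quarter of an hour, then approves one about an hour later; a
normal user approves their single prompt. The repeated prompts alone are a
warning; the eventual approval is the alert that needs immediate response.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed MFA events: "<ISO timestamp> <username> <push_result>"
SAMPLE_MFA_LOG = """\
2023-03-01T22:00:00 jdoe TIMEOUT
2023-03-01T22:02:10 jdoe DENIED
2023-03-01T22:05:30 jdoe TIMEOUT
2023-03-01T22:09:00 jdoe DENIED
2023-03-01T22:14:45 jdoe TIMEOUT
2023-03-01T23:05:12 jdoe APPROVED
2023-03-01T22:01:00 msmith APPROVED
"""

def parse_mfa(log_text):
    """Yield (timestamp, user, result) tuples from the constructed format."""
    for line in log_text.splitlines():
        ts, user, result = line.split()
        yield datetime.fromisoformat(ts), user, result

def detect_push_fatigue(events, window=timedelta(hours=2), min_rejected=3):
    """Return {user: (rejected_count, approval_time)} for users who approved
    a push after at least `min_rejected` prompts were denied or timed out
    within `window` before it. Denied prompts by themselves indicate that
    someone else holds a valid password for the account."""
    per_user = defaultdict(list)
    for ts, user, result in sorted(events):
        per_user[user].append((ts, result))
    alerts = {}
    for user, evs in per_user.items():
        for i, (ts, result) in enumerate(evs):
            if result != "APPROVED":
                continue
            rejected = sum(1 for t, r in evs[:i]
                           if r in ("DENIED", "TIMEOUT") and ts - t <= window)
            if rejected >= min_rejected:
                alerts[user] = (rejected, ts.isoformat())
    return alerts
```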
Security awareness & secure password hygiene are also essential
Security awareness remains key for helping individuals adopt best practices when handling passwords. Best practices include using unique, long and/or complex passwords that cannot be guessed based on information that can be found on the Internet like a user’s first name, last name, company name, or address. A personal password manager (such as Bitwarden, which is free and open source) provides an individual with an easy way to generate and store a unique and complex password for each of their online accounts.
Organizations that do not expect employees or customers to connect from specific locations can control remote connections coming from other countries, regions or continents by implementing geo-location restrictions. Based on the location and the time of the connection, an organization can decide whether to block a connection or to require additional verification using a third factor such as a link sent by email, a question with a pre-configured secret answer, a phone call, or a notification on a mobile device.
Monitoring leaked credentials is another way that companies and individuals alike can practice secure password hygiene. Some organizations that have suffered a data breach take the effort to notify customers and employees who were impacted by the incident; others don’t. Knowing when your data or passwords are leaked is useful because it allows you to take appropriate action when needed, for example changing a password that is used for several accounts, enabling MFA if it is not enabled, or alerting your bank if your credit card number has been stolen. There are websites that allow individuals to know if their data has been disclosed in publicly known breaches.
Password managers (including Google Chrome’s password manager) are starting to offer functionalities that allow users to know if their passwords are found in a disclosed password leak, and these are often offered for free. Furthermore, specialized service providers offer services that notify organizations when their data is found on the dark web, sometimes even before the breach is publicly disclosed. This service is often called “Dark Web Monitoring.”
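A password manager can check a password against a leak corpus without sending the password anywhere, using the k-anonymity range query that public leaked-password lookup services expose: the client sends only the first five hex characters of the SHA-1 hash and compares the returned suffixes locally. The code below is an added illustration of that scheme, not the article's or any vendor's code; the leak corpus is constructed for the example.

```python
"""Check a password against a leak corpus without disclosing the password.

Both sides of the exchange are shown in one process. The server only ever
sees a 5-hex-character SHA-1 prefix, which is shared by roughly one in a
million possible hashes, so it cannot learn which password was checked.
"""
import hashlib
from collections import defaultdict

# Constructed leak corpus: passwords that appeared in (fictional) breaches.
LEAKED_PASSWORDS = ["password", "123456", "qwerty", "letmein", "Summer2023!"]

def sha1_hex(password):
    """Uppercase hex SHA-1 of the password, the key the range scheme uses."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest().upper()

def build_range_index(passwords):
    """Server side: map 5-hex-char SHA-1 prefix -> set of 35-char suffixes."""
    index = defaultdict(set)
    for pw in passwords:
        digest = sha1_hex(pw)
        index[digest[:5]].add(digest[5:])
    return index

def range_lookup(index, prefix):
    """Server side: return every known suffix under the given prefix.
    This is the whole request the server receives, so a request log holds
    no information about the specific password."""
    if len(prefix) != 5:
        raise ValueError("range query takes exactly a 5-hex-char prefix")
    return sorted(index.get(prefix, set()))

def is_leaked(password, index):
    """Client side: hash locally, query by prefix, match the suffix locally."""
    digest = sha1_hex(password)
    return digest[5:] in range_lookup(index, digest[:5])
```

A manager that finds a match should prompt for a change on every account where that password was reused, which is the action the paragraph above recommends.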
As bad actors continue to prey on easy victims, security techniques like implementing secure MFA and practicing secure password hygiene are essential risk management components for every organization. Educating yourself and your colleagues about the latest risks and taking steps to mitigate them is well worth the time and effort.
Jad Nehmé is a cyber services manager with Beazley’s cyber services team — international. He is based in France and supports Beazley’s clients during a cybersecurity incident or a data breach. He also assists clients with privacy and cybersecurity risk management as well as preventive controls. Prior to joining Beazley, Jad held roles at Alcatel-Lucent and KPMG covering both the technical and organizational aspects of cyber security.
Opinions expressed here are the author’s own.