If we had a nickel for every time someone asked us the difference between leaked credentials and compromised accounts… Well, we’d be able to treat the team to a packet of Oreos one of these days.
Why does it matter? Well, according to CISA, 54% of cyberattacks involve the use of valid accounts. As a result, understanding the risk of compromised accounts and leaked credentials is critical.
This article tackles the terms head-on, and discusses how threat actors get their hands on sensitive account details, diving deep into the different types of vulnerability and what they mean for protecting your organization.
What are Leaked Credentials?
Leaked credentials are passwords and usernames that have been stolen or compromised, and are often traded in cybercrime markets. Leaked credentials usually originate from third-party breaches and compromised databases, where an organization is compromised, and data about its users is leaked. These leaked credentials can then be used by threat actors to launch identity theft attacks, or to gain a foothold into an organization. Leaked credentials can be varied in what they include, for example they can include PII, but by definition — all leaked credentials belong to the same organization, and so the scope is limited. Many third-party breaches will result in passwords stolen that are not in cleartext — and therefore are more difficult to use by an attacker.
KELA Highlight: Using KELA, you can search our database for a specific organizational domain, and query against our comprehensive data lake, which stores billions of email-password-metadata data points.
What are Compromised Accounts?
In contrast, compromised accounts are not third-party leaks, they are first-party leaks. Compromised accounts are credentials stolen from machines that have been infected by information stealers to obtain data. As individual machines are targeted in their entirety, a single compromised machine can unlock credentials to hundreds of websites that are used by the owner of the machine. Unlike with an organizational data breach, when an infostealer infects a machine, they can often steal and relay a larger variety of data, including session cookies, autofills from web browsers, and more. Another key difference is that credentials harvested by infostealers are in plaintext, which makes them far more usable than those stolen from a third-party attack.
KELA Highlight: The KELA platform provides access to data gathered by infostealing malware from various botnet markets. We present credentials gathered from log clouds and many other sources, and also alert on new market entries to facilitate takedowns without exposing the credentials.
Know Your Bots: Botnet Markets vs Bot Dumps or Clouds of Logs
Just like any market worth its salt, botnet markets sell tempting products at competitive prices. In this case, it’s less strawberries, jewelry and iPhone covers, and more usernames and passwords. Once purchased, threat actors may have everything they need to launch an attack. Examples of botnet markets are Russian Market, and 2easy, which is responsible for the sale of over 1.88 million logs since 2020.
While these markets offer an à la carte access to a vast menu of leaked credentials and compromised accounts, it turns out even criminals can’t resist the subscription economy. Today, it’s becoming popular for threat actors to sign up for weekly or monthly access to “clouds of logs”, where criminals send a “bot dump” of everything they have every single day, generally via Telegram, and harvested from a wide range of infostealers.
Although Botnet markets let criminals be specific about their targets — choosing logs by geographic location, operating systems or domain before they part with their hard-earned cash, the sheer quantity of data at a low price can make signing up to receive clouds of logs too good a deal to resist. This approach also provides the added benefit of allowing criminals to try out different techniques or entry vectors.
Think about it like your movie viewing habits. Sometimes you’ll pay extra to pick the exact blockbuster you want to see on the big screen, but you probably wouldn’t give up your Netflix subscription, where you can browse through their offering and find a great watch that you’d never heard of before.
Remember, when monitoring subscription services vs botnet markets, everyone who signs up to access clouds of logs sees all of the logs. In contrast, with a botnet market — you can buy the details and in so doing, potentially stop them from being able to be accessed by anyone else.
Prevention and Response: Protecting Against Account Compromise and Leaked Credentials
As more than half of cyberattacks use valid accounts and credentials, there are a number of best practices that can partially protect against the use of leaked credentials and often secure compromised accounts. In some cases, it may be within your control to help make the data being stolen by account compromise tactics unusable.
First up, make sure you’ve implemented multi-factor authentication. This means that even if there is an account compromise, access is more difficult. Rotate passwords regularly, and put a policy in place to make sure employees periodically change their details, too. (Don’t forget to remind them that changing their password from Password1! to Password2! won’t win them any employee of the month awards.)
Next, as soon as employees leave the organization, delete their credentials from the system. We mean it, even while there is still goodbye cake left in the kitchen. Without robust employee exit processes, you’re welcoming attackers with open arms. Similar processes need to be put in place when employees change roles, or when test user accounts are created which are only needed for a limited time period. Without robust security procedures, organizations can fall victim to attacks like the recent Midnight Blizzard attack against Microsoft, where attackers gained a foothold by compromising a legacy non-production test tenant account.
Unfortunately, these methods are not always foolproof. Certain elements found in a bot file, such as cookies, can allow a threat actor to bypass methods such as MFA and gain initial access to a critical business service.
As a result, the ultimate best practice is to make sure you have a way to continually monitor criminal activities, so you’re two steps ahead of the latest TTPs, threat groups, and accounts that may be compromised. With continual intelligence, you can ensure immediate incident response measures on the customer side to mitigate the risk of any infected machine.