Threat Tuesday: Stolen Credentials – The Gift That Keeps On Giving


How many times do you enter a username and password online every day? 10? 20? More? Passwords remain the universal choice for authentication on the Web. But these strings of numbers, letters and symbols can be dangerous if they fall into the wrong hands.

In more than two-thirds of data breaches, stolen credentials are found to be at fault. Lists of millions of usernames and passwords are collected by hackers, and then bought and sold on the “dark web” (virtual underground marketplaces). Other lists are simply released to the public, free for anyone to attempt “password spraying” attacks against thousands of websites.

Credentials stolen in one security breach can also be used for further attacks against the same organization. In several recent cyberattacks, hackers were found to be actively searching the network for credentials to steal. These credentials can be used later to access things like banking sites, cloud service portals, company social media accounts, and more.

Security researcher Brian Krebs says:

“Companies that experience a ransomware attack — or for that matter any type of equally invasive malware infestation — should assume that all credentials stored anywhere on the local network (including those saved inside Web browsers and password managers) are compromised and need to be changed.”


How can you protect against credential theft? One way is to use a strong, unique password for each online service; a password manager can help. Another way is to enable two-factor authentication anywhere it’s available.

Passwords can also be lifted from old hard drives and other discarded equipment. So choose a trusted ITAD provider, like CyberCrunch, to securely dispose of your unwanted electronic equipment and protect your credentials.