Password Security
The impact of stolen enterprise passwords on business:
Lost, weak, and reused passwords are the most common cause of hacking-related data breaches and a convenient way for attackers to gain access to your IT resources. Cybercriminals do not have to go to great lengths to find compromised passwords: billions of them are already available on the dark web. Attackers are constantly looking for ways to obtain enterprise passwords, and with them the means to damage your company's reputation, so strengthening your password security raises the barriers they must overcome.

What are cybercriminals doing with your stolen passwords?

- Ransom: sensitive or confidential information is not sold but ransomed back to its original owners.
- Email compromise: threat actors use a compromised email server to steal the passwords of every mailbox on it, harvest information, and use the compromised accounts to spread malware to other recipients via phishing.
- Resale: usernames and passwords stolen from vulnerable databases containing sensitive information about critical entities are posted on the dark web for sale.
- Reputational damage: harming the public image of the company.
- Nation-state espionage: stolen accounts are used to spy on their genuine owners and obtain sensitive or confidential information from them.

What methods are used by threat actors to discover enterprise passwords?

- Phishing: phishing is one of the most prevalent attacks used to acquire passwords and other sensitive data. It involves sending an email containing a malicious link that redirects the victim to a faked website, tricking them into entering their personal information and passwords. Phishing emails may also carry attachments that, when opened, infect the computer with malware that steals enterprise or administrator passwords.
- Dumpster diving or user carelessness: an attacker may obtain a user's password through the user's own negligence. Credentials written down and left in plain sight can simply be read, and some attackers go as far as searching discarded paperwork (dumpster diving) for usernames and passwords.
- Brute force attack: a brute force attack guesses candidate passwords, in the worst case every possible combination, until the correct one is found. Weak and short passwords fall quickly, and attackers automate the guessing with a script or a password-cracking tool rather than typing guesses by hand.
- Keyloggers: keylogging is a method used by cybercriminals to acquire passwords and other sensitive information. Users pick up a keylogger from infected websites and phishing emails. Once installed, it silently records every keystroke and sends the log back to the attacker who planted it.
- Credential stuffing: attackers use automated tools to try large lists of usernames and passwords exposed in earlier breaches against other systems until they find a match. Because many users reuse the same credentials across accounts, a single leaked pair often opens several accounts, and once inside the attacker can harvest whatever information they want, including more passwords.
- Network monitoring / intercepting traffic: attackers also collect passwords by monitoring network traffic. On public Wi-Fi networks, traffic that is not encrypted can be intercepted with simple tools and any password sent in the clear read directly.
- Reuse of breached credentials: credentials stolen in one data breach are used to attack other systems where the same password has been reused.
- Shoulder surfing: observing someone as they type their password.
- Theft of a password hash file: the original passwords are then recovered offline by cracking the hashes, which is quick when the hashes are unsalted or computed with a fast algorithm and the passwords are weak.
- Manual guessing: guessing passwords from personal information such as a person's name or date of birth.
- Harvesting from vulnerable servers: threat actors collect administrator passwords from vulnerable servers exposed on the internet or on the internal network, which can lead to lateral movement to other critical servers.
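To make the brute-force and hash-file points concrete, the following is an added example (not code from the original article) that runs the same dictionary attack against two constructed "stolen" password files: one using unsalted MD5 and one using salted, iterated PBKDF2-HMAC-SHA256. The user names, passwords and wordlist are made up for illustration; the point it shows is that an unsalted file is cracked with one hash per dictionary word for any number of users, while salting forces one slow hash per user per word.

```python
import hashlib
import hmac
import os

# Constructed wordlist standing in for a leaked-password dictionary.
WORDLIST = ["123456", "password", "letmein", "Summer2023!", "qwerty"]


def weak_hash(password: str) -> str:
    """Unsalted MD5: fast, and identical for every user with the same password."""
    return hashlib.md5(password.encode("utf-8")).hexdigest()


def strong_hash(password: str, salt: bytes, iterations: int) -> bytes:
    """Salted, iterated PBKDF2-HMAC-SHA256: slow, and unique per user."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)


def crack_unsalted(stolen: dict, wordlist) -> tuple:
    """Dictionary attack on an unsalted file.

    Each word is hashed once and looked up against every user, so the cost is
    len(wordlist) hash operations regardless of how many users are in the file.
    Returns (cracked, hash_operations).
    """
    table = {weak_hash(word): word for word in wordlist}
    cracked = {user: table[digest] for user, digest in stolen.items() if digest in table}
    return cracked, len(wordlist)


def crack_salted(stolen: dict, wordlist) -> tuple:
    """Dictionary attack on a salted, iterated file.

    The per-user salt makes a precomputed table useless: every (user, word)
    pair must be hashed separately, and each hash costs `iterations` rounds.
    Returns (cracked, hash_operations).
    """
    cracked, ops = {}, 0
    for user, (salt, digest, iterations) in stolen.items():
        for word in wordlist:
            ops += 1
            if hmac.compare_digest(strong_hash(word, salt, iterations), digest):
                cracked[user] = word
                break
    return cracked, ops


def build_sample_files(iterations: int = 50_000):
    """Constructed 'stolen' password files for two hypothetical users:
    alice uses a password from the wordlist, bob uses one that is not in it."""
    plaintext = {"alice": "Summer2023!", "bob": "S3cure-Long-Passphrase!2024"}
    unsalted = {user: weak_hash(pw) for user, pw in plaintext.items()}
    salted = {}
    for user, pw in plaintext.items():
        salt = os.urandom(16)
        salted[user] = (salt, strong_hash(pw, salt, iterations), iterations)
    return unsalted, salted


if __name__ == "__main__":
    unsalted, salted = build_sample_files()
    print("unsalted:", crack_unsalted(unsalted, WORDLIST))
    print("salted:  ", crack_salted(salted, WORDLIST))
```

Both runs recover alice's password and neither recovers bob's, but the unsalted file costs five hash operations in total while the salted one costs nine, each of them tens of thousands of times slower; with real wordlists and user counts that gap is what makes an unsalted or fast-hash password file effectively plaintext.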
What are the most common errors IT administrators and users in an organization make that result in an enterprise password breach?

- Using weak administrator or account passwords.
- Keeping sensitive passwords in a plain-text or unencrypted file.
- Leaving publicly exposed servers vulnerable, which leads to the compromise of an administrator account.
- Having no password policy, or not enforcing it, particularly with regard to password expiry, using the same password for multiple accounts, and sharing credentials among employees.
- Using the password assigned for work, or for protecting critical information, in accounts on third-party websites. Some third-party sites are targeted and breached, exposing those credentials.
- Lack of awareness of Business Email Compromise (BEC) techniques, such as the phishing attacks described above, through which a user's or IT staff member's email account can be targeted.
- Ignoring browser warnings: modern browsers (Google Chrome, for example) warn when a password is about to be entered on an unencrypted (HTTP) page, yet many users do not notice the warning.
- Running vulnerable web servers that are connected to the internal network. Once a web server is compromised, the attacker may recover administrator passwords stored on it and move laterally to other servers.
- Lack of security monitoring, so that unusual login activity or phishing activity in the organization goes unnoticed until a user or administrator password or account has been compromised.
- Failing to check whether the account's password has already been leaked in a third-party breach.
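The monitoring gap above is the easiest one to close. The following is an added example (not from the original article) of the kind of detection logic a SOC would run over authentication logs: it separates a brute-force pattern (many failures against one account) from a credential-stuffing pattern (one source trying many different accounts, typically once each) and flags a success that follows a run of failures from the same source. The log format, IP addresses and user names are constructed for the example; real logs will need their own parser and tuned thresholds.

```python
import re
from collections import defaultdict

# Constructed sample of authentication log lines (not real data). Format:
#   <timestamp> auth <failed|ok> user=<name> src=<ip>
SAMPLE_LOG = """
2024-05-01T10:00:01 auth failed user=admin src=198.51.100.7
2024-05-01T10:00:02 auth failed user=admin src=198.51.100.7
2024-05-01T10:00:03 auth failed user=admin src=198.51.100.7
2024-05-01T10:00:04 auth failed user=admin src=198.51.100.7
2024-05-01T10:00:05 auth failed user=admin src=198.51.100.7
2024-05-01T10:00:06 auth failed user=admin src=198.51.100.7
2024-05-01T10:01:00 auth failed user=alice src=203.0.113.9
2024-05-01T10:01:01 auth failed user=bob src=203.0.113.9
2024-05-01T10:01:02 auth failed user=carol src=203.0.113.9
2024-05-01T10:01:03 auth failed user=dave src=203.0.113.9
2024-05-01T10:01:04 auth failed user=erin src=203.0.113.9
2024-05-01T10:01:05 auth ok user=erin src=203.0.113.9
2024-05-01T10:02:00 auth failed user=frank src=192.0.2.4
2024-05-01T10:02:07 auth ok user=frank src=192.0.2.4
""".strip().splitlines()

LOG_RE = re.compile(
    r"^(?P<ts>\S+) auth (?P<result>failed|ok) user=(?P<user>\S+) src=(?P<src>\S+)$"
)


def parse_events(lines):
    """Yield one dict per well-formed log line; lines that do not match are skipped."""
    for line in lines:
        m = LOG_RE.match(line.strip())
        if m:
            yield m.groupdict()


def detect(lines, bruteforce_threshold=5, stuffing_distinct_users=5,
           min_failures_before_success=3):
    """Return three kinds of alerts:
    - brute_force: accounts with >= bruteforce_threshold failures (one account, many guesses)
    - credential_stuffing: sources that failed against >= stuffing_distinct_users distinct
      accounts (many accounts, usually one guess each, from one source)
    - success_after_failures: (src, user) pairs where a source logged in successfully
      after at least min_failures_before_success failures, i.e. a guess that worked
    """
    fails_by_user = defaultdict(int)
    fails_by_src = defaultdict(int)
    users_by_src = defaultdict(set)
    success_after_failures = []
    for ev in parse_events(lines):
        if ev["result"] == "failed":
            fails_by_user[ev["user"]] += 1
            fails_by_src[ev["src"]] += 1
            users_by_src[ev["src"]].add(ev["user"])
        elif fails_by_src[ev["src"]] >= min_failures_before_success:
            success_after_failures.append((ev["src"], ev["user"]))
    return {
        "brute_force": sorted(u for u, n in fails_by_user.items() if n >= bruteforce_threshold),
        "credential_stuffing": sorted(
            s for s, users in users_by_src.items() if len(users) >= stuffing_distinct_users
        ),
        "success_after_failures": success_after_failures,
    }


if __name__ == "__main__":
    for name, hits in detect(SAMPLE_LOG).items():
        print(f"{name}: {hits}")
```

On the sample, `admin` is flagged as brute-forced, 203.0.113.9 as a credential-stuffing source, and its successful login as `erin` as the one that needs immediate attention; frank's single typo followed by a successful login is left alone. The thresholds are the tuning knobs: a legitimate user who mistypes a few times should not trip them, and a slow, distributed attack can stay under them, which is why the success-after-failures check matters more than the raw counts.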

The following websites can help you determine whether your domain, email account or password has been exposed in a known breach:

- Have I Been Pwned - https://haveibeenpwned.com/
- F-Secure Identity Theft Checker - https://www.f-secure.com/en/home/free-tools/identity-theft-checker
- Avast Hack Check - https://www.avast.com/hackcheck

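Checking a password against a breach corpus does not require sending the password anywhere. As an added example (not from the original article), the following shows how the Have I Been Pwned "Pwned Passwords" range API is queried with k-anonymity: only the first five hex characters of the password's SHA-1 leave the machine, and the comparison against the returned suffixes happens locally. The endpoint URL and response format are the real ones; the response body below is constructed so the example runs offline, and its counts are made up.

```python
import hashlib

# Real endpoint of the Have I Been Pwned "Pwned Passwords" range API (no API key needed).
HIBP_RANGE_URL = "https://api.pwnedpasswords.com/range/"


def hibp_prefix_suffix(password: str):
    """Split the upper-case hex SHA-1 of the password into the 5-character prefix
    that is sent to the API and the 35-character suffix that never leaves the client."""
    digest = hashlib.sha1(password.encode("utf-8")).hexdigest().upper()
    return digest[:5], digest[5:]


def range_request_url(password: str) -> str:
    """Only the prefix is part of the request; the service sees neither the password
    nor its full hash, and cannot tell which of the returned hashes you wanted."""
    prefix, _ = hibp_prefix_suffix(password)
    return HIBP_RANGE_URL + prefix


def parse_range_response(body: str) -> dict:
    """The API answers with one 'SUFFIX:COUNT' line per known hash sharing the prefix."""
    counts = {}
    for line in body.splitlines():
        line = line.strip()
        if not line:
            continue
        suffix, count = line.split(":", 1)
        counts[suffix.upper()] = int(count)
    return counts


def breach_count(password: str, response_body: str) -> int:
    """How many times the password appeared in known breaches (0 = not found),
    given the response body fetched for that password's own prefix."""
    _, suffix = hibp_prefix_suffix(password)
    return parse_range_response(response_body).get(suffix, 0)


# Constructed stand-in for the API response for prefix 5BAA6 (the prefix of
# SHA-1("password")). The neighbouring suffixes and all counts are made up.
CONSTRUCTED_RESPONSE_5BAA6 = """
003D68EB55068C33ACE09247EE4C639306B:3
1E4C9B93F3F0682250B6CF8331B7EE68FD8:3730471
1E8E7BDC4EA6B0D6B08F39B1BE4B0FD7FFE:1
""".strip()


if __name__ == "__main__":
    for candidate in ("password", "correct horse battery staple"):
        print(range_request_url(candidate), "->",
              breach_count(candidate, CONSTRUCTED_RESPONSE_5BAA6), "hits")
```

In production the body is fetched with an ordinary HTTPS GET of `range_request_url(password)`; the same prefix/suffix split is what lets you reject a new password at set time, or audit existing ones, without ever disclosing the password to the service.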
What should you do if your business/work password is compromised?

- Change all passwords linked to the breached account, and any other account where the same password was used.
- Notify the responsible IT personnel about your suspicion or the breach, and follow your IT password policy and best practices to prevent further compromise and to notify the relevant parties.
- Set up new accounts where needed, update policies and apply best practices: hardened configuration, MFA, and awareness programs run internally or by external providers, with a yearly plan of exercises.
- As an administrator, make it a habit to examine your machines and servers for malware, web shells or any suspicious files that were not added by you or your team.
- Always include a scanning step in the process and keep visibility of the network. Because scanning for security involves several technical levels, use a centrally managed antivirus server for any environment larger than about ten PCs.
- Install antivirus / endpoint detection solutions on the compromised machines and on all other machines to have visibility of their health. Make sure the solution receives its updates regularly and that you have a good line of communication with the vendor's support.
- Keep visibility of your network and server farm by deploying solutions that can protect you from unpatched or zero-day vulnerabilities.