{“lastseen”:”2025-08-08T11:07:37″,”description”:”\\n\\nWhen an organization’s credentials are leaked, the immediate consequences are rarely visible\u2014but the long-term impact is far-reaching. Far from the cloak-and-dagger tactics seen in fiction, many real-world cyber breaches begin with something deceptively simple: a username and password.\\n\\nAccording to Verizon’s 2025 Data Breach Investigations Report, leaked credentials accounted for 22% of breaches in 2024, outpacing phishing and even software exploitation. That’s nearly a quarter of all incidents, initiated not through zero-days or advanced persistent threats, but by logging in through the front door.\\n\\nThis quiet and persistent threat has been growing. New data compiled by Cyberint\u2014an external risk management and threat intelligence company recently acquired by Check Point\u2014shows a 160% increase in leaked credentials in 2025 compared to the previous year. The report, titled _The Rise of Leaked Credentials_ , provides a look into not just the volume of these leaks, but how they are exploited and what organizations can do to get ahead of them. It’s worth reading in full for those responsible for risk reduction.\\n\\nRead the Report: _The Rise of Leaked Credentials_\\n\\n## A Surge Fueled by Automation and Accessibility\\n\\nThe rise in leaked credentials is not just about volume. It’s also about speed and accessibility. In one month alone, Cyberint identified more than 14,000 corporate credential exposures tied to organizations whose password policies were still intact\u2014implying active use and real threat potential.\\n\\nAutomation has made credential theft easier. Infostealer malware, often sold as a service, allows even low-skilled attackers to harvest login data from browsers and memory. AI-generated phishing campaigns can mimic tone, language, and branding with uncanny accuracy. Once credentials are gathered, they are either sold on underground marketplaces or offered in bundles on Telegram channels and illicit forums.\\n\\nAs outlined in the ebook, the average time it takes to remediate credentials leaked through GitHub repositories is 94 days. That’s a three-month window where an attacker could exploit access, undetected.\\n\\n## How Credentials Are Used as Currency\\n\\nLeaked credentials are currency for attackers\u2014and their value goes beyond the initial login. Once obtained, these credentials become a vector for a range of malicious activity:\\n\\n * **Account Takeover (ATO):** Attackers log into a user’s account to send phishing emails from a legitimate source, tamper with data, or launch financial scams.\\n * **Credential Stuffing:** If a user reuses passwords across services, the breach of one account can lead to others falling in a chain reaction.\\n * **Spam Distribution and Bot Networks:** Email and social accounts serve as launchpads for disinformation, spam campaigns, or promotional abuse.\\n * **Blackmail and Extortion:** Some actors contact victims, threatening to expose credentials unless payment is made. While passwords can be changed, victims often panic if the extent of the breach isn’t clear.\\n\\n\\n\\nThe downstream effects aren’t always obvious. A compromised personal Gmail account, for example, may give attackers access to recovery emails for corporate services, or uncover shared links with sensitive attachments.\\n\\n\\n\\n## Seeing What Others Miss\\n\\nCyberint, now part of Check Point, uses automated collection systems and AI agents to monitor a wide range of sources across the open, deep, and dark web. These systems are designed to detect leaked credentials at scale, correlating details like domain patterns, password reuse, and organizational metadata to identify likely exposure\u2014even when credentials are posted anonymously or bundled with others. Alerts are enriched with context that supports rapid triage, and integrations with SIEM and SOAR platforms enable immediate action, such as revoking credentials or enforcing password resets.\\n\\nThen, Cyberint’s analysts step in. These teams conduct targeted investigations in closed forums, assess the credibility of threat actor claims, and piece together identity and attribution signals. By combining machine-driven coverage with direct access to underground communities, Cyberint provides both scale and precision\u2014allowing teams to act before leaked credentials are actively used.\\n\\nCredential leaks don’t only occur on monitored workstations. According to Cyberint data, 46% of the devices tied to corporate credential leaks were not protected by endpoint monitoring. These include personal laptops or unmanaged devices where employees access business applications, which can serve as blind spots for many teams.\\n\\nCyberint’s threat detection stack integrates with SIEM and SOAR tools, allowing automated responses like revoking access or forcing password resets the moment a breach is identified. This closes the gap between detection and action\u2014a crucial factor when every hour counts.\\n\\nThe full report dives deeper into how these processes work, and how organizations can operationalize this intelligence across teams. You can read the full report here for details.\\n\\n## Exposure Detection Is Now a Competitive Advantage\\n\\nEven with secure password policies, MFA, and modern email filtering, credential theft remains a statistical likelihood. What differentiates organizations is how fast they detect exposure and how tightly their remediation workflows are aligned.\\n\\nTwo playbooks featured in the ebook show how teams can respond effectively, both for employee and third-party vendor credentials. Each outlines procedures for detection, source validation, access revocation, stakeholder communication, and post-incident review.\\n\\nBut the key takeaway is this: proactive discovery matters more than reactive forensics. Waiting for threat actors to make the first move extends dwell time and increases the scope of damage.\\n\\nThe ability to identify credentials shortly after they appear in underground forums\u2014before they’ve been packaged up or weaponized in automated campaigns\u2014is what separates successful defense from reactive cleanup.\\n\\nIf you’re wondering whether your organization has exposed credentials floating in the deep or dark web, you don’t need to guess. You can check.\\n\\nCheck the Open, Deep and Dark Web for Your Organization’s Credentials Now\\n\\n## Mitigation Isn’t Just About Prevention\\n\\nNo single control can fully eliminate the risk of credential exposure, but multiple layers can reduce the impact:\\n\\n * **Strong Password Policy:** Enforce regular password changes and prohibit reuse across platforms.\\n * **SSO and MFA:** Add barriers beyond the password. Even basic MFA makes credential stuffing far less effective.\\n * **Rate Limiting:** Set thresholds for login attempts to disrupt brute-force and credential spraying tactics.\\n * **PoLP:** Limit user access to only what’s needed, so compromised accounts don’t provide broader entry.\\n * **Phishing Awareness Training:** Educate users about social engineering techniques to reduce initial leaks.\\n * **Monitoring Exposure:** Implement detection across forums, marketplaces, and paste sites to flag mentions of corporate credentials.\\n\\n\\n\\nEach of these controls is helpful, but even together, they aren’t enough if exposure goes unnoticed for weeks or months. That’s where detection intelligence from Cyberint comes in.\\n\\nYou can learn more methods by reading the full report.\\n\\n## Before the Next Password is Stolen\\n\\nIt’s not a matter of if an account associated with your domain will be exposed\u2014it’s already happened. The real question is: has it been found?\\n\\nThousands of credentials tied to active accounts are currently being passed around marketplaces, forums, and Telegram chats. Many belong to users who still have access to corporate resources. Some are bundled with metadata like device type, session cookies, or even VPN credentials. Once shared, this information spreads fast and becomes impossible to retract.\\n\\nIdentifying exposures before they’re used is one of the few meaningful advantages defenders have. And it starts with knowing where to look.\\n\\nThreat intelligence plays a central role in detection and response, especially when it comes to exposed credentials. Given their widespread circulation across criminal networks, credentials require focused monitoring and clear processes for mitigation.\\n\\nCheck if your company’s credentials are exposed across the open, deep, and dark web. The earlier they’re found, the fewer incidents there will be to respond to later.\\n\\n\\n\\nFound this article interesting? This article is a contributed piece from one of our valued partners. Follow us on Google News, Twitter and LinkedIn to read more exclusive content we post.\\n”,”published”:”2025-08-08T11:00:00″,”modified”:”2025-08-08T11:00:00″,”type”:”thn”,”title”:”Leaked Credentials Up 160%: What Attackers Are Doing With Them”,”source”:””,”references”:””,”id”:”THN:03897EB8E9E057EF190B0D14A10C3F80″,”bulletinFamily”:”info”,”cwe”:null,”cvelist”:[],”sourceData”:””,”sourceHref”:””,”cvss”:{“score”:0,”severity”:”NONE”,”vector”:”NONE”,”version”:”NONE”},”cvss2″:{},”cvss3″:{“version”:””,”vectorString”:””,”baseScore”:0,”baseSeverity”:””,”attackVector”:””,”attackComplexity”:””,”privilegesRequired”:””,”userInteraction”:””,”scope”:””,”confidentialityImpact”:””,”integrityImpact”:””,”availabilityImpact”:””,”cvssV3″:{“version”:””,”vectorString”:””,”baseScore”:0,”baseSeverity”:””,”attackVector”:””,”attackComplexity”:””,”privilegesRequired”:””,”userInteraction”:””,”scope”:””,”confidentialityImpact”:””,”integrityImpact”:””,”availabilityImpact”:””}},”href”:”https:\/\/thehackernews.com\/2025\/08\/leaked-credentials-up-160-what.html”,”category_name”:”News”,”post_link”:””,”product”:””,”version”:””,”vendor”:””,”ai_description”:””,”ai_severity”:””,”ai_vendor”:””,”ai_product”:””,”ai_version”:””,”ai_score”:0}<\/p>\n","protected":false},"excerpt":{"rendered":"
{“lastseen”:”2025-08-08T11:07:37″,”description”:”\\n\\nWhen an organization’s credentials are leaked, the immediate consequences are rarely visible\u2014but the long-term impact is far-reaching. Far from the cloak-and-dagger tactics seen in fiction,…<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[4],"tags":[6,8,12,13,33,7,11,43,5],"class_list":["post-10134","post","type-post","status-publish","format-standard","hentry","category-category_news","tag-cve","tag-cvss","tag-exploit","tag-news","tag-none","tag-security","tag-tapic","tag-thn","tag-vulnerability"],"yoast_head":"\n