Glossary Term

Credential Theft

Credential theft is a cybercrime involving the unlawful attainment of an organizations’ or individual’s password(s) with the intent to access and abuse/exfiltrate critical data and information. Often an early stage of a cyber-based attack, credential theft enables attackers to operate undetected throughout a network, reset passwords and wreak havoc within an organization.

Understanding Credential Theft Techniques

Overall, cybercriminals have become extremely sophisticated and specific when targeting organizations and their users. They often work to identify the users and their device(s) that will provide access to an influx of sensitive and highly confidential data, such as financials. Credential-based attacks open the door for more repeatable attacks, as they allow threat actors to take on the personality of an individual that is authorized to access targeted data, making every attack an insider threat.


Due to the lack of adoption of multi-factor authentication and poor password best practices, the number of credential thefts by way of phishing has grown exponentially. Phishing attacks are often carried out when a cybercriminal poses as part of the users’ social or professional networks – either as an individual or entity, such as a bank – and directs targets to enter personal information at a fraudulent website that matches the looks of the legitimate site. Additionally, attackers oftentimes use phishing attacks to plant malware on systems and gain full unauthorized access to sensitive data.

Types of phishing include spear phishing, whaling and clone phishing.

  • Spear phishing involves the targeting of specific organizations or individuals to steal sensitive information such as account credentials. In this type of attack, hackers disguise themselves as trustworthy identities and typically access sensitive information via email-spoofing or by infiltrating other online messaging systems.
  • Whaling is a type of spear phishing attack aimed at C-suite executives within an organization and often impersonate customer complaints or personal issues.
  • Clone phishing is carried out by stealing a previously delivered email containing an attachment and/or link and then using it to create a similar or “cloned” email with the intent of gaining access to privileged credentials. Within these, the attachments/links are replaced with malicious versions and the email address is slightly altered to deceive the recipient.


Malware attacks are one of the most well-known credential theft techniques. Designed to disrupt and gain unauthorized access to an organization’s network, malware is comprised of malicious programs including spyware, computer viruses, Trojan horses or worms. All of which are designed to perform a variety of unauthorized functions—including stealing credentials through techniques like keystroke monitoring.

Brute Force Attacks

When a cybercriminal launches a brute force attack to carry out credential theft, they are utilizing a trial and error method to identify valid login credentials via application programs. While simple to explain, brute force attacks are inherently difficult to protect against because automated software is being used to repetitively guess combinations of usernames and passwords until it is successful. Servers that lack failed attempt monitoring are more susceptible to this type of credential theft, as automated attacks can try thousands of guesses each second.

Weak and Default Credentials

This technique specifically looks for the usage of default credentials for applications, servers and devices like IoT systems. This is especially true for Internet-facing systems. In fact, multiple tools can scan the Internet to find systems like these. A variation of this technique involves systems that specifically use weak or insecure authentication protocols, for instance, HTTP Basic authentication and transmitting credentials in clear text over the wire.

Credential Stuffing

One of the most common credential theft techniques is credential stuffing. A sub-vector of brute force attacks, credential stuffing is an automated attack using bots to test millions of stolen username and password combinations on a targeted website or application. The security industry is seeing an overwhelming increase in credential stuffing attacks because many users have had their login information stolen due to breaches over the years. Attackers count on the reuse of these credentials across multiple applications and websites, and they tend to yield significant profits for attackers.

Application Vulnerabilities

Application vulnerabilities are system flaws that can be exploited, compromising a system’s security. These vulnerabilities open the door to attackers and once determined how to access it, cybercriminals can carry out a credential theft attack by exploiting these vulnerabilities.

Detecting Credential Theft

Identifying credential theft attacks early and mitigating them in seconds is critical when working to protect sensitive data. One approach is to monitor activity and identify use of credentials that violate heuristics e.g. geo-infeasible logins—logins from geographically disparate locations in a relatively short period of time; multiple logins in a short duration of time across the network that clearly appear to be programmatic rather than human initiated; identifying domain and typosquatting attacks that may attempt to look like a corporate application or email system; looking for the use of weak and outdated authentication protocols.

Detecting these kinds of patterns is unfortunately often a manual effort without the right security tools. As a result, it is error prone and time consuming. Further, many tools that simply apply a basic anomaly detection approach to the problem flood the system with false positives thereby adding even more operational overhead for the security team. Advanced network traffic analysis tools that use an ensemble of machine learning approaches are now available that overcome many of these shortcomings and can autonomously hunt for credential theft.

Also See


If you liked what you just read, subscribe to hear about our threat research and security analysis.