Tag

Credential Theft

Posts exploring how attackers steal usernames, passwords, and authentication tokens through phishing, keylogging, brute force attacks, and credential stuffing. Includes actionable guidance on multi-factor authentication, password managers, and monitoring for compromised credentials.


Strong Passwords

How to Create a Strong Password That Actually Stops Hackers

In 2023, a single reused password gave threat actors access to 23andMe in a credential-stuffing attack, exposing the genetic data of nearly 7 million users. The attackers didn't exploit some exotic zero-day vulnerability. They just tried stolen username-password pairs from other breaches — and millions of them worked. If

Carl B. Johnson Nov 26, 2019 6 min read
Password Manager

Why Use a Password Manager: The Case Is Settled

The 24 Billion Stolen Passwords Sitting on the Dark Web

Researchers at Digital Shadows found over 24 billion username-and-password combinations circulating on dark web marketplaces. That number keeps climbing. If you're still asking why use a password manager, the stolen credential economy already answered for you — your reused

Carl B. Johnson Nov 02, 2019 6 min read
Password Hygiene Tips

Password Hygiene Tips That Actually Stop Breaches

The 80% Problem Nobody Wants to Talk About

The 2024 Verizon Data Breach Investigations Report found that stolen credentials were involved in roughly 31% of all breaches over the past decade — and that human-element breaches, including credential theft and phishing, accounted for nearly 68% of incidents in their latest dataset.

Carl B. Johnson Nov 02, 2019 6 min read
Insider Threat Examples

Insider Threat Examples: Real Breaches That Cost Millions

The Threat Already Inside Your Building

In 2022, a former employee at Cash App's parent company, Block, downloaded reports containing the personal information of 8.2 million customers — months after leaving the company. Block disclosed the breach in an SEC filing, and lawsuits followed. The attacker didn'

Carl B. Johnson Oct 01, 2019 7 min read
Insider Threats

How to Prevent Insider Threats Before They Cost Millions

In 2022, a former employee at Cash App's parent company, Block Inc., downloaded reports containing the personal information of over 8 million customers — months after they'd left the company. The access was never revoked. No alarm was triggered. The breach wasn't discovered until the

Carl B. Johnson Oct 01, 2019 7 min read
Insider Threats

Malicious Insider vs Negligent Insider: Real Threat Guide

One Employee Stole Data for Profit. The Other Just Clicked the Wrong Link.

In 2022, a former employee of a major healthcare organization was sentenced to federal prison for stealing patient records and selling them. That same year, the Verizon Data Breach Investigations Report found that 82% of breaches involved

Carl B. Johnson Oct 01, 2019 7 min read
Work From Home Cybersecurity

Work From Home Cybersecurity: A Real-World Guide

In early 2024, a finance employee at a multinational firm in Hong Kong joined a video call with what appeared to be the company's CFO and several colleagues. Every person on the call was a deepfake. The employee transferred $25.6 million to threat actors before anyone realized

Carl B. Johnson Sep 28, 2019 7 min read
Remote Desktop Security Risks

Remote Desktop Security Risks: What Attackers See

In 2023, the FBI's Internet Crime Complaint Center flagged Remote Desktop Protocol (RDP) as one of the top three initial access vectors for ransomware incidents. That wasn't a surprise to anyone who monitors Shodan — the search engine that indexes internet-facing devices. On any given day, you

Carl B. Johnson Sep 20, 2019 6 min read
Cloud Security Best Practices

Cloud Security Best Practices That Stop Real Breaches

A Single Misconfigured S3 Bucket Exposed 3 Billion Records

In 2023, researchers at Cybernews discovered what they called one of the largest data exposures ever — over 3 billion records sitting in an open cloud storage instance. No sophisticated hack. No zero-day exploit. Just a misconfigured Amazon S3 bucket with public

Carl B. Johnson Sep 10, 2019 8 min read