Posts exploring how attackers steal usernames, passwords, and authentication tokens through phishing, keylogging, brute force attacks, and credential stuffing. Includes actionable guidance on multi-factor authentication, password managers, and monitoring for compromised credentials.
posts
A former employee at a financial services firm in Chicago watched his coworker type her password every morning for two weeks. He memorized it character by character. After he was terminated for performance issues, he used those stolen credentials to access the company's client database from a public
Your Employees' Passwords Are Already for Sale In March 2024, a single dark web marketplace listed over 10 billion stolen credentials. That's not a typo. The Verizon 2024 Data Breach Investigations Report found that stolen credentials were involved in roughly 31% of all breaches over the past
Your Stolen Password Is Probably Already There In 2024, a single dark web marketplace called BreachForums was seized by the FBI — and then resurrected by its users within two weeks. That tells you everything about the persistence of the underground economy. If you've ever wondered what is the
In May 2024, the FBI and international partners seized BreachForums — one of the largest marketplaces where stolen credentials on the dark web were bought and sold in bulk. The forum had facilitated the sale of billions of compromised records, including credentials tied to U.S. government agencies, healthcare organizations, and
In January 2024, Roku disclosed that a credential stuffing attack compromised roughly 591,000 user accounts across two separate incidents. Attackers didn't hack Roku's servers. They simply took username-and-password pairs leaked from other breaches and tried them at scale. It worked because hundreds of thousands of
A 22-Character Password Cracked in Under 4 Hours In 2023, a security researcher demonstrated that a 22-character password using only lowercase letters could be brute-forced in under four hours on consumer-grade GPU hardware. That wasn't a theoretical exercise — it was a wake-up call. Brute force attack prevention isn&
In January 2024, a threat actor used credential stuffing to compromise a test environment at Microsoft — and then pivoted to access senior leadership email accounts for weeks before detection. Microsoft. One of the most well-resourced security organizations on the planet. If it can happen there, it can happen to your
The Breach That Started With a Single Stolen Identity In 2023, a midsize accounting firm in the Midwest lost access to its entire client database — not because of a sophisticated zero-day exploit, but because a threat actor used a partner's stolen credentials purchased on the dark web. The
The Fake Invoice That Cost a Hospital $28 Million In 2024, Ascension Healthcare disclosed a ransomware attack that disrupted operations at 140 hospitals across 19 states. The initial entry point? An employee opened what appeared to be a routine file. It was trojan horse malware — a malicious payload disguised as
In 2023, a single keylogger embedded in a phishing email gave threat actors access to credentials at over 2,000 organizations worldwide as part of the Snake Keylogger campaign. The malware silently recorded every keystroke — passwords, credit card numbers, internal messages — and exfiltrated the data before anyone noticed. A keylogger
