Posts exploring how attackers steal usernames, passwords, and authentication tokens through phishing, keylogging, brute force attacks, and credential stuffing. Includes actionable guidance on multi-factor authentication, password managers, and monitoring for compromised credentials.
posts
In April 2024, a credentials dump containing over 26 billion records — dubbed the "Mother of All Breaches" — surfaced on dark web forums. LinkedIn, Twitter, Dropbox, Adobe, and hundreds of other platforms were represented. Within weeks, threat actors were using those credentials in automated stuffing attacks against small and
Your Employees' Passwords Are Probably Already There In 2023, the FBI's Internet Crime Complaint Center received over 880,000 complaints with potential losses exceeding $12.5 billion — and a significant share of that activity traces back to credentials and data traded on dark web marketplaces. If you&
In January 2024, a massive dataset known as the "Mother of All Breaches" surfaced containing 26 billion records — credentials scraped, aggregated, and repackaged from hundreds of previous data breaches. Usernames. Passwords. Email addresses. All of it sitting on dark web forums, available to anyone willing to pay. If
A Single Password Got Them Into the Colonial Pipeline In May 2021, a single compromised password on an inactive VPN account gave the DarkSide ransomware group access to Colonial Pipeline's network. There was no multi-factor authentication on that account. The attackers didn't need a sophisticated zero-day
A Single Stolen Password Cost One Company $60 Million In 2023, MGM Resorts lost an estimated $100 million after a threat actor used social engineering to take over an employee's account through a help desk call. The attackers didn't hack a firewall. They didn't
A Single Stolen W-2 Cost This Company $1.6 Million In 2023, a mid-size manufacturing firm in Ohio lost control of every employee's W-2 data after one payroll clerk fell for a CEO impersonation email. The threat actor filed fraudulent tax returns before anyone noticed. The cleanup — credit
In 2019, Microsoft published a study that changed how I talk to every client about security: enabling multi-factor authentication blocks 99.9% of automated account compromise attacks. That single stat should end every debate about whether two-factor authentication benefits are worth the minor inconvenience. Yet here we are in 2026,
The Fake Invoice That Cost a Hospital System $28 Million In 2024, Ascension Health — one of the largest healthcare systems in the United States — suffered a devastating ransomware attack that disrupted operations across 140 hospitals. The initial entry vector? A malicious file that an employee downloaded, believing it to be
In 2023, the FBI dismantled a cybercrime ring that used a commercial keylogger called Snake Keylogger to steal credentials from over 10,000 victims across 50 countries. The malware recorded every keystroke — banking passwords, email logins, private messages — and quietly exfiltrated the data to attacker-controlled servers. The victims had no
Your Employees Think They're on Your Bank's Website. They're Not. In April 2022, researchers at Avast documented a campaign where threat actors compromised home routers to execute a DNS spoofing attack that redirected users trying to visit legitimate banking sites to near-perfect credential theft
