Explores strategies and best practices for preventing data breaches in organizations of all sizes. Covers topics like access controls, encryption, network monitoring, incident response planning, and employee awareness to help reduce the risk of unauthorized data exposure.
posts
Your Employees' Passwords Are Already for Sale In March 2024, a single dark web marketplace listed over 10 billion stolen credentials. That's not a typo. The Verizon 2024 Data Breach Investigations Report found that stolen credentials were involved in roughly 31% of all breaches over the past
In May 2024, the FBI and international partners seized BreachForums — one of the largest marketplaces where stolen credentials on the dark web were bought and sold in bulk. The forum had facilitated the sale of billions of compromised records, including credentials tied to U.S. government agencies, healthcare organizations, and
In January 2024, Roku disclosed that a credential stuffing attack compromised roughly 591,000 user accounts across two separate incidents. Attackers didn't hack Roku's servers. They simply took username-and-password pairs leaked from other breaches and tried them at scale. It worked because hundreds of thousands of
In January 2024, a threat actor used credential stuffing to compromise a test environment at Microsoft — and then pivoted to access senior leadership email accounts for weeks before detection. Microsoft. One of the most well-resourced security organizations on the planet. If it can happen there, it can happen to your
The Breach That Started With a Single Stolen Identity In 2023, a midsize accounting firm in the Midwest lost access to its entire client database — not because of a sophisticated zero-day exploit, but because a threat actor used a partner's stolen credentials purchased on the dark web. The
When the Colonial Pipeline ransomware attack shut down fuel distribution across the U.S. East Coast in 2021, news anchors stumbled over terms like "ransomware," "threat actor," and "zero trust." Millions of people realized they didn't have the vocabulary to understand the
When the Colonial Pipeline attack shut down fuel distribution across the Eastern United States in 2021, news anchors stumbled over words like "ransomware," "threat actor," and "zero trust." Millions of people realized they didn't speak the language of cybersecurity — and that ignorance
In 2023, a seemingly harmless browser extension called "PDF Toolbox" was downloaded over two million times from the Chrome Web Store before researchers at Palant discovered it was quietly injecting tracking code and redirecting ad revenue — a textbook adware operation that crossed hard into spyware territory. That single
In 2023, a single keylogger embedded in a phishing email gave threat actors access to credentials at over 2,000 organizations worldwide as part of the Snake Keylogger campaign. The malware silently recorded every keystroke — passwords, credit card numbers, internal messages — and exfiltrated the data before anyone noticed. A keylogger
In 2015, a Belgian company called Crelan Bank lost over €70 million to a sophisticated fraud scheme that began with attackers intercepting email communications between executives. The threat actors positioned themselves between two parties, manipulated invoices, and redirected payments — all without either side realizing the conversation had been compromised. That&
