
Four Ways to Prevent Credential Theft and Credential-Based Attacks

Organizations should understand how credential theft occurs, how it leads to credential-based attacks, and how to prevent credential theft.

When it comes to cybercrime, there are few threat actor tactics as useful and widespread as credential theft, and the subsequent use of stolen credentials, to maliciously gain access to an IT environment.

As hybrid work models and the widespread use of web-based applications further the digitalization of corporate environments, user credentials have proliferated. In turn, credential theft has risen as a low-tech way for threat actors to gain easy access to target environments. In 2024, Okta, a leader in identity security, stated that the number of web-based applications utilized per one of their customers “has topped” 100, experiencing a 9% year-over-year growth. That’s over 100 sets of credentials per organization that need to be secured.

For example, in June of this year, a major outdoor retailer notified thousands of customers that their personal information had been compromised. A threat actor used stolen credentials to commit a type of brute-force attack known as credential stuffing on the company’s website to exfiltrate user data.

This kind of attack is becoming more commonplace. Research has found that 25% of malware recorded in 2024 targeted users’ credentials, and Okta has continually seen a jump in credential stuffing attacks targeting its own identity and access management (IAM) systems.

So, it’s critical for organizations to understand how credential theft occurs, how it leads to credential-based attacks, and what steps can be taken to better protect identities and access within their IT environments.

What is Credential Theft?

Credential theft is the stealing of passwords, usernames, or other data that allows access to networks, applications, assets, or accounts within an organization’s IT environment. Also called credential harvesting or credential compromise, credential theft is used by threat actors looking to launch a cyber attack, move deeper into a system once an attack has begun, complete a financially motivated attack such as business email compromise (BEC), or simply to sell or release the credentials on the dark web.

Credential theft has become popular for several reasons:

  • It is the path of least resistance; an attacker can use a stolen credential to quickly and easily gain access to a target environment simply by logging in as an authorized user would
  • It allows threat actors to conduct future credential-based attacks on organizations and individuals
  • It provides initial access brokers (IABs) – individuals or groups that specialize in acquiring, selling, and trading stolen credentials and other malicious access techniques – with the assets they need to earn revenue and facilitate additional cybercrimes
  • Stolen credentials, depending on the type, can grant easy access to any IT estate region or asset, including networks, endpoints, cloud assets, applications, and data
  • Tried-and-true tactics, such as the use of infostealers or social engineering, make credential theft an easy task for cybercriminals

To put this popularity into context, Arctic Wolf found that compromised credentials resulted in 18.9% of BEC attacks investigated by Arctic Wolf® Incident Response in 2024, and unsecured remote desktop protocol (RDP) and compromised virtual private network (VPN) credentials were the leading root point of compromise for ransomware in 2024.

Increasingly, attackers are letting themselves into enterprise environments through the use of compromised credentials.

How Does Credential Theft Occur?

Credential theft happens in a number of ways, and many of them incorporate social engineering tactics. A threat actor could use a phishing technique on an employee within an organization — posing, say, as a member of the IT team who needs credentials for a supposed software update. The employee then willingly hands over the credentials, none the wiser that credential theft has just occurred.

Other ways credential theft occurs include:

1. A third-party application that contains valuable credentials being breached by threat actors

2. A brute-force attack, where a threat actor uses trial and error to obtain a correct login

3. A credential stuffing attack, where stolen passwords from one site are tried against another target, on the assumption that some users reuse passwords; this was the case with the major outdoor retailer mentioned above

4. Man-in-the-middle attacks, where threat actors intercept credentials as they are entered into an application

5. Exfiltration of data that contains credential information during a cyber attack on an organization

6. Exploitation of Active Directory, or of improper credential storage within it, where threat actors extract credentials from this digital directory and key piece of identity infrastructure

7. A keylogging attack, where malware records keystrokes made on an endpoint, letting threat actors record credential entries

8. Infostealer malware, which is designed to breach an environment and exfiltrate data

No matter the method, once a threat actor has credentials, they are able to launch what is referred to as a credential-based attack.

Credential Theft vs. Credential-based Attacks

While both involve stolen credentials, credential theft and credential-based attacks are two different attack types. Credential theft, as the name implies, is the literal stealing of credentials. A credential-based attack is the subsequent cyber attack that is carried out with the stolen credentials. Credential-based attacks often happen early in an attack, primarily in the reconnaissance and exploitation phases, as threat actors work to gain initial access to an environment, understand the ins and outs of that environment, and/or move laterally to launch another kind of attack.

How Are Stolen Credentials Used in Cyber Attacks?

As mentioned above, stolen credentials are primarily used to launch credential-based attacks.

These kinds of attacks can include:

  • Credential stuffing: Using large lists of stolen credentials to attempt logins into various entry points within an IT environment
  • Pass-the-hash: Using hashed passwords to attempt to authenticate without knowing the plaintext
  • Replay attacks: Reusing captured credentials or tokens
  • Lateral movement: Using valid credentials to move within a compromised network, e.g. if the same authentication or credentials grant access to additional systems

While attacks can range from relatively simple to highly technical, threat actors often opt for the path of least resistance, which makes credential-based attacks such a popular option. It’s faster and easier to attempt a credential stuffing attack on an unsecured VPN than it is to use highly technical coding or uncover a zero-day vulnerability to exploit.

Additionally, many security solutions are designed to monitor and detect unauthorized access attempts or unusual user behavior. Yet unauthorized use of valid credentials remains difficult to detect consistently. It creates a digital disguise for threat actors, granting them the same access as an authorized user, often with little to no scrutiny. This is ideal for lateral movement or reconnaissance activities and often allows a threat actor to access an environment, launch a successful attack, and leave without ever being noticed.

How To Prevent Credential Theft

Preventing credential theft is more complex than just strengthening or not reusing passwords. For organizations with hundreds or thousands of users and a large number of applications, thwarting credential theft – and, when necessary, detecting it – can be an overwhelming task. There are many common scenarios that adversaries can exploit, such as when users access personal accounts on a company device or use a work email address as a credential for personal accounts.

However, the fact remains that protecting credentials is critical to preventing data breaches, so organizations need to take a series of both proactive and reactive steps to harden their environment and detect potential credential-based intrusions.

1. Employ access controls, including phishing-resistant multi-factor authentication
While not a silver bullet, multi-factor authentication (MFA) is a simple, effective access control that not only can prevent a threat actor from gaining access via stolen credentials but also can serve as a mechanism to alert security teams that unusual login behavior is occurring. Organizations may also consider other access controls in addition to MFA, including role-based access controls, geographic or time-based access controls, and implementing a zero trust strategy to restrict and verify user access.

2. Implement and enforce identity and access management (IAM) strategies
If your organization isn’t governing user access, enforcing controls on user access, and monitoring user access 24×7, it becomes significantly easier for threat actors to steal and utilize compromised credentials. By implementing and enforcing the tenets of IAM, which include both MFA and zero trust, your organization is building a secure framework for identities and credentials to exist in, which can help keep them out of threat actors’ hands.

In tandem with IAM, organizations may consider identity threat detection and response (ITDR), purpose-specific technology to detect and respond to malicious and anomalous use of credentials.

3. Conduct comprehensive employee security training
Because credential theft and social engineering tactics like phishing are so connected, making sure your employees are properly trained against these threats can help protect credentials and reduce human risk. Human risk inherently expands as organizations digitalize, and while users are top targets for credential harvesting, they can also be the first line of defense if security training is conducted regularly, with relevant, up-to-date content.

4. Utilize monitoring and detection solutions to help detect credential theft or credential-based attacks
Utilizing 24×7, real-time monitoring — like the kind offered by a managed detection and response (MDR) solution — can be the difference between halted suspicious activity and a major incident. Whether it’s the identification of data exfiltration, detecting abnormal logins to an application, or even the ability to be swiftly alerted to access to and changes in Active Directory, having a monitoring and detection solution in place that includes identity telemetry can help your organization prevent and respond to credential-related attacks, fast.
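As an added example (not from the original post or from Arctic Wolf), the Python script below shows the kind of identity-telemetry detection this section and the credential stuffing definition above describe: it parses constructed sample authentication log lines and flags a source that attempts logins against many distinct accounts with mostly failures, returning the accounts that nonetheless succeeded so they can be reset. The log format, the thresholds and the IP addresses are assumptions made for the example.

```python
import re
from collections import defaultdict

# Constructed sample authentication events (not real data): time, result, account, source IP.
SAMPLE_LOG = """\
2024-06-01T08:00:01Z LOGIN_FAIL user=alice src=203.0.113.5
2024-06-01T08:00:02Z LOGIN_FAIL user=bob src=203.0.113.5
2024-06-01T08:00:02Z LOGIN_FAIL user=carol src=203.0.113.5
2024-06-01T08:00:03Z LOGIN_FAIL user=dave src=203.0.113.5
2024-06-01T08:00:03Z LOGIN_OK user=erin src=203.0.113.5
2024-06-01T08:05:10Z LOGIN_FAIL user=frank src=198.51.100.7
2024-06-01T08:05:40Z LOGIN_OK user=frank src=198.51.100.7
"""

# Assumed log format; adapt the pattern to the real identity provider's export.
LINE_RE = re.compile(r"^(\S+) (LOGIN_OK|LOGIN_FAIL) user=(\S+) src=(\S+)$")

def parse(log_text):
    """Turn raw log lines into (timestamp, success, user, src) tuples; skip malformed lines."""
    events = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            ts, result, user, src = m.groups()
            events.append((ts, result == "LOGIN_OK", user, src))
    return events

def find_credential_stuffing(events, min_users=4, min_fail_ratio=0.6):
    """Flag source IPs that try many distinct accounts with mostly failures.
    A user mistyping a password touches one account; a stuffing run touches many.
    Returns {src: sorted accounts that succeeded from that src}, i.e. the accounts
    whose sessions should be revoked and passwords reset."""
    stats = defaultdict(lambda: {"users": set(), "fails": 0, "total": 0, "ok": set()})
    for _ts, ok, user, src in events:
        s = stats[src]
        s["users"].add(user)
        s["total"] += 1
        if ok:
            s["ok"].add(user)
        else:
            s["fails"] += 1
    flagged = {}
    for src, s in stats.items():
        if len(s["users"]) >= min_users and s["fails"] / s["total"] >= min_fail_ratio:
            flagged[src] = sorted(s["ok"])
    return flagged

if __name__ == "__main__":
    print(find_credential_stuffing(parse(SAMPLE_LOG)))  # {'203.0.113.5': ['erin']}
```

The single user at 198.51.100.7 who fails once and then logs in is not flagged, while the source that walks through five accounts is, together with the one account it got into.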
