Leaked credential dumps make the news every month, and each leak seems larger than the last. Identifying leaked credentials in time and acting swiftly to limit their impact are among the main tasks of security and intelligence teams.
Leveraging its in-house technology, Cyberint detected that thousands of the retailer’s customer credentials had appeared on a darknet file-sharing repository. The same data was shared on several dark web forums and acknowledged by several of their members. Cyberint obtained the list of credentials and provided it to the retailer, who confirmed that the credentials were valid, promptly reset the affected accounts and verified that they had not been misused.
Cyberint compared user samples from the list against past data breaches. Based on Cyberint’s knowledge of the Tactics, Techniques and Procedures (TTPs) of threat actors targeting the retail sector, the analysts assessed that the credentials had been obtained through a credential stuffing attack (automated tools testing “combo-lists” of previously breached credentials against the retailer’s login) rather than through a direct file or database leak. Further investigation, leveraging Cyberint’s virtual HUMINT capabilities, obtained confirmation from the threat actor that the credentials had indeed been “harvested” through credential stuffing.
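The comparison described above, in which a leaked sample is checked against earlier breaches to decide whether the credentials came from credential stuffing or from a fresh leak, can be reproduced in a small script. The following is an added example, not Cyberint’s tooling; the leaked sample, the prior-breach records, the breach names and the 60% threshold are all constructed for illustration. Credentials are hashed before indexing so that raw secrets never sit in the lookup tables, and the script distinguishes an exact email+password match in an earlier breach (the signature of a reused combo-list entry) from an email-only match and from pairs never seen before.

```python
import hashlib
from collections import Counter

# Constructed sample of credential pairs found in the leak (hypothetical values).
LEAK_SAMPLE = [
    ("Alice@Example.test", "Summer2019!"),
    ("bob@example.test", "hunter2"),
    ("carol@example.test", "P@ssw0rd"),
    ("dave@example.test", "correct-horse"),
    ("erin@example.test", "qwerty123"),
]

# Constructed records from earlier public breaches: (email, password, breach name).
PRIOR_BREACH_RECORDS = [
    ("alice@example.test", "Summer2019!", "breach-A-2019"),
    ("bob@example.test", "hunter2", "breach-B-2017"),
    ("carol@example.test", "OldPassword1", "breach-A-2019"),
    ("erin@example.test", "qwerty123", "breach-B-2017"),
]


def fingerprint(email, password):
    """Hash a normalised email:password pair so raw secrets are not stored."""
    normalised = f"{email.strip().lower()}:{password}"
    return hashlib.sha256(normalised.encode("utf-8")).hexdigest()


def email_fingerprint(email):
    """Hash the normalised email alone, for email-only matches."""
    return hashlib.sha256(email.strip().lower().encode("utf-8")).hexdigest()


def build_index(records):
    """Turn prior breach records into two lookup tables keyed by hash."""
    pair_index = {}    # credential-pair hash -> breach name
    email_index = {}   # email hash -> set of breach names
    for email, password, source in records:
        pair_index[fingerprint(email, password)] = source
        email_index.setdefault(email_fingerprint(email), set()).add(source)
    return pair_index, email_index


def overlap_report(leak, pair_index, email_index):
    """Count how many leaked pairs were already present in earlier breaches."""
    report = {"total": len(leak), "exact": 0, "email_only": 0, "unseen": 0,
              "sources": Counter()}
    for email, password in leak:
        pair_hash = fingerprint(email, password)
        if pair_hash in pair_index:
            # Same email and password seen in an earlier breach: a reused
            # combo-list entry that happened to be valid at the retailer.
            report["exact"] += 1
            report["sources"][pair_index[pair_hash]] += 1
        elif email_fingerprint(email) in email_index:
            # Known victim, but this password was not in the earlier breach.
            report["email_only"] += 1
        else:
            report["unseen"] += 1
    report["exact_ratio"] = report["exact"] / report["total"] if leak else 0.0
    return report


def classify(report, threshold=0.6):
    """Constructed heuristic: a high share of exact matches points to stuffing."""
    if report["exact_ratio"] >= threshold:
        return "likely credential stuffing"
    return "possible direct leak"


if __name__ == "__main__":
    pairs, emails = build_index(PRIOR_BREACH_RECORDS)
    result = overlap_report(LEAK_SAMPLE, pairs, emails)
    print(result, classify(result))
```

On the constructed data, three of the five leaked pairs match earlier breaches exactly, one email is known with a different password and one pair is new, so the sample is classified as likely credential stuffing. In practice the threshold and the breach corpus are the analyst’s judgement calls; the script only makes the overlap measurable and keeps the comparison off raw passwords.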
Cyberint discovered who posted the credentials on the dark web, who stood behind the leak and how the credentials were obtained. Drawing on its domain expertise, Cyberint helped improve the retailer’s defenses, reducing its exposure to future credential stuffing attacks and, consequently, to legal and regulatory risk.