How Exposed Credentials Fuel Cyberattacks

“If they got valid creds, they don’t need to go password spray and they’ll just walk through the front door (and into your network).”

-Global Head of Threat Intelligence at a leading MSSP

Stolen or leaked credentials are the keys a cybercriminal needs to unlock an organization’s networks. With just a valid username and password associated with a company employee, a threat actor can bypass firewalls and evade endpoint security systems easily.

Cybernews studied over 19 billion newly exposed passwords in 2024 and 2025 and found that 94% of them are reused or duplicated. Users who reuse the same passwords across business and personal accounts make themselves prime targets for brute-force and dictionary attacks: if the credentials used for a corporate account are compromised in a breach of a less secure third-party service, attackers can reuse them to log straight into the corporate system. As we discuss later on, the Snowflake data breach is a real-world illustration of the business consequences of employees reusing passwords across accounts. In that incident, the threat group UNC5537 used stolen customer credentials to gain and maintain extensive access to corporate accounts, showing how credentials compromised in less secure environments can be turned against critical business systems when users do not keep their passwords unique.

How do credentials fall into the wrong hands?

Legitimate login credentials are a valuable commodity that is bought and sold on the deep and dark web every day. 

Attackers gain access to stolen or compromised credentials by exploiting human error, security misconfigurations, and executing deliberate technical attacks. Key methods include:

1. Phishing campaigns

Phishing campaigns may include the following components:

Fake login pages

Embedded links direct victims to counterfeit login pages that mirror legitimate services, where attackers capture keystrokes in real time. Attackers make their fake login pages look like legitimate websites with copied branding and typosquatted domains to evade scrutiny. Some fake pages substitute a visually similar character for one character of the company’s name to convince the victim that the site belongs to the real company. Once submitted, the credentials are sent to the attacker’s server, giving them unauthorized access to the users’ accounts.

Exfiltration of credentials from compromised accounts

Once inside an email account, attackers escalate their operations by scraping stored passwords, auto-forwarding sensitive correspondence to external addresses, and deploying internal phishing lures disguised as routine communications. High-profile groups like APT28 (Fancy Bear) are experts at using the stolen data for ransomware, CEO fraud, or sale on the dark web while concealing their actions. Sophisticated attackers evade anomaly detection by timing their actions on the compromised account to blend with the user’s regular activity, mask their tracks by purging logs and sent folders, and hijack active sessions to bypass multi-factor authentication.

AI-powered tools

AI augments threat actors’ ability to discover vulnerabilities and zero-days faster. AI tools also make it easier for cybercriminals to conduct highly personalized social engineering attacks by mimicking victims’ writing styles, incorporating victims’ personal details to craft convincing messages, and producing deepfake voices for vishing scams. In vishing (voice phishing) scams, threat actors prey on victims’ sense of trust and urgency through phone calls and other voice communication. Advanced AI-powered vishing has become a method for bypassing multi-factor authentication (MFA).

A threat actor, armed with stolen credentials and an AI-generated voice clone, initiates a login. This action triggers the legitimate MFA prompt on the victim’s device, but the attacker is already on the phone, spinning a convincing tale. Through sophisticated social engineering, perhaps impersonating IT support or a bank representative, the threat actor manipulates the victim. The unsuspecting individual either reads the MFA code aloud or, even worse, approves a malicious push notification. This isn’t a technical flaw in MFA; it’s pure psychological persuasion, turning the user into an unwitting accomplice in their own credential compromise and granting the attacker effortless access.

2. Malware and infostealer deployment

Cybercriminals use malware to discreetly infiltrate company systems, similar to traditional burglars who use lockpicks. Sensitive data from business applications is extracted using keyloggers, information stealers (infostealers), and remote access trojans (RATs). Keyloggers stealthily capture every keystroke a user makes by integrating into the operating system’s input processing.

Technique | Purpose | Example target
Browser hooking | Steal credentials, cookies, form data | Chrome, Firefox
API hooking | Intercept keystrokes, hide processes | Windows APIs
Form grabbing | Capture web form submissions | Online banking sites
Keylogging | Record all keystrokes | System-wide
Clipboard hijacking | Steal copied sensitive data | Clipboard operations

Data targeted:
  • Usernames
  • Passwords
  • Browser credentials
  • Cookies
  • Autofill data
  • Crypto wallets
  • Local files
  • VPN configurations
  • RDP credentials
  • Application tokens

Common infection vectors:
  • Phishing / vishing
  • Drive-by downloads
  • Malvertising
  • Supply chain attacks

Many infostealers use evasion techniques such as polymorphic code to defeat signature-based antivirus, and anti-analysis checks to thwart sandboxing and reverse engineering. Their modular design lets them collect specific types of data, compress it, and exfiltrate the stolen information to command-and-control (C2) servers, frequently over encrypted channels that blend with legitimate network traffic to evade detection. As soon as credentials are harvested, attackers can bypass authentication entirely and move laterally through critical enterprise systems, often undetected. This access lays the groundwork for the next stages of a coordinated, multi-step intrusion.

3. Data breaches

Large scale data breaches expose huge amounts of user credentials that are sold on dark web marketplaces and illicit Telegram chats or groups.

The following list explains some common techniques attackers use to breach networks and exfiltrate data: 

  • Exploiting vulnerabilities: Attackers take advantage of a vulnerability in a corporate system to gain unauthorized access. Information about zero days and common vulnerabilities is openly discussed on the dark web. 
    • In May 2025, several Chinese-backed APT groups exploited a recently disclosed vulnerability in SAP NetWeaver (CVE-2025-31324) to breach at least 581 critical systems globally. Targets include infrastructure operators in the UK and US,
  • SQL injection: Attackers execute unauthorized commands via flawed web application queries, potentially dumping entire user credential databases.
    • During November and December 2023, the hacking group ResumeLooters compromised over 65 websites, mostly in the recruitment and retail sectors. More than 2 million records, including names, emails, and phone numbers, were stolen and sold on illicit Telegram chats or groups.
  • Database dumps and memory scraping: Attackers extract database backups or use tools to scrape important records, including credentials, directly from system memory (RAM).
    • According to Malwarebytes, a massive data dump in May 2025 revealed more than 184 million credentials tied to Google, Apple, Microsoft, Facebook, Instagram, Snapchat, and other platforms.
4. Network interception

Threat actors use the following network-based attack techniques to intercept credentials as they travel across insecure networks:

  • Man-in-the-Middle (MitM) attacks: In this type of attack, hackers position themselves between a user and a service to intercept login credentials on unprotected or compromised networks.
  • ARP poisoning: An attacker links their machine’s MAC address to the IP address of a legitimate device, which tricks other hosts on the network into sending their traffic through the attacker’s machine.
  • DNS spoofing: Traffic intended for a legitimate site is redirected to a fraudulent site controlled by threat actors, which allows the lookalike site to capture everything.
  • SSL stripping: When a secure HTTPS connection gets downgraded to an insecure HTTP connection, data being transmitted becomes visible to the intercepting attacker.
  • Rogue access points: Attackers set up fake Wi-Fi hotspots that appear legitimate so that all connected traffic, including login credentials, can be intercepted.

5. Accidental exposure: unintentional leaks

Sometimes credentials leak through simple oversight. Developers might accidentally commit sensitive information like API keys, database logins, or hardcoded passwords to public code repositories. Attackers use automated tools to continuously scan these repositories for such exposures, providing easy access.
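The same scanning that attackers automate against public repositories can be run by the repository owner first, for example as a pre-commit hook. The following is an added example written for this article, not Webz.io code: a small line-oriented secret scanner with a handful of rules. The AWS access key ID shape (AKIA followed by 16 upper-case alphanumerics) is the real format; the other rules, the `secretscan:ignore` suppression marker, and every value in the sample source are assumptions constructed for the demo.

```python
import re
from dataclasses import dataclass

# Rules for common credential shapes. The AWS access key ID rule is the real
# format; the remaining rules are generic heuristics assumed for this example,
# not any vendor's published patterns.
RULES = {
    "aws_access_key_id": re.compile(r"\bAKIA[0-9A-Z]{16}\b"),
    "private_key_block": re.compile(r"-----BEGIN (?:RSA |EC |OPENSSH )?PRIVATE KEY-----"),
    "db_connection_string": re.compile(
        r"(?i)\b(?:postgres(?:ql)?|mysql|mongodb)(?:\+\w+)?://[^:\s/]+:[^@\s]+@"),
    "hardcoded_password": re.compile(
        r"(?i)\b(?:password|passwd|pwd)\s*[=:]\s*['\"][^'\"]{6,}['\"]"),
    "generic_api_key": re.compile(
        r"(?i)\b(?:api[_-]?key|secret[_-]?key|access[_-]?token)\s*[=:]\s*['\"][A-Za-z0-9_\-]{20,}['\"]"),
}

IGNORE_MARKER = "secretscan:ignore"  # hypothetical inline suppression marker


@dataclass(frozen=True)
class Finding:
    line_no: int
    rule: str
    redacted: str  # enough to locate the value without re-exposing it in a report


def redact(match_text):
    """Keep a short prefix so a reviewer can recognise the value; mask the rest."""
    return match_text[:8] + "*" * max(0, len(match_text) - 8)


def scan_lines(lines):
    """Return a Finding for every rule that matches a line, skipping marked lines."""
    findings = []
    for line_no, line in enumerate(lines, start=1):
        if IGNORE_MARKER in line:
            continue
        for rule, pattern in RULES.items():
            match = pattern.search(line)
            if match:
                findings.append(Finding(line_no, rule, redact(match.group(0))))
    return findings


# Constructed sample "commit" content; every value below is fake.
SAMPLE_SOURCE = """\
import os
DB_URL = "postgres://app_user:S3cretPassw0rd@db.internal:5432/app"
AWS_ACCESS_KEY_ID = "AKIAEXAMPLEKEY0000AB"
password = os.environ.get("DB_PASSWORD")
api_key = "sk_test_placeholder_0123456789abcdef"
TEST_TOKEN = "access_token = 'not_a_real_token_value_xyz'"  # secretscan:ignore
"""

if __name__ == "__main__":
    for f in scan_lines(SAMPLE_SOURCE.splitlines()):
        print(f"line {f.line_no}: {f.rule}: {f.redacted}")
```

Line 4 of the sample is the pattern to aim for (the password is read from the environment, so nothing matches), while lines 2, 3 and 5 are the kind of oversight the paragraph describes. A real deployment would run this over the staged diff and block the commit on any finding; rotating the exposed value is still required, since a secret that reached a remote branch even briefly has to be treated as leaked.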

 

In December 2023 a malicious actor gained access to National Public Data’s systems and leaked the sensitive data onto the dark web during 2024. Over 2.9 billion records of highly sensitive data were leaked. The hackers gained access to National Public Data’s records by exploiting an archive that contained the source code and plaintext usernames and passwords for different components of a sister website to National Public Data.

Mapping the attacker’s tactics

Once credentials are stolen, leaked, or discovered, they endanger the company. An attack often creates a cascade effect within the victim organization.

1. Finding and validating exposed credentials 

Attackers acquire credentials from various sources: phishing campaigns, malware deployment, data breaches, network interception, and accidental exposure. They often use automated tools to test credentials against target organizations to confirm their validity (credential stuffing). For example, Atlantis AIO Multi-Checker, a commonly used tool for automating credential stuffing attacks, allows threat actors to test millions of stolen credentials across 140 platforms in rapid succession. 
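Credential stuffing has a recognisable shape in authentication logs: one source address tries many distinct accounts in a short window, almost all attempts fail, and the rare success is the account that needs an immediate reset. The detection below is an added example written for this article (not code from the page or from any tool it names) and assumes a constructed log format with one attempt per line; the addresses, usernames and timestamps are all made up.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed log format (not a real product's schema): one attempt per line.
LOG_LINE = re.compile(
    r"^(?P<ts>\S+) src=(?P<src>\S+) user=(?P<user>\S+) result=(?P<result>OK|FAIL)$")


def parse_line(line):
    """Parse one log line into an event dict, or None if it does not fit the format."""
    m = LOG_LINE.match(line)
    if not m:
        return None
    return {
        "ts": datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ"),
        "src": m["src"],
        "user": m["user"],
        "ok": m["result"] == "OK",
    }


def detect_credential_stuffing(lines, window=timedelta(minutes=5),
                               min_distinct_users=5, min_fail_ratio=0.8):
    """Flag source addresses that try many distinct accounts, mostly failing,
    inside a sliding time window. One account failing repeatedly is password
    guessing rather than stuffing and is deliberately not flagged here."""
    by_src = defaultdict(list)
    for line in lines:
        ev = parse_line(line)
        if ev:
            by_src[ev["src"]].append(ev)

    alerts = []
    for src, events in by_src.items():
        events.sort(key=lambda e: e["ts"])
        best = None
        left = 0
        for right in range(len(events)):
            # Advance the window start until all events fit inside `window`.
            while events[right]["ts"] - events[left]["ts"] > window:
                left += 1
            span = events[left:right + 1]
            summary = {
                "src": src,
                "distinct_users": len({e["user"] for e in span}),
                "attempts": len(span),
                "failures": sum(1 for e in span if not e["ok"]),
                # Successful logins inside a stuffing burst are the accounts to reset.
                "compromised_users": sorted(e["user"] for e in span if e["ok"]),
            }
            if best is None or summary["distinct_users"] > best["distinct_users"]:
                best = summary
        if (best["distinct_users"] >= min_distinct_users
                and best["failures"] / best["attempts"] >= min_fail_ratio):
            alerts.append(best)
    return alerts


# Constructed sample log: a user mistyping once, a stuffing burst from one
# address that hits a valid account, and single-account guessing from a third.
SAMPLE_LOG = """\
2025-05-01T10:00:01Z src=198.51.100.5 user=alice result=FAIL
2025-05-01T10:00:09Z src=198.51.100.5 user=alice result=OK
2025-05-01T10:01:00Z src=203.0.113.7 user=jdoe result=FAIL
2025-05-01T10:01:02Z src=203.0.113.7 user=msmith result=FAIL
2025-05-01T10:01:04Z src=203.0.113.7 user=rlee result=FAIL
2025-05-01T10:01:06Z src=203.0.113.7 user=kpatel result=FAIL
2025-05-01T10:01:08Z src=203.0.113.7 user=hsmith result=OK
2025-05-01T10:01:10Z src=203.0.113.7 user=tnguyen result=FAIL
2025-05-01T10:01:12Z src=203.0.113.7 user=bchen result=FAIL
2025-05-01T10:01:14Z src=203.0.113.7 user=dgarcia result=FAIL
2025-05-01T10:02:00Z src=192.0.2.9 user=bob result=FAIL
2025-05-01T10:02:10Z src=192.0.2.9 user=bob result=FAIL
2025-05-01T10:02:20Z src=192.0.2.9 user=bob result=FAIL
2025-05-01T10:02:30Z src=192.0.2.9 user=bob result=FAIL
2025-05-01T10:02:40Z src=192.0.2.9 user=bob result=FAIL
2025-05-01T10:02:50Z src=192.0.2.9 user=bob result=FAIL
this line is malformed and is ignored
"""

if __name__ == "__main__":
    for alert in detect_credential_stuffing(SAMPLE_LOG.splitlines()):
        print(alert)
```

The thresholds are starting points, not constants: a shared corporate egress address legitimately produces many distinct users, so production rules usually key on failure ratio and on user-agent or ASN diversity as well. The per-source grouping also misses attackers who spread attempts across many addresses, which is why a global view of failed logins per account per hour is a useful second signal.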

2. Gaining initial access

Armed with valid credentials, attackers bypass a company’s initial defenses by simply logging in. Because the login uses valid credentials, it looks like ordinary user activity and often goes unnoticed. This lets attackers establish a covert foothold, typically moving slowly and deliberately to avoid anomaly detection software.

3. Escalating privileges

Exposed credentials, especially those belonging to regular users, are just the starting point. Attackers perform privilege escalation by exploiting system misconfigurations, vulnerabilities, or weak access controls to gain higher levels of authority. Password reuse poses a serious risk, as credentials from a low-privilege account may grant access to high-privilege systems when reused across environments.

4. Lateral movement and deeper access 

With escalated privileges, attackers move laterally across the network, compromising additional systems and accounts. By leveraging the initial credentials, they can exploit internal vulnerabilities (including zero-days) or launch internal phishing attacks to compromise more users.

5. Achieving malicious objectives 

Ultimately, compromised credentials facilitate the attacker’s end goals, which can include ransomware deployment, business email compromise (BEC), CEO fraud, data exfiltration, espionage, and fraud.

Real world example: credential exploitation in action

Many cybersecurity advisories and organizations, including the National Institute of Standards and Technology and the United Kingdom’s National Cyber Security Centre, have warned about the risks of exposed credentials. Let’s take a closer look at a major incident, the Snowflake data breach.

The Snowflake data breach

The cyber threat group known as UNC5537 targeted Snowflake customers to steal data and extort the victims. The campaign relied on stolen customer credentials, primarily sourced from infostealer malware campaigns that had compromised systems not directly managed by Snowflake. This strategy gave the attackers unprecedented access to customer accounts, from which they exfiltrated a significant volume of data.

Timeline and methodology 

The incidents began as early as November 2020, when the group known as UNC5537 exploited credentials that were outdated and had not been rotated regularly. These credentials had been stolen by different malware strains, including VIDAR, RISEPRO, and REDLINE. A major weakness of the affected Snowflake instances was the lack of multi-factor authentication and the absence of network allow lists, which would have limited access to trusted locations only. This lack of protective measures gave the attackers a direct route to compromise the systems.

Impact and extortion 

Inside the network, attackers initiated direct extortion schemes against the affected organizations, leveraging the threat of releasing or selling stolen customer data on recognized cybercriminal forums. This method of operation highlights a dual-threat approach where data theft is paired with ransom demands, maximizing the potential impact on the victim organizations.

Lessons and takeaways

This incident underscores several key points:

  • Credentials stolen from any source (even personal devices compromised by infostealers) can be weaponized against corporate resources if reused or inadequately protected.
  • Network controls (like allow lists) add another vital barrier.
  • Strict credential hygiene (regular rotation, strong passwords, avoiding reuse) is essential.
  • The ecosystem of infostealer malware and dark web markets makes stolen credentials widely available, increasing the risk for all organizations.
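The second and third takeaways (allow lists and credential hygiene) can be checked mechanically at login time. The code below is an added example for this article, not Snowflake’s or Webz.io’s code: it encodes the weak configuration described above (no allow list, MFA optional, credentials never rotated) next to a hardened one, and evaluates the same login attempt against both. The policy fields, CIDR ranges, usernames and addresses are assumptions constructed for the demo.

```python
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class AccessPolicy:
    allowed_networks: tuple  # CIDR strings; empty means no allow list at all
    require_mfa: bool
    max_credential_age_days: int


@dataclass(frozen=True)
class LoginAttempt:
    user: str
    source_ip: str
    mfa_satisfied: bool
    credential_age_days: int  # days since the password or key was last rotated


# The configuration gap described in the incident: nothing limits where a
# stolen credential can be used from, and nothing beyond the credential is asked for.
WEAK_POLICY = AccessPolicy(allowed_networks=(), require_mfa=False,
                           max_credential_age_days=3650)

# Hardened counterpart (constructed ranges): corporate egress plus one VPN range,
# MFA on every login, and credentials that expire after 90 days.
HARDENED_POLICY = AccessPolicy(allowed_networks=("10.0.0.0/8", "203.0.113.0/24"),
                               require_mfa=True, max_credential_age_days=90)


def audit_policy(policy):
    """Static review of a policy: which of the lessons above does it ignore?"""
    gaps = []
    if not policy.allowed_networks:
        gaps.append("no_allow_list")
    if not policy.require_mfa:
        gaps.append("mfa_not_required")
    if policy.max_credential_age_days > 365:
        gaps.append("no_effective_rotation")
    return gaps


def evaluate(attempt, policy):
    """Return the policy violations for one login; an empty list means allow."""
    violations = []
    if policy.allowed_networks:
        src = ipaddress.ip_address(attempt.source_ip)
        if not any(src in ipaddress.ip_network(cidr) for cidr in policy.allowed_networks):
            violations.append("source_not_allowed")
    if policy.require_mfa and not attempt.mfa_satisfied:
        violations.append("mfa_missing")
    if attempt.credential_age_days > policy.max_credential_age_days:
        violations.append("credential_stale")
    return violations


# Constructed attempts: a years-old service credential replayed from an unknown
# address without MFA, and a normal user logging in from the corporate network.
REPLAYED_CREDENTIAL = LoginAttempt("svc_reporting", "198.51.100.23", False, 1200)
NORMAL_LOGIN = LoginAttempt("alice", "10.4.2.17", True, 30)

if __name__ == "__main__":
    print("weak policy gaps:", audit_policy(WEAK_POLICY))
    print("weak policy verdict:", evaluate(REPLAYED_CREDENTIAL, WEAK_POLICY) or "allowed")
    print("hardened verdict:", evaluate(REPLAYED_CREDENTIAL, HARDENED_POLICY))
```

Under `WEAK_POLICY` the replayed credential produces no violations at all, which is exactly how an infostealer log from years earlier becomes a working login. Under `HARDENED_POLICY` the same attempt fails three independent checks, so any one control would have stopped it and the combination leaves a clear audit trail of why.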

Why proactive credential monitoring is non-negotiable

The Snowflake incident and many similar scenarios underscore the critical need for ongoing credential monitoring. To prevent unauthorized access, enterprises should proactively search for their stolen credentials on the dark web and in public breach databases. Consistently enforced, strong authentication controls significantly reduce the risk of credential-based attacks.

Cyber attackers consistently exploit exposed credentials to gain unauthorized access, commit fraud, and launch ransomware attacks, making proactive defense essential. Automated tools that continuously scan for compromised credentials, set up alerts for potential breaches, and integrate with Security Information and Event Management (SIEM) systems enhance early detection and rapid response. Additionally, deploying advanced credential monitoring solutions can provide extensive coverage of compromised credentials from various sources, including infostealers and data breaches. These systems should efficiently detect compromised credentials, offering precise detection and actionable alerts with detailed contextual information that enables fast incident responses.
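One concrete form of the monitoring described above is checking a password, at the moment it is set or changed, against a corpus of breached credentials without ever sending the password or its full hash to the corpus provider. The code below is an added example for this article, not Webz.io’s product: it implements the range-query scheme popularised by Have I Been Pwned (SHA-1 the password, send only the first five hex characters, match the remaining suffix locally). The breach corpus, the account list and the candidate passwords are all constructed for the demo, and the "provider" is simulated in-process.

```python
import hashlib
from collections import defaultdict


def sha1_hex(password):
    """Upper-case hex SHA-1 of the password, the hash the range-query scheme uses."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest().upper()


def build_range_index(leaked_passwords):
    """Provider-side structure: 5-char hash prefix -> {35-char suffix: occurrence count}.
    Built from plaintexts here only because this is a demo corpus."""
    index = defaultdict(lambda: defaultdict(int))
    for pw in leaked_passwords:
        h = sha1_hex(pw)
        index[h[:5]][h[5:]] += 1
    return index


def query_range(index, prefix):
    """Simulates the remote call: the client reveals only the 5-character prefix and
    receives every suffix the provider holds under it (k-anonymity for the password)."""
    if len(prefix) != 5:
        raise ValueError("prefix must be exactly 5 hex characters")
    return dict(index.get(prefix, {}))


def is_exposed(index, candidate):
    """Client side: hash locally, query by prefix, compare the suffix locally."""
    h = sha1_hex(candidate)
    return h[5:] in query_range(index, h[:5])


def exposed_accounts(index, accounts):
    """Usernames whose proposed password appears in the breach corpus."""
    return sorted(user for user, pw in accounts.items() if is_exposed(index, pw))


# Constructed breach corpus (duplicates model the same password in several dumps).
LEAKED = ["password123", "Summer2024!", "qwerty", "letmein", "qwerty"]
RANGE_INDEX = build_range_index(LEAKED)

# Constructed candidates, e.g. values submitted on a password-change form.
CANDIDATES = {
    "alice": "Summer2024!",
    "bob": "o4-Harbour-Lantern-92!",
    "carol": "qwerty",
}

if __name__ == "__main__":
    for user in exposed_accounts(RANGE_INDEX, CANDIDATES):
        print(f"{user}: proposed password appears in breach data, reject and explain why")
```

The suffix comparison happens entirely on the client, so the provider learns only that some password hashing to one of several hundred possible prefixes was checked. In production the same check belongs in the password-change flow and in a periodic sweep of newly published dumps, with the occurrence count feeding the severity of the alert.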

The high cost of not mitigating the impact of compromised credentials

Leaving credentials exposed can lead to unauthorized financial transactions, fraudulent purchases, or leaks of sensitive financial information. Beyond the direct financial implications, reputational damage from data breaches severely erodes customer trust, resulting in increased customer churn. These reputational and financial costs highlight the need for security teams to enrich compromised-credential alerts with context (such as the malware’s root path or the infected machine’s hardware ID) so they can identify and mitigate threats before they impact clients.

For instance, the Snowflake breach exposed sensitive data from multiple organizations, including Advance Auto Parts, Banco Santander, and Ticketmaster, affecting over 500 million individuals. The breach stemmed from credentials that had been compromised back in 2021 and from the lack of multi-factor authentication (MFA), underscoring the enduring value of, and risk posed by, outdated credentials. This led to regulatory scrutiny, including a $28 million fine against Advance Auto Parts by the Vermont Attorney General for inadequate credential storage practices, alongside significant reputational and operational impacts.

Operationally, compromised credentials can disrupt business processes, enable further unauthorized access, and necessitate costly security overhauls. Even setting aside the direct economic damage, affected systems may be taken offline for extended periods while security teams work to contain the threat.

To avoid these threats, businesses can take proactive security steps such as frequent scanning for exposed credentials, enforcing good password policies, and using multi-factor authentication. Talk to a cyber expert to learn more.

Arielle Erenrich

Marketing Content Manager
