Stolen passwords are a hacker goldmine now
Add Axios as your preferred source to
see more of our stories on Google.
Illustration: Shoshana Gordon/Axios
Hackers increasingly rely on legitimate user accounts over malware to break into some of the biggest companies.
Why it matters: Finding someone's password or authentic browser session tokens is pretty easy on the dark web thanks to a growing dark-net market where hackers buy and sell information stolen from years of data breaches.
- Hackers using stolen user accounts to exfiltrate data from a company's network can more easily disguise their activities — averting detection from traditional cyber monitoring tools.
Driving the news: CrowdStrike and IBM both released reports late last month detailing how malicious hackers are relying more on passwords in their schemes.
- IBM's incident response team saw a 71% increase in the number of attacks relying on valid login credentials in 2023 compared with 2022.
- The total number of advertisements from access brokers — who sell passwords, session tokens and other ways to break into a company — jumped nearly 20% in 2023 from the year before, CrowdStrike's report found.
What they're saying: "To see a 70-percent swing, that's an industry wake-up call," Charles Henderson, global head of IBM's X-Force threat intelligence team, told Axios.
- "We've been saying for 20 years that, 'Hey, passwords are bad, we should be using multifactor authentication,' and you're seeing that come home to roost," he added.
The big picture: Stolen account sessions and legitimate passwords were the root cause of several high-profile attacks in 2023.
- In November, hackers broke into Microsoft's networks via a password-spraying attack. They eventually gained access to top executives' inboxes.
- Hackers used a similar technique to breach genetic testing company 23andMe in the fall and steal 6.9 million people's personal data.
- Identity management companies like Okta and LastPass have become prime targets for hackers in recent years too.
Zoom in: Both government hacking teams and financially motivated cybercriminals are turning to login credentials and session tokens.
- IBM noted that the LockBit ransomware gang has attempted to purchase source code for a popular infostealer — a type of malware that hackers use to steal login credentials and session tokens.
- CrowdStrike found in its report that Russian military hackers had developed their own tools to mine login credentials from Yahoo Mail and other email providers.
- Russian intelligence hackers also conducted a phishing campaign to collect multifactor authentication tokens from Microsoft 365 accounts, CrowdStrike noted.
The intrigue: The heightened reliance on login credentials has also prompted a wave of cloud intrusions, Adam Meyers, senior vice president of counter adversary operations at CrowdStrike, told Axios.
- CrowdStrike saw a 75% increase in the number of cloud intrusions in 2023.
- "A threat actor simply has to compromise the identity of a legitimate user and then move into the cloud environment," Meyers said.
- From there, hackers can deploy malware or other tools directly from the cloud interface, he said, and the intruders look like legitimate users while doing so.
The bottom line: Implementing a zero-trust security framework inside a company can help to ensure hackers don't have access to privileged information once they break in, the reports advise.
- Employees should also be mindful of how frequently they're reusing passwords across accounts.
