third-party breaches (LinkedIn, Twitter, GitHub), malware on personal devices, targeted phishing campaigns, cyberattacks against suppliers.
What is compromised credentials
Stolen, leaked, or publicly exposed usernames and passwords. They represent one of the most exploited attack vectors in modern cybercrime.
Why it matters
Compromised credentials are the root cause of between 50% and 75% of enterprise security incidents according to CISA and MDR provider reports. An attacker with valid credentials can:
- Bypass perimeter controls: no need to exploit vulnerabilities; they access as a legitimate user.
- Perform lateral movement: move through the internal network searching for valuable data.
- Escalate privileges: obtain administrative access and establish persistence.
- Steal data at scale: mass exfiltration of intellectual property, financial data, PII, and trade secrets.
- Cause reputational damage: public breaches derived from weak credentials erode customer trust.
- Impact regulatory compliance: ISO 27001, NIS2, and DORA require detection and response to credential compromise.
Key points
- Employees use the same password across multiple platforms; a compromise in one service affects the entire corporate chain.
- Compromised credentials are sold or used on the dark web; victims discover the compromise weeks or months later.
- Changing a password only works if the attacker has not established persistent access (tokens, SSH keys, etc.).
- Even with compromised credentials, MFA blocks access without the second factor.
- Specialized services scan leaks and alert companies when their information appears in breach databases.
Real-world example
An executive at a multinational accesses LinkedIn from their personal laptop. Months later, LinkedIn suffers a massive breach; 500 million credentials leak. The executive reuses a variant of the same password in corporate Microsoft 365. An attacker purchases the credentials on a dark market, attempts Office 365 access, and without MFA enabled, succeeds. Once inside, the attacker accesses the executive's email, discovers financial documents in OneDrive, moves laterally to internal servers using Kerberos tools, establishes persistence via a hidden administrator account, and steals 18 months of confidential correspondence. The incident is discovered two months later through anomalous EDR alerts.
Common mistakes
- assuming "we haven't heard of a breach" is different from "we are not compromised".
- without MFA, the attacker can reset the password again using already-established access.
- a standard user with compromised credentials should not have access to financial databases.
- permissive password policies facilitate brute force and credential reuse.
- logins from suspicious IP addresses or outside normal working hours require immediate investigation.
- blocking access from unmanaged browsers or unusual geographic locations is fundamental.
Frequently asked questions
How do I know if my credentials have been compromised?
Use services like HaveIBeenPwned.com to check if your email appears in public breaches. Additionally, monitor for unauthorized password changes, logins from unusual locations, or alerts from your email provider about failed access attempts.
Is multi-factor authentication enough against compromised credentials?
MFA significantly reduces risk (by up to 99% according to Microsoft), but does not eliminate it entirely. Attackers can use man-in-the-middle attacks or steal MFA tokens if the device is compromised. MFA is essential but must be combined with anomaly monitoring.
What should I do if I discover my corporate credentials have been leaked?
Act immediately: change your password, enable MFA if not already active, review recent logins in your logs, report to your security team, check for unauthorised data sharing from your account, and monitor for anomalous activity. If you had administrative access, the security team should investigate the scope of compromise.
How can an organisation detect compromised credentials in active use?
Through SIEM monitoring, EDR, authentication log analysis (Office 365, VPN, servers), anomalous behaviour detection (off-hours logins, access from unexpected countries), and threat intelligence services that monitor the dark web and underground markets where credentials are traded.
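As an added example (not part of the original page), the following Python sketch applies the detection logic this answer describes to a few constructed sign-in records: it flags off-hours logins, first sign-ins from a country outside the account's baseline, and rapid country changes between consecutive successful logins. The log format, the per-user baseline, and the working-hour window are assumptions.

```python
# Added example: anomaly checks over authentication logs. Log lines and baseline are constructed.
from datetime import datetime, timedelta

# Constructed sign-in records: ISO timestamp (UTC), user, country code, result
SAMPLE_LOG = """\
2024-03-04T08:15:00,cfo@example.com,ES,success
2024-03-04T12:40:00,cfo@example.com,ES,success
2024-03-04T13:05:00,cfo@example.com,NG,success
2024-03-05T03:12:00,cfo@example.com,ES,success
2024-03-05T09:00:00,analyst@example.com,ES,failure
2024-03-05T09:01:00,analyst@example.com,ES,success
"""

# Constructed per-user baseline: countries previously seen for each account (assumed)
BASELINE = {"cfo@example.com": {"ES"}, "analyst@example.com": {"ES"}}
WORK_HOURS = range(7, 20)           # 07:00-19:59 UTC treated as normal working hours (assumed)
TRAVEL_WINDOW = timedelta(hours=2)  # two countries inside this window is suspicious (assumed)


def parse_log(text):
    """Parse the constructed CSV-style log into (timestamp, user, country, result) tuples."""
    events = []
    for line in text.splitlines():
        ts, user, country, result = line.split(",")
        events.append((datetime.fromisoformat(ts), user, country, result))
    return events


def detect_anomalies(events, baseline, work_hours=WORK_HOURS, window=TRAVEL_WINDOW):
    """Return (timestamp, user, reason) for successful sign-ins matching an anomaly rule."""
    findings = []
    last_seen = {}  # user -> (timestamp, country) of the previous successful sign-in
    for ts, user, country, result in sorted(events):
        if result != "success":
            continue  # failed attempts belong to brute-force/lockout logic, not to this check
        if ts.hour not in work_hours:
            findings.append((ts, user, f"off-hours login at {ts:%H:%M} UTC"))
        if country not in baseline.get(user, set()):
            findings.append((ts, user, f"first sign-in from {country}"))
        prev = last_seen.get(user)
        if prev and prev[1] != country and ts - prev[0] <= window:
            findings.append((ts, user, f"country changed {prev[1]}->{country} within {ts - prev[0]}"))
        last_seen[user] = (ts, country)
    return findings


if __name__ == "__main__":
    for ts, user, reason in detect_anomalies(parse_log(SAMPLE_LOG), BASELINE):
        print(f"{ts:%Y-%m-%d %H:%M} {user}: {reason}")
```

In a real deployment the baseline would be built from historical sign-in data and the rules fed by SIEM or identity-provider logs rather than an inline string.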