Breaches Using Stolen Credentials Are Surging – Internal Threat Detection Can Help

Back to Blog
Михаил Руденко

Breaches Using Stolen Credentials Are Surging – Internal Threat Detection Can Help

As an MSP, your clients rely on your expertise to bolster their data security and ensure they operate with minimal exposure to cyber threats.    

Now, imagine a client tells you that their proprietary research files have been compromised. They recently discovered an employee with appropriate permissions downloaded the data to an unauthorized offsite server three months earlier – except the employee in question was on medical leave at the time of the execution.  

A case of stolen credentials.

Risking Credential Theft 

Hackers are steadily warming to credential theft as their preferred method of attack. For years, malware reigned as the go-to infiltration strategy for hackers, but according to Verizon’s 2020 Data Breach Investigation Report, credential theft is taking over.

The report found that malware infections are at an all-time low – in fact, the lowest rates on record since Verizon has been tracking the activity. For several years, malware caused nearly 50 percent of all breaches, but that has now dropped to 22 percent. Hacking makes up 45 percent of attacks with social engineering strikes at 22 percent. Eighty percent of breaches executed via hacking were perpetrated through compromised credentials – either stolen or brute-force password cracking. 

Little Risk, Lots of Reward

So why the shift in attack methodology? It might be because clicks on infected phishing links only generate a 3.4 percent success rate. Although hackers don’t need high volume clicks to be successful, they often find it easier to steal credentials, and just one confiscated login can be the key to a treasure trove of data. Additionally, a known user ID will not alert an antivirus program or other external security tools, so there’s little risk of using and reusing appropriated logins.

Researchers had this to say: “We think that other attack types, such as hacking and social breaches, benefit from the theft of credentials, which makes it no longer necessary to add malware in order to maintain persistence.”

Thwarting Thieves 

Although credential theft is not technically an insider threat, a standard internal threat detection method works to impede hackers using stolen IDs by monitoring for anomalous user activity. MSPs can help clients combat this escalating threat with internal threat detection software that delivers fully automated network scans, alerts and daily reports, all of which work to catch suspicious user activity quickly.

Speed is the critical factor in breach identification to mitigate loss – the difference between detecting a threat in hours versus weeks or months can be the difference between a little damage and a lot of damage. The use of stolen credentials is one of the most difficult to recognize and, when done deftly, could go unnoticed for an indefinite period of time. 

Continuous network monitoring and automated alerts are the most effective tactics to thwart breach attempts through stolen credentials. And the surge in login thievery highlights the growing need for more robust unusual user activity detection.

Click here to learn more about products like Cyber Hawk that can help you meet your clients’ internal threat detection needs. 



  1. 2020 Data Breach Investigations Report, Verizon, 2020