In the digital age, stolen credentials have become a significant threat to enterprise security. These credentials, often harvested from various attack and breach databases, pose a critical risk to organizations worldwide. This blog explores where these credentials originate, the implications of their misuse, and the steps attackers take to exploit them. By understanding these dynamics, organizations can better prepare and protect themselves against potential breaches.



Here is the verbatim discussion:

CR initials now where are the stolen credentials coming from the these are coming from you know various uh attack and breach databases which were you know published for the last uh maybe you know 5 to 10 years uh where billions and billions of you know credentials are available on dark web and many of them are being reused by employees you know intentionally non-intentionally uh on other you know systems which probably works in the Enterprise and not only that uh some of the cases of Shadow it lot of cases in Shadow it also comes from you know code leagues like the developers when they go when they write open source you know tools they uh leave credentials and API keys in the code and make it you know and publish it on the developer or they can also you know leave this credentials in the build in the software build uh such as genes or maybe Circle Ci or maybe other you know any other you know cicd platform right so in one of the incidents which has happened last one month back where you know the after uh doing fishing you know once the attacker got access to one of the systems uh one of the devop systems and then they got access to their uh their cicd system what they they found out is they decompiled the build and then in the build itself they were package of credentials being you know packaged together with the build and as a result they got access to lot of other systems all around inside the inside the Enterprise Network uh yeah along with credentials and lot of being cases being reported where the leaked API keys where the API keys are also being published in the code that attackers can get access uh for the past few you know years there has been lot of incidents because the databases such as mongodb elastic search being open kubernetes we in fire Compass we did a research last year where we tracked all the open sorry all the kubernetes instances you know hundreds and hundreds of kubernetes instances being left open because of a bug in one of the you open source library and because of which we uh got access to their communities cluster and we reported this to various organizations and they could fix it immediately uh not only that we have also seen you know attackers using darker instances which are left open to the internet because of certain misconfigurations so Shadow it you know assets which are exposed to the internet with a misconfiguration with some kind of misconfiguration the code which is being leaked contributes to at least 60% of you know cases where the attackers can get access to you know initial foothold into the organization all right uh let's you know now not only that attackers have now the capability to scan internet in just few days and that's makes it increasingly difficult to you know increasing that makes a life of of a you know Defender increasingly difficult the reason being that if attacker can scan the internet in few days which means your mean time to remediate has drastically decreased from weeks to days in fact uh now how does this automation works I'll just describe in very in few you know words and sentences I'll try to simplify this by the way this is and when very simplified version of what happens in reality uh now one of the first step that uh attackers do is to create a internet wide scanner now there are various open source tools available uh which if configured properly using expert can be used to scan the whole internet actually within few days days and if you put more horsepower more Computing resources within ours in fact uh now this is not an easy task by the way right there are 3 billion ipv4 addresses and there are 65,000 posts which makes it nearly impossible right to scan the whole internet but then the the advantage the attacker has is that they do not scan whole internet on all the ports but they do do it as per no as per the attack say one.



Sources of Stolen Credentials:

Stolen credentials often come from databases compromised in attacks over the past 5 to 10 years. These databases, containing billions of credentials, are readily available on the dark web. Employees frequently reuse these credentials across multiple systems, increasing the risk of breaches within enterprises.

Impact of Shadow IT:

Shadow IT contributes significantly to credential exposure. Developers may inadvertently leave credentials and API keys in code repositories, build environments, or CI/CD platforms such as Jenkins or CircleCI. These oversights can lead to significant vulnerabilities.

Case Study: CI/CD System Breach:

In a recent incident, attackers gained access to a DevOps system through phishing. Once inside, they decompiled a software build and discovered packaged credentials. This allowed them to infiltrate multiple systems within the enterprise network, highlighting the critical need for securing build environments.

Leaked API Keys and Open Databases:

API keys and other sensitive information are often exposed in publicly accessible code. Incidents involving open databases like MongoDB, Elasticsearch, and Kubernetes clusters are common. Fire Compass research uncovered numerous open Kubernetes instances due to misconfigurations, emphasizing the importance of securing such assets.

Exploitation of Misconfigured Assets:

Attackers frequently exploit misconfigured Docker instances and other internet-exposed assets. These misconfigurations provide initial footholds into organizations, enabling further exploitation and data breaches.

Automation in Attacks:

Modern attackers use automated tools to scan the internet rapidly. Open source tools, when configured by experts, can scan vast IP ranges and ports efficiently. This automation reduces the time attackers need to identify vulnerable systems, thus pressuring defenders to remediate vulnerabilities more quickly.

Importance of Rapid Remediation:

As attackers can scan the internet in days, the mean time to remediate (MTTR) vulnerabilities must be drastically reduced. Effective vulnerability management and rapid response are crucial to preventing exploitation and minimizing risks.


The landscape of cybersecurity is increasingly complex, with attackers leveraging automation and vast databases of stolen credentials to breach systems. Understanding the sources and methods of these attacks is vital for organizations to defend themselves effectively. Implementing stringent security measures, securing code and build environments, and reducing MTTR are essential steps in mitigating these risks. By staying vigilant and proactive, organizations can protect their assets and reduce the likelihood of successful attacks.



Jitendra Chauhan has over 16+ years of experience in the Information Security Industry in key areas such as Building and Managing Highly Scalable Platforms, Red Teaming, Penetration Testing, and SIEM. He holds multiple patents in Information Security. He loves to visualize problems, solutions and ideas. He is very strong with modelling and inductive learning (he can mentally make math models based on a few examples). He is very passionate about machine learning and its applications, Cyber Security and Micro Services.


E-mail me when people leave their comments –

You need to be a member of CISO Platform to add comments!

Join CISO Platform

CISO Platform

A global community of 5K+ Senior IT Security executives and 40K+ subscribers with the vision of meaningful collaboration, knowledge, and intelligence sharing to fight the growing cyber security threats.

Join CISO Community Share Your Knowledge (Post A Blog)



CISO Breakfast at BlackHat Las Vegas 2024!

  • Description:

    We are thrilled to invite you to the CISO Breakfast at BlackHat 2024. 

    CISOPlatform is a community partner for the event which is co-hosted by Silicon Valley Bank, Stage One, First Rays Venture Partners, Latham & Watkins.


    Event Details: 

    • Date: Thursday, August 8th,…
  • Created by: pritha
  • Tags: blackhat usa, las vegas, ciso breakfast, usa