Credential Leaks - When Passwords Go Public
A credential leak refers to authentication information such as usernames, passwords, API keys, and session tokens falling into the hands of third parties who should not have access to it. It is an especially serious category within data breaches, and leaked credentials become fuel for credential stuffing attacks, causing the damage to snowball.
Leak Channels
There are many channels through which credentials are leaked. The largest in scale is a database breach, in which a service provider's server is attacked and users' credentials are leaked in bulk. If plaintext passwords that have not been hashed were stored, the damage spreads instantly. Phishing remains the most effective leak channel targeting individuals, with the mainstream tactic being to lure victims into entering their credentials on a fake login page. Theft via malware such as keyloggers and spyware, as well as insider crimes (data taken out by employees), are also channels that cannot be ignored.
Combo Lists and Trading on the Dark Web
Leaked credentials are organized into a format called a "combo list." These are text files that list combinations of email addresses and passwords, one entry per line, and lists on the scale of hundreds of millions of entries are traded on dark web marketplaces. Prices vary depending on freshness and scale, with unverified lists from recent leaks fetching high prices. Attackers feed these lists into automated tools and make massive numbers of login attempts against multiple services. Because a single service's leak can lead to the compromise of every account for users who reuse passwords, it is important to correctly understand the risks of password reuse.
How Have I Been Pwned Works and How to Use It
Have I Been Pwned (HIBP), operated by security researcher Troy Hunt, is a free service that lets you search for email addresses and passwords that have been leaked in past breach incidents. As of 2024, information on more than 13 billion compromised accounts is registered in its database. HIBP's password search API adopts the k-Anonymity model: the client sends only the first 5 characters of the password's SHA-1 hash to the server, receives the list of all hashes sharing that prefix, and compares them locally. As a result, the password being searched for is never itself sent to the server. It is recommended that corporate security teams incorporate the HIBP API into their authentication flow to block registration with already-leaked passwords. Information security books on Amazon also provide systematic knowledge on leak countermeasures.
The Chain of Damage After a Leak
The damage from a credential leak does not end with the initial leak. Through credential stuffing attacks using the leaked credentials, accounts on other services where the password is reused are taken over one after another. From the hijacked accounts, further personal information is extracted and abused as material for spear phishing, creating a chain reaction. If a financial service account is compromised, it leads to direct monetary damage, and if an email account is compromised, every service is put at risk via password resets.
Countermeasures for Organizations and Individuals
As countermeasures on the organization side, the basics are storing passwords as salted hashes (using bcrypt or Argon2), introducing leak detection systems, and formulating an incident response plan. Please also refer to the data breach response guide. As countermeasures for individuals, the most effective approach is to generate a unique password for each service with a password manager and to enable two-factor authentication. If you register for HIBP's notification feature, you will receive an immediate alert whenever your email address is included in a new breach incident. Understanding the reality of password leaks on the dark web will also help you correctly judge the priority of your countermeasures.