Data Breaches and the Role of Stolen Credentials in 2023

Tom Caliendo unravels the intricate web of U.S. data breaches, spotlighting the rise of stolen credentials and the shadowy underworld of the dark web driving these cyber threats.

Andrew Archer, a renowned Sydney-based artist, captivates with a vivid depiction of a skeleton emerging from a brilliantly colored terrain.
Recent trends among U.S.-based data breaches show that stolen credentials are taking up a much larger portion of breached data. A second trend reveals that hackers are increasingly using stolen credentials to conduct attacks.

Why is this happening, and how? This article explores these and other trends related to data breaches, the underlying factors driving these trends, and what to expect in the near future.

A Note on Terminology:
A "Data Breach" is when hackers steal sensitive data from companies and make it available to unauthorized entities, like other hackers or the public. The stolen information may be ransomed back to the owner, sold to other hackers, or posted on hacker web forums.

"Credentials" are the password and username or email used to log into an account.
"Exposed credentials" are those that were stolen in a data breach.

"Account Takeover" (ATO) is when a malicious actor uses someone's compromised credentials to log into the victim's personal account.

"Credential Stuffing" refers to when hackers gain entry by taking lists of stolen credentials and using them in large-scale automated login requests.

The State of Data Breaches
The state of U.S.-based data breaches in 2023 is marked by increasing numbers of data breaches. This fact is documented by the Identity Theft Resource Center (ITRC), which is the authoritative source for tracking these incidents of personal data compromise. (1)

ITRC's H1 2023 Data Breach Analysis report shows 1,393 data compromises in the first half of this year. That number is higher than the total figure for almost every year since ITRC started tracking breaches in 2005. James Lee, COO of ITRC, commented on the podcast Notified that data compromises in 2023 "are on a blistering pace to set a new record by year’s end". (2) (3)

The State of Stolen Credentials Usage
Stolen credentials now have a bigger role than ever before in enabling hackers to steal data.

The share of all data breaches caused by hackers using stolen credentials increased from 41% in 2021 to 47% in 2022, according to the 2023 Data Breach Investigations Report (DBIR) by Verizon. In turn, data breaches exposed more and more credentials: per the report, stolen credentials made up nearly 50% of confidential data exposed in 2022 data breaches. (Note that when referring to the year 2022, the DBIR means the period from November 1st, 2021 to October 31st, 2022.) (4)

The report adds that, "stolen credentials have really gained ground over the past five years and become the most common entry point for breaches." (5)

In addition, the number of annual "credential spill incidents" (i.e. credentials being exposed/stolen) nearly doubled between 2016 and 2020, according to the F5 Labs 2021 Credential Stuffing Report. (6)

So what do malicious actors do with stolen credentials? According to cyber security expert Kayly Lange on splunk.com, cybercriminals primarily used the information in data breaches to carry out more data breaches. (7)

Credential Stuffing
So how are hackers using stolen credentials? The preferred method is credential stuffing. As noted above, "Credential Stuffing" refers to when hackers gain entry by taking lists of stolen credentials and using them in large-scale automated login requests. Hackers are relying on the fact that people reuse the same usernames and passwords when they set up multiple accounts. (8)

Credential stuffing as a technique is on the rise. For example, the American identity and access management company Okta reported that credential stuffing attacks were responsible for 34% of the login attempts it observed. (Note that this was not a randomized study that would reflect logins in general; the figure was based on the company's internal records of the work it conducted for customers.) (9)

In addition, F5 Labs identified access-based attacks such as credential stuffing as the number one attack method leading to data breaches. (10)

Credential stuffing was used in several of the biggest data breaches in 2023, such as those at PayPal, Chick-fil-A, and United Healthcare. (11) (12) (13)

The success of credential stuffing reflects how often people reuse their passwords. A study by SpyCloud observed 70% password reuse among people whose information was exposed in data breaches in 2021. While the problem of password reuse is well documented, it does not appear to be going away any time soon. In one survey, less than half of respondents said they would change their password if it were exposed in a breach. (14) (15)

Where and How Hackers Find Stolen Credentials
Stolen credentials are bought and sold in dark web underground markets. In fact, stolen credentials have become the most valued and sought-after data on the dark web. Greater value translates to more money, and credentials are now fetching a record high price on the dark web. (16)

According to Recorded Future's 2022 Annual Report, there is a large marketplace for selling stolen credentials on the dark web. While hackers have traditionally made money from their intrusions through ransomware attacks, they are increasingly turning to selling stolen credentials instead. This could explain why Ransomware payments decreased by nearly 60% from 2021 to 2022. The report stated that "Credential sales remain popular on dark web marketplaces, typically for use in account takeover and credential stuffing attacks." (17)

One example is the Genesis Market, an invite-only dark web market where hackers could buy and sell stolen credentials. Data on 80 million account access credentials was offered for sale over a 5 year period, according to the US Justice Department. Genesis was taken down by authorities in April 2023. (18)

The Path of Stolen Credentials
After a data breach, stolen credentials will usually go through a series of stages. The F5 2021 report provides very detailed insights into this process. To start, after the attackers obtain credentials they typically keep the breach secret. During this stage the attackers may use the credentials for additional attacks and/or quietly start selling the credentials. (19)

The credentials are more valuable if no one knows they were stolen at all. Therefore sales of credentials are kept as secret as possible to help maintain the credentials' value. The attackers may quietly reach out to specific buyers to offer the sale.

In the next stage the attackers will make it known to a wider audience that the credentials are for sale. For example, if the attackers make an announcement on a place like Genesis Market, the knowledge of the breach will generally stay within the hacker forum or marketplace community. In other words, the existence of the breach is known within the underground realm, but not open knowledge to the public in general.

At some point, it becomes apparent that the breach is going to become public knowledge in the near future. There are a lot of possible reasons that the breach will become public knowledge. The victim could make a public announcement about the breach. Sometimes third party researchers may discover and announce the breach. The attackers themselves may also make an announcement.

The stolen credentials are most actively bought, sold, and used in the period leading up to the breach becoming public, possibly because hackers know it is their last chance to use them.

The announcement often occurs immediately before or after the hackers post the data publicly on a hacker forum or some other platform.

Regardless of why or how it happens, as soon as the breach becomes public the price of the credentials will start declining immediately. The drop in value is because many of the victims will start changing their credentials as soon as they know their accounts have been compromised. There are also many people that do not change their credentials, but enough people will take action to significantly reduce the data's value to potential buyers/hackers.

Finally, around the time the breach becomes public, the attackers will often post the credentials publicly on some platform to show off their victory.

The Bigger Role of the Market
This shows yet another way that the underground market affects data breaches and stolen credentials. However the underground criminal market is more than just a place to sell stolen credentials.

In fact, the growth of the underground market plays a large role in facilitating attacks. Criminals are increasingly specializing in certain skills and selling their services: the process behind a hack stays the same, but different people carry out different parts of it.

For example, Initial Access Brokers (IABs) gain entry to companies or other targets and then sell that access. According to a recent article by Eric Clay, VP of Marketing at Flare Inc., IABs post listings of their access for sale. A common IAB listing on the market includes product descriptions such as the number of devices compromised, the industry of the victim company, its number of employees, and the geographic location of the victim. (20)

Credential stuffing attacks are also cheap and available. F5 Labs' 2022 report highlighted that credential stuffing had become "incredibly easy and inexpensive." The report pointed out that on the underground market it costs less than $200 to pay for 100,000 ATO attempts. (21)

Hackers do not need to learn the skills to gain access to the victim because they can outsource that step to IABs. The growing market enables a wide variety of specialists to sell their hacking-related services. Therefore the market is likely facilitating hacks and is a major factor driving new attacks.

Therefore, the growing number of hacks that used stolen credentials and the increasing amount of credentials in breached data may simply be the outgrowth of a bigger underlying problem: the underground market. What is known for certain is that the market enables the sale and purchase of credentials while also enabling hackers to carry out successful attacks.

More studies are needed to determine the causes and effects of these trends and the direct influence of the market. In the meantime, the existing research suggests that the underground market plays a pivotal role in these developments. As long as the underground market is able to flourish, we can expect these data breach trends to continue.

Sources:
1. US on Track For Record Number of Data Breaches (InfoSecurity)
2. Bucks Up, Cupcake - Takeaways From ITRC’s Eye-Opening H1 2023 Data Breach Analysis (ID Theft Center)
3. 2023 Data Breach Investigations Report (Verizon)
4. 2021 Credential Stuffing Report (F5)
5. The Credential Stuffing Guide: How to See and Stop Credential Stuffing Attacks (Splunk)
6. Credential stuffing accounts for 34% of all login attempts (Okta)
7. Credential Stuffing 2022: Latest Attack Tools and Trends (F5)
8. PayPal accounts breached in large-scale credential stuffing attack (Bleeping Computer)
9. Chick-fil-A hack spells indigestion for 71K customers (SC Magazine)
10. Credential Stuffing Attack Exposed United HealthCare Member Data (The HIPAA Journal)
11. 5 Takeaways from SpyCloud’s Annual Identity Exposure Report (SpyCloud)
12. 25+ Password statistics (that may change your password habits) (Comparitech)
13. 2022 Annual Report (Recorded Future)
14. The Genesis Market Takedown – Keep Users Credentials Secure (Bleeping Computer)
15. 2021 Credential Stuffing Report (F5)
16. The Dark Web Is Expanding (As Is the Value of Monitoring It) (Dark Reading)
17. Credential Stuffing 2022: Latest Attack Tools and Trends (F5)