How do Credentials get leaked?
Most of us, at some point, have received some vague communication that our passwords were exposed somewhere. Usually whoever is telling you that will not say where and how they got leaked. I would like to try to make things a little clearer, go over some of these dangers, and explain what to do about them.
Infostealers
By far the most common way passwords get leaked today is infostealers: malware that lives somewhere on your device. These infostealers can read any file stored on your host, and something like the passwords saved in your browser is just stored as a file. They usually also have ways of reading any other place where credentials are stored. As a rule of thumb, if it is popular, an infostealer will have a way to read it.
Many of these infostealers use various ways to stay undetected. On Windows, for example, they can be stored entirely in the registry as a string to be run by PowerShell on startup; on macOS you can do virtually the same thing with cron. On Android your infostealer will more likely be an APK file, perhaps some mindless game you forgot about years ago, which allows content downloaded from outside of Google Play to be executed. No matter the platform, they are all extremely vulnerable: a simple virus scan is unlikely to unearth most of the prevailing infostealers, and getting one is as easy as installing some weird new AI agent or completing a slightly more complicated captcha.
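The registry-resident PowerShell launcher described above is something a defender can look for in an export of the autostart keys. The following is an added example, not code from the original post: a small Python scanner that walks `reg export`-style text, flags autostart values that invoke PowerShell with options rarely seen in legitimate entries (`-enc`, `-w hidden`, `-nop`, and so on), and decodes the `-EncodedCommand` argument (base64 of UTF-16LE script text) so an analyst can read what it would run. The sample export, the `Contoso\Cache` registry path in the sample payload and the indicator list are all constructed for the demo.

```python
import base64
import re
from typing import Optional

# Hypothetical registry path used by the constructed sample payload; a real
# infection would read whatever location the malware chose.
PAYLOAD_CMD = r"IEX (Get-ItemProperty HKCU:\Software\Contoso\Cache).data"
ENCODED = base64.b64encode(PAYLOAD_CMD.encode("utf-16le")).decode("ascii")

# Constructed sample in the shape of `reg export` output: one benign
# autostart entry and one hidden, encoded PowerShell launcher.
SAMPLE_REG_EXPORT = (
    "Windows Registry Editor Version 5.00\n\n"
    r"[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]" "\n"
    r'"OneDrive"="\"C:\\Users\\alice\\AppData\\Local\\Microsoft\\OneDrive\\OneDrive.exe\" /background"' "\n"
    '"Updater"="powershell.exe -nop -w hidden -enc ' + ENCODED + '"\n'
)

KEY_LINE = re.compile(r"^\[(.+)\]$")
VALUE_LINE = re.compile(r'^"([^"]+)"="(.*)"$')
LAUNCHER = re.compile(r"\b(powershell|pwsh)(\.exe)?\b", re.IGNORECASE)
# Flags and cmdlets that are rarely legitimate in an autostart value.
SUSPICIOUS = re.compile(
    r"(-e(?:nc|ncodedcommand)?\s|-w(?:indowstyle)?\s+hidden|-nop\b|-noni\b"
    r"|\biex\b|invoke-expression|downloadstring|get-itemproperty|frombase64string)",
    re.IGNORECASE,
)
ENCODED_ARG = re.compile(r"-e(?:nc|ncodedcommand)?\s+([A-Za-z0-9+/=]+)", re.IGNORECASE)


def decode_encoded_command(b64: str) -> Optional[str]:
    """-EncodedCommand carries base64 of the UTF-16LE script text."""
    try:
        return base64.b64decode(b64, validate=True).decode("utf-16le")
    except (ValueError, UnicodeDecodeError):
        return None


def scan_run_keys(reg_text: str) -> list:
    """Return one finding per autostart value that launches PowerShell with
    suspicious options: key, value name, raw command, matched indicators
    and the decoded script when an encoded command is present."""
    findings = []
    current_key = None
    for raw in reg_text.splitlines():
        line = raw.strip()
        key = KEY_LINE.match(line)
        if key:
            current_key = key.group(1)
            continue
        value = VALUE_LINE.match(line)
        if not value or current_key is None:
            continue
        name, data = value.groups()
        if not LAUNCHER.search(data):
            continue
        indicators = sorted({m.group(0).strip().lower() for m in SUSPICIOUS.finditer(data)})
        if not indicators:
            continue
        decoded = None
        enc = ENCODED_ARG.search(data)
        if enc:
            decoded = decode_encoded_command(enc.group(1))
        findings.append({
            "key": current_key, "name": name, "command": data,
            "indicators": indicators, "decoded": decoded,
        })
    return findings


if __name__ == "__main__":
    for f in scan_run_keys(SAMPLE_REG_EXPORT):
        print(f"{f['key']}\\{f['name']}: {f['indicators']}")
        if f["decoded"]:
            print("  decoded:", f["decoded"])
```

On a real host you would feed it the output of `reg export` for the HKCU and HKLM Run and RunOnce keys; the scanner only raises what it can explain, so a hit is a lead for the analyst rather than a verdict, and a clean result says nothing about persistence stored elsewhere.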
What to do with infostealers?
Sadly, the only real option is to rebuild as much as possible. This means a clean installation of your Windows or macOS host, a factory reset of your phone, and if you logged into your corporate account on your smart fridge, you should consult the manual on how to factory reset that as well. Do not believe that your instance of Avira Free Antivirus stands a chance; if it did, you would not have leaked credentials (probably). Of course, any exposed credentials must be reset as soon as possible after this step, starting with providers of more than one service, like Google or iCloud.
3rd party breaches
Slightly less likely, yet still very common: various third parties typically hold your credentials.
- Online password managers
- Good old fashioned brute-force
- Any breached website if you reuse your passwords
RockYou has not really repeated itself, since best practice today is to store passwords as salted hashes, but weak passwords can still be discovered reasonably quickly. The LinkedIn breach used an unsalted weak hash, and most passwords were cracked very quickly.
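The difference between the two storage schemes mentioned above is easiest to see in code. The following is an added example, not code from the original post: it stores the same constructed set of accounts once with a fast unsalted hash (SHA-1 stands in for the weak hash the text describes) and once with a per-user salt and a slow PBKDF2 derivation, then counts how many hash computations a dictionary of five leaked words needs to recover the weak passwords in each case. The point it makes is the one the paragraph makes: salting removes the shared precomputed table (and stops identical passwords from showing up as identical hashes), but a weak password still falls, just at the slower per-account rate. Wordlist, accounts and iteration count are constructed for the demo.

```python
import hashlib
import hmac
import os
from typing import Optional

ITERATIONS = 50_000  # kept low so the demo runs fast; production uses far more, or Argon2

# Constructed data: a tiny "leaked" wordlist and a few accounts. Two users
# share a weak password; one uses a long random one.
WORDLIST = ["123456", "password", "linkedin", "qwerty", "letmein"]
USERS = {
    "alice": "password",
    "bob": "linkedin",
    "carol": "password",
    "dave": "k7$Vq!p2Lw9#rTz0",
}


def unsalted_hash(password: str) -> str:
    """The weak scheme: one fast, unsalted hash (SHA-1 here)."""
    return hashlib.sha1(password.encode()).hexdigest()


def salted_hash(password: str, salt: Optional[bytes] = None, iterations: int = ITERATIONS):
    """The hardened scheme: a random per-user salt and a slow derivation."""
    if salt is None:
        salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return salt, digest


def verify_salted(password: str, salt: bytes, digest: bytes, iterations: int = ITERATIONS) -> bool:
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return hmac.compare_digest(candidate, digest)


def recover_unsalted(stored: dict, wordlist: list) -> tuple:
    """Unsalted: hash the wordlist once, then every account is a dictionary
    lookup. Returns (recovered passwords, number of hash computations)."""
    table = {unsalted_hash(w): w for w in wordlist}
    found = {user: table[h] for user, h in stored.items() if h in table}
    return found, len(wordlist)


def recover_salted(stored: dict, wordlist: list, iterations: int = ITERATIONS) -> tuple:
    """Salted: no shared table is possible, every account costs its own pass
    over the wordlist at the slow iteration count. Weak passwords still fall,
    just without the amortisation across accounts."""
    found, work = {}, 0
    for user, (salt, digest) in stored.items():
        for word in wordlist:
            work += 1
            if verify_salted(word, salt, digest, iterations):
                found[user] = word
                break
    return found, work


if __name__ == "__main__":
    weak = {u: unsalted_hash(p) for u, p in USERS.items()}
    strong = {u: salted_hash(p) for u, p in USERS.items()}
    print("unsalted:", recover_unsalted(weak, WORDLIST))
    print("salted:  ", recover_salted(strong, WORDLIST)[1], "hash computations")
```

The two `recover_*` functions return the same three weak accounts; what changes is the cost (five computations for the whole table versus one pass per account at a deliberately slow rate) and the fact that `alice` and `carol` no longer share a stored value. Neither scheme protects `dave`'s random password from nothing, and neither makes `password` safe, which is why the text asks for strong, unique passwords on top of good storage.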
Brute forcing is easier than ever today, as cloud-based login solutions often do not implement anything like fail2ban and simply treat a flood of attempts as a performance issue rather than a targeted brute-force attack, so a scalable infrastructure is also endlessly brute-forceable as a side effect.
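The fail2ban-style control the paragraph says is often missing is a small amount of state in front of the password check. The following is an added example, not code from the original post or from any login provider: a sliding-window failure counter that blocks a source address after a burst of failures and, separately, moves an account into a step-up ("challenge") state when it collects failures from many sources, which is the pattern a scaled-out attacker produces. The thresholds, the `simulate` replay helper and the two traffic samples are constructed for the demo.

```python
from collections import defaultdict, deque


class LoginGuard:
    """Sliding-window failure counting for a login endpoint.

    - Per source: after `source_limit` failures inside `window` seconds the
      source is blocked for `source_block` seconds (the fail2ban idea).
    - Per account: after `account_limit` failures inside `window` from any
      sources, the account is put into step-up mode (returned as "challenge")
      rather than locked, so an attacker cannot use the guard to lock users
      out. All thresholds here are constructed for the demo.
    """

    def __init__(self, window=300, source_limit=5, source_block=900, account_limit=20):
        self.window = window
        self.source_limit = source_limit
        self.source_block = source_block
        self.account_limit = account_limit
        self.by_source = defaultdict(deque)
        self.by_account = defaultdict(deque)
        self.blocked_until = {}

    def _prune(self, dq, now):
        # Drop timestamps that fell out of the window.
        while dq and dq[0] <= now - self.window:
            dq.popleft()

    def decide(self, account: str, source: str, now: float) -> str:
        """Call before checking the password. Returns allow/block/challenge."""
        if self.blocked_until.get(source, 0) > now:
            return "block"
        acct = self.by_account[account]
        self._prune(acct, now)
        if len(acct) >= self.account_limit:
            return "challenge"
        return "allow"

    def record(self, account: str, source: str, success: bool, now: float) -> None:
        """Call after the password check with its outcome."""
        if success:
            # A genuine login clears the account's failure history.
            self.by_account.pop(account, None)
            return
        acct = self.by_account[account]
        src = self.by_source[source]
        self._prune(acct, now)
        self._prune(src, now)
        acct.append(now)
        src.append(now)
        if len(src) >= self.source_limit:
            self.blocked_until[source] = now + self.source_block
            src.clear()


def simulate(guard: LoginGuard, attempts) -> list:
    """Replay (time, account, source, password_ok) tuples; returns decisions."""
    decisions = []
    for now, account, source, ok in attempts:
        decision = guard.decide(account, source, now)
        decisions.append(decision)
        if decision == "allow":
            guard.record(account, source, ok, now)
    return decisions


# Constructed traffic: one host hammering one account, then the same account
# hit from many hosts with one attempt each (the "scalable" pattern).
SINGLE_SOURCE = [(t, "alice", "203.0.113.5", False) for t in range(7)]
SPRAY = [(t, "bob", f"198.51.100.{t}", False) for t in range(21)]

if __name__ == "__main__":
    print(simulate(LoginGuard(), SINGLE_SOURCE))
    print(simulate(LoginGuard(), SPRAY))
```

The per-source rule alone does nothing against the distributed case, because every address stays under its limit; that is why the account-level counter exists, and why it answers with a challenge (a second factor, a CAPTCHA, a notification) instead of a lockout that an attacker could trigger on purpose.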
What to do with 3rd party breaches?
You have to assume that any site could have been a target, and online password managers in particular are exceedingly dangerous. Best practice here is any method where you, and only you, have all the control over your password database. Every password you have has to be reset, since the scope is always hard or impossible to ascertain, and all new passwords should be strong, randomized and unique. A password manager is a must, yet an online one can be worse than none at all.
Phishing
Still incredibly common and usually incredibly powerful. MFA stopped phishing only very briefly, and thanks to standardization across so many users as to what platform they log in to, it is more of a threat than ever before. With so many organizations using Microsoft Azure and Entra ID, attackers had to learn how to sort that one out and suddenly had a massive list of very valuable targets.
The mechanics of compromising something like Entra ID are very simple. While login does require both a password and you confirming MFA, those two steps create a session, and that session is just a cookie stored in your browser. There are several tiers of cookies, where one is allowed to create the other, but in general, once you log in, the top-tier cookie has a default lifetime of 90 days and, for a while, could be used from anywhere. Cookie hijacking is not super easy and does require access to your machine, but cookie creation is easier; there is even a whole framework for it. In general the attacker sets up a reverse proxy in front of the Microsoft login page, essentially just making a request to Microsoft and serving you whatever Microsoft serves there. They then send you a phishing link which, when you open it, looks exactly like any other login to your Azure tenant, because all of your tenant-specific graphics etc. are served from login.microsoftonline.com, so any phishing page inherently shows the custom graphics. When you log in there, you won't see anything wrong except the domain at the top, and the attacker grabs your password and usually your session cookie, which they, by default, have 90 days to use.
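The part of the paragraph a service owner can act on is the last one: a long-lived session cookie that works from anywhere. The following is an added example, not code from the original post and not a description of how Entra ID or any other identity provider implements sessions: a generic server-side session store for a web application that binds each token to the network prefix and browser signature that obtained it, expires it on age and on inactivity, and revokes it outright if it is ever presented from a different context. The IP addresses, user agents and timeouts are constructed for the demo.

```python
import hashlib
import ipaddress
import secrets
from typing import Optional, Tuple


class SessionStore:
    """Server-side session records bound to the client that logged in.

    A token is valid only while (a) it is younger than `max_age`, (b) it has
    been used within `idle_timeout`, and (c) the request arrives from the same
    network prefix and browser signature that obtained it. A token presented
    from a different context is rejected *and* revoked, so a copy obtained
    elsewhere cannot be used later. Parameters are constructed for the demo.
    """

    def __init__(self, max_age=8 * 3600, idle_timeout=30 * 60, prefix_len=24):
        self.max_age = max_age
        self.idle_timeout = idle_timeout
        self.prefix_len = prefix_len
        self._sessions = {}

    def _fingerprint(self, client_ip: str, user_agent: str) -> str:
        # Bind to the /24 rather than the exact address so ordinary NAT churn
        # inside one site does not log the user out.
        net = ipaddress.ip_network(f"{client_ip}/{self.prefix_len}", strict=False)
        return hashlib.sha256(f"{net}|{user_agent}".encode()).hexdigest()

    def issue(self, user: str, client_ip: str, user_agent: str, now: float) -> str:
        token = secrets.token_urlsafe(32)
        self._sessions[token] = {
            "user": user,
            "issued": now,
            "last_seen": now,
            "fp": self._fingerprint(client_ip, user_agent),
        }
        return token

    def validate(self, token: str, client_ip: str, user_agent: str, now: float) -> Tuple[Optional[str], str]:
        """Return (user, "ok") or (None, reason)."""
        s = self._sessions.get(token)
        if s is None:
            return None, "unknown_or_revoked"
        if now - s["issued"] > self.max_age:
            self._sessions.pop(token)
            return None, "expired"
        if now - s["last_seen"] > self.idle_timeout:
            self._sessions.pop(token)
            return None, "idle_timeout"
        if s["fp"] != self._fingerprint(client_ip, user_agent):
            self._sessions.pop(token)  # replay from elsewhere: kill the session
            return None, "context_mismatch"
        s["last_seen"] = now
        return s["user"], "ok"

    def revoke_user(self, user: str) -> int:
        """Response step after a known phish: drop every session of the user."""
        doomed = [t for t, s in self._sessions.items() if s["user"] == user]
        for t in doomed:
            self._sessions.pop(t)
        return len(doomed)


# Constructed clients: the user's own browser and a different host that
# somehow holds a copy of the cookie value.
VICTIM_IP, VICTIM_UA = "203.0.113.10", "Mozilla/5.0 (Windows NT 10.0; Win64; x64)"
OTHER_IP, OTHER_UA = "198.51.100.7", "Mozilla/5.0 (X11; Linux x86_64)"

if __name__ == "__main__":
    store = SessionStore()
    tok = store.issue("alice", VICTIM_IP, VICTIM_UA, now=0)
    print(store.validate(tok, VICTIM_IP, VICTIM_UA, now=60))
    print(store.validate(tok, OTHER_IP, OTHER_UA, now=120))
    print(store.validate(tok, VICTIM_IP, VICTIM_UA, now=180))
```

This does not stop the proxy described above from capturing the password, and a proxy that relays the whole session from the same network the user is on would still pass the context check; what it removes is the 90-day, use-from-anywhere window the text describes, and `revoke_user` is the server-side half of "reset your passwords" after a known phish. Context binding also costs legitimate users some re-logins when they change networks, which is the trade-off behind the short timeouts.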
What to do about phishing?
If you know you got phished, reset your passwords and never do it again. Also, never click on links you receive unless you know explicitly what they are.
Public Wifi
Very unlikely. As long as you take this icon seriously:

You are unlikely to run into problems on public networks. The cases where something you may once have been warned about actually happens usually hit entire countries, not just some airport Wi-Fi.
Malicious VPN
These are what make man-in-the-middle attacks truly work. Public VPN providers have various levels of access to your device once you install a VPN; many ship their own certificate authorities, meaning they can absolutely serve you a fake login.microsoftonline.com and collect your credentials from it, or install an infostealer. Whatever risks used to exist on public Wi-Fi now exist on malicious VPNs. And no one knows which of the widely used VPNs is malicious, but it has to be at least one.
What to do about malicious VPNs?
Same as for infostealers. Since they can and often do ship malware, including infostealers themselves, you have to reset all your credentials and reinstall all your hosts.