According to the 4iQ Identity Breach Report, 8.7 billion (detected and verified) raw identity-record data are on the surface, deep, and dark web in 2017, that is 182% increase compared to previous year. 44% of this data (around 3.8 billion) are usernames, passwords, and other credential information.

You may hack through credential stuffing

Credential stuffing is a method that hackers use to infiltrate a company’s system by automated injection of breached username/password pairs. We can see credential stuffing in 2017 – OWASP Top 10 critical web application security risks report under the second most critical risk: Broken Authentication. Hackers use credentials to bypass anti-spam and firewall devices and access users’ accounts. Once inside the company network, they can send phishing emails or compromise company systems/data. Note that attackers just need to gain access to only a few account, or just one admin account to compromise the system. According to OWASP report, hackers do money laundering, social security fraud, and identity theft, or disclose legally protected highly sensitive information.


There are even some popular tools to ease credential stuffing. For instance, Sentry MBA can repeatedly try username/password list for a targeted website. It uses an IP address list to route the traffic through so that the source of login attempts vary. It even has built-in OCR capabilities for bypassing CAPTCHA-like counter-measures. Most people use same username/password combination on multiple login sites (cross credential use). If a breach list of a site is acquired, the attackers can use the same list for another site by credential stuffing tools like Sentry MBA. The research shows that 1% to 2% success rate on cross credential use.

owasp top 10

How bad is the situation?

Use of stolen credentials is reported as #1 reason in 2018 Verizon Data Breach Investigations Report with being the cause of 22% of all breaches in 2017. 6 out of 10 confirmed data breaches in 2016 leveraged weak or stolen passwords.

bad situation

Black Kite has one of the largest commercial databases of hacked credentials to uncover client exposure and conducted a survey, which reviews trends and insights from Cyber Risk Scorecard key data points that include detailed external security risk data from cyber risk scoring for  5,217 organizations across multiple industries and over one million active assets on the Internet, including web and network devices. Black Kite found a whopping 95% of respondents had exposed user credentials (for more information download Black Kite Cyber Security Risk Brief 2018).

had exposed user credentials

Industrial based comparison

Black Kite 2018 Cyber Security Risk Brief also provides industry report cards (shown below) that give an industrial-based comparison for different risk categories based on easy-to-understand A-F letter grading. While companies in Financial Services and Technology relatively better in Credential Management (even though they only receive an average score of F), companies in Healthcare, Professional Services, Education, and Retail perform very poorly and receive F.

NormShield 2018 Cyber Security Risk Brief

Simple Steps to Prevent

  • Use 2-factor authentication
  • Change passwords at least quarterly
  • Train employees:
    • Do not use company credentials for personal use (social media, online purchasing, etc. Research shows that nearly 75% of people still use duplicate passwords across multiple systems
    • Use different password for business, personal and banking
  • Monitor cyber data leaks continuously

How to monitor data leaks and manage credentials

There are free tools for searching breach accounts. Black Kite also provides such a free service here. However, a manual search will not be efficient. Black Kite Cyber Risk Scorecard monitors surface, deep, and dark web and provides not only leaked credentials with details but also an assessment of a company’s cyber risk (which can be used for benchmarking).

Normshield Leaked Credential

To act now and learn your cyber risk score on Credential Management among other categories, visit