Compromised credentials

What are compromised credentials

Compromised credentials refer to access tokens, API keys, encryption keys, or other non-human identities that have fallen into the wrong hands, either through theft, exposure, or negligence. These secrets are vital to keeping the inner workings of applications and cloud services secure. When compromised, they can be a golden ticket for attackers to infiltrate systems, exfiltrate data, and wreak havoc.

In 2023, a credential stuffing attack at 23andMe resulted in the theft of DNA Relatives profiles (approximately 5.5 million) and Family Tree feature profiles (approximately 1.4 million). This incident underscores how companies handling sensitive genetic information are vulnerable without robust secrets management.

How credentials are compromised

  1. Credential stuffing attacks: Cybercriminals love to reuse secrets. A stolen access token from one breach can unlock unrelated systems if reused (hint: don’t). For example, in December 2022, login credentials for 35,000 PayPal users were compromised, highlighting the devastating effects of credential stuffing.
  2. Hardcoded secrets: Think of embedding non-human identities into application code and then pushing it to public GitHub repos. Once a secret is exposed in the wild, anyone with access can misuse it.
  3. Phishing scams: Old-school email scams can trick even savvy developers into handing over access to APIs and cloud services.
  4. Misconfigured permissions: Over-provisioned or mismanaged secrets are an attacker’s dream. “Why does this access token for uploading files to S3 also allow it to delete databases?” A question you don’t want to ask too late.

Detecting compromised credentials

The non-human identities management landscape is full of tools that promise much but deliver little. Many fall short by offering limited scanning capabilities, as they only look at specific environments or types of secrets, leaving gaping blind spots.

Additionally, these tools often lack contextual understanding, which renders a detected secret almost useless without knowing why it is there or what it is used for. To make matters worse, many solutions are disjointed, providing piecemeal approaches that fail to integrate seamlessly across the entire development lifecycle. These gaps leave organizations vulnerable, underscoring the importance of a comprehensive and context-aware solution.

Spotting compromised credentials before chaos ensues is both an art and a science.

Key methods:

  1. Anomaly detection: Have you ever noticed an API key making requests from two different continents simultaneously? That’s not a magic trick; it’s likely a breach.
  2. Usage pattern monitoring: Track how, where, and when secrets are being used. A secret suddenly accessing systems it has never touched before? Red flag.
  3. Metadata enrichment: Add context to your secrets. Knowing what a key is supposed to do (and not do) is vital for identifying misuse.
  4. Continuous scanning: Regularly search source code repositories, configuration files, and other environments for exposed secrets. Because secrets like to hide in plain sight.
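The first two methods above (anomaly detection and usage pattern monitoring) can be illustrated with a small detector run over usage logs. The following is an added example, not Entro's code: it assumes a constructed log format of `timestamp key_id source_country target_system`, a constructed baseline of which systems each key has historically touched, and an arbitrary 30-minute window for the "two continents at once" check.

```python
"""Added example: flag suspicious API-key usage in a constructed usage log.

Two checks are implemented:
  * impossible_travel: the same key is used from two different countries
    within a short window (the "two continents simultaneously" case).
  * new_target: a key touches a system that is not in its historical baseline.
"""
from datetime import datetime, timedelta

# Constructed sample log (not from any real system).
# Format per line: ISO-8601 timestamp, key id, source country, target system.
SAMPLE_LOG = """\
2024-03-01T10:00:00Z key_alpha US billing-api
2024-03-01T10:02:00Z key_alpha US billing-api
2024-03-01T10:05:00Z key_alpha DE billing-api
2024-03-01T10:30:00Z key_beta US reports-db
2024-03-01T10:31:00Z key_beta US customer-pii-db
2024-03-01T11:00:00Z key_gamma FR cdn-upload
"""

# Constructed baseline: systems each key is known to use (the "metadata" context).
BASELINE = {
    "key_alpha": {"billing-api"},
    "key_beta": {"reports-db"},
    "key_gamma": {"cdn-upload"},
}


def parse_log(text):
    """Parse the constructed log format into (timestamp, key, country, target) tuples, oldest first."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, key, country, target = line.split()
        events.append((datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), key, country, target))
    return sorted(events)


def detect_anomalies(events, baseline, window=timedelta(minutes=30)):
    """Return a list of (alert_type, key, detail) tuples in the order the alerts fire."""
    alerts = []
    last_seen = {}  # key -> (timestamp, country) of its most recent use
    # Copy the baseline so the caller's sets are not mutated.
    seen_targets = {k: set(v) for k, v in baseline.items()}

    for ts, key, country, target in events:
        prev = last_seen.get(key)
        # Same key, different country, too close in time to be the same client.
        if prev is not None and prev[1] != country and ts - prev[0] <= window:
            alerts.append(("impossible_travel", key, f"{prev[1]}->{country}"))
        last_seen[key] = (ts, country)

        # A system this key has never been seen touching before.
        known = seen_targets.setdefault(key, set())
        if target not in known:
            alerts.append(("new_target", key, target))
            known.add(target)  # alert once, then treat it as seen
    return alerts


if __name__ == "__main__":
    for alert in detect_anomalies(parse_log(SAMPLE_LOG), BASELINE):
        print(alert)
```

On the sample log this raises two alerts: `key_alpha` used from the US and then from Germany three minutes later, and `key_beta` reaching `customer-pii-db`, which is absent from its baseline. The baseline is what makes the second check possible at all; without knowing what a key is supposed to touch, a new target is indistinguishable from normal use.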
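The hardcoded-secrets problem described earlier and the continuous-scanning method above both come down to finding credential-shaped strings in source and configuration files. The following is an added example, not Entro's scanner: it assumes a constructed source snippet, the well-known `AKIA` prefix format of AWS access key IDs, a generic `name = "value"` pattern for names such as key, secret, token or password, and an arbitrary Shannon-entropy threshold of 3.0 bits to separate real-looking secrets from placeholders.

```python
"""Added example: scan text for hardcoded secrets with pattern matching plus an entropy filter."""
import math
import re

# Constructed source snippet. The AKIA prefix is the real AWS access key ID format;
# the remaining characters are made up and do not correspond to any real key.
SAMPLE_SOURCE = """\
import os
# constructed sample key: the AKIA prefix is the real AWS format, the rest is made up
AWS_ACCESS_KEY_ID = "AKIAEXAMPLEKEY000001"
API_TOKEN = "tok_constructed_9f8e7d6c5b4a"
password = "changeme"
db_password = os.environ["DB_PASSWORD"]
api_key = "${API_KEY}"
"""

PATTERNS = {
    # AWS access key IDs: "AKIA" followed by exactly 16 upper-case alphanumerics.
    "aws_access_key_id": re.compile(r"\bAKIA[0-9A-Z]{16}\b"),
    # Generic assignment of a key/secret/token/password name to a quoted literal of 8+ chars.
    "generic_assignment": re.compile(
        r"(?i)(api[_-]?key|secret|token|password)\s*[:=]\s*['\"]([^'\"]{8,})['\"]"
    ),
}


def shannon_entropy(value):
    """Bits of entropy per character; random-looking secrets score high, words score low."""
    if not value:
        return 0.0
    counts = {}
    for ch in value:
        counts[ch] = counts.get(ch, 0) + 1
    n = len(value)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def scan_text(text, min_entropy=3.0):
    """Return (line_number, pattern_name, matched_value) for each likely hardcoded secret."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        m = PATTERNS["aws_access_key_id"].search(line)
        if m:
            findings.append((lineno, "aws_access_key_id", m.group(0)))
        for m in PATTERNS["generic_assignment"].finditer(line):
            value = m.group(2)
            # Skip obvious placeholders such as ${VAR} or <redacted>.
            if value.startswith("${") or value.startswith("<"):
                continue
            # Low-entropy values (dictionary words) are left out to reduce noise.
            if shannon_entropy(value) >= min_entropy:
                findings.append((lineno, "generic_assignment", value))
    return findings


if __name__ == "__main__":
    for finding in scan_text(SAMPLE_SOURCE):
        print(finding)
```

The entropy filter is a deliberate trade-off: it drops `password = "changeme"` as a probable default, which reduces noise but also means weak real passwords slip through. A production scanner pairs this with a list of known credential formats and runs in CI and over repository history, not just the current checkout.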

Mitigating the risk of compromised credentials

If compromised credentials are the problem, proactive secrets management is the solution. A cybersecurity incident response plan ensures that if your business’s non-human identities are attacked, you already know what to do.

Best practices:

  1. Principle of least privilege: Only grant secrets the minimum permissions needed to perform their tasks. An API key doesn’t need global admin privileges.
  2. Audit and monitor: Regularly review secrets, monitor usage, and investigate anomalies. Lazy secret management is a recipe for disaster.
  3. Avoid sharing secrets directly: Use secure sharing mechanisms. Forget emailing that encryption key or pasting it into a Slack chat.
  4. Educate developers: Empower teams with knowledge about secure coding practices and secrets management. Awareness is half the battle.
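The least-privilege practice can be checked mechanically: compare what a credential's policy grants against what the credential is meant to do. The following is an added example, not Entro's product logic: it assumes a constructed IAM-style policy document for a token whose only job is uploading files to one S3 bucket (the "upload to S3 but also delete databases" case quoted earlier), and an expected-action set declared by whoever owns the credential.

```python
"""Added example: lint an IAM-style policy against the declared purpose of a credential."""
import json

# Constructed policy for a credential whose only task is uploading to one bucket.
# The second statement is the over-provisioned grant a least-privilege review should catch.
UPLOAD_ONLY_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Action": ["s3:PutObject"],
         "Resource": "arn:aws:s3:::example-uploads/*"},
        {"Effect": "Allow", "Action": ["rds:DeleteDBInstance", "s3:*"],
         "Resource": "*"},
    ],
})

# Declared purpose of the credential: the only action it should need (constructed).
EXPECTED_ACTIONS = {"s3:PutObject"}


def _as_list(value):
    """IAM fields may be a single string or a list; normalise to a list."""
    return value if isinstance(value, list) else [value]


def find_excess_permissions(policy_json, expected_actions):
    """Return (statement_index, action, reason) for every Allow grant beyond the expected set."""
    policy = json.loads(policy_json)
    findings = []
    for i, stmt in enumerate(_as_list(policy.get("Statement", []))):
        if stmt.get("Effect") != "Allow":
            continue  # Deny statements never widen access
        resources = _as_list(stmt.get("Resource", []))
        for action in _as_list(stmt.get("Action", [])):
            if "*" in action:
                findings.append((i, action, "wildcard action"))
            elif action not in expected_actions:
                findings.append((i, action, "action outside declared purpose"))
            elif "*" in resources:
                findings.append((i, action, "expected action granted on every resource"))
    return findings


if __name__ == "__main__":
    for finding in find_excess_permissions(UPLOAD_ONLY_POLICY, EXPECTED_ACTIONS):
        print(finding)
```

Run against the sample policy, the first statement passes and the second yields two findings: `rds:DeleteDBInstance` is outside the credential's declared purpose, and `s3:*` is a wildcard. The check only works if someone has recorded what each secret is for, which is the same metadata the detection section relies on.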

How Entro solves the compromised credentials conundrum

Entro scans platforms, clouds, repositories, and environments to ensure nothing slips through the cracks. But it doesn’t stop at detection. Entro enriches secrets with metadata, adding valuable context to help you understand their purpose and compliance requirements. Anomaly detection, least-privilege enforcement (PoLP), and continuous monitoring ensure you’ll know if a secret behaves suspiciously, like trying to access a system it has no business knowing about.
