Category: Credential Stealing

AI Training Data Leak: A Growing Security Nightmare

Posted on by Srishti Chaubey

A recent study by Truffle Security uncovered a massive security flaw—over 12,000 real secrets, including API keys and passwords, were embedded in AI training datasets. These secrets, sourced from Common Crawl’s publicly available web data, included authentication tokens for top-tier services like AWS, MailChimp, and WalkScore.

How Did This Happen?

Common Crawl, a nonprofit that archives vast amounts of web data, is widely used for training AI models, including OpenAI’s ChatGPT, Google Gemini, and Meta’s Llama. However, an analysis of 400 terabytes of data from 2.67 billion web pages in 2024 revealed alarming findings:

  • Over 200 different types of secrets were exposed, with AWS, MailChimp, and WalkScore being among the most affected.
  • 1,500+ MailChimp API keys were hardcoded into front-end HTML and JavaScript.
  • A single WalkScore API key was used 57,029 times across 1,871 subdomains.

This issue is a symptom of a widespread problem: developers frequently leave credentials in code during development and forget to remove them before deployment.

The Bigger Threat: AI-Powered Credential Harvesting

Cybercriminals have long used web scraping to extract sensitive information, but AI models amplify the risk. Since AI is trained on vast amounts of publicly available data, it can inadvertently learn, store, and reproduce these secrets. Even when training data is screened, current filtering mechanisms are not foolproof.

Security firm Truffle Security highlighted another concern—AI coding tools don’t distinguish between safe and unsafe credentials. This means example credentials can reinforce poor security practices, making AI-assisted development a potential security liability.

Beyond Credential Leaks: AI Training Risks Grow

This issue is part of a broader set of security challenges tied to AI training data:

  1. Wayback Copilot Attack – Even if organizations secure private repositories, older versions of their data remain accessible through AI tools like Microsoft Copilot due to search engine indexing.
  2. Jailbreak Attacks – Hackers are finding ways to bypass AI security safeguards and extract confidential data from models.
  3. AI Misalignment Risks – If AI is trained on insecure code, it may unknowingly generate unsafe or hazardous recommendations.

How Organizations Can Protect Themselves

Following the discovery, affected vendors revoked compromised keys, but organizations must adopt proactive security measures to prevent future leaks:

  • Use Environment Variables – Never hardcode secrets in source code. Instead, use secure vaults or environment variables.
  • Automate Secret Scanning – Implement tools like TruffleHog, GitGuardian, or AWS Secrets Manager to detect and remove exposed credentials.
  • Adopt Zero-Trust AuthenticationMove away from passwords entirely with passwordless and zero-trust authentication solutions like PureID to mitigate credential-related risks.
  • Enhance AI Training Data Security – AI providers must improve data sanitization techniques to prevent sensitive information from being included in training datasets.

Conclusion

This AI training data breach underscores a critical cybersecurity concern—the mass scraping of data for AI training can inadvertently expose sensitive information. While vendors have taken corrective action, the industry must rethink security practices in an AI-driven world.

As AI grows more advanced, so must our approach to safeguarding digital identities and authentication systems. It’s time for organizations to embrace a passwordless future and strengthen their security posture against evolving threats.

Stay secure. Stay informed.

The Cyber Battleground: Major Attacks Shaping 2025

Posted on by Srishti Chaubey

The year is 2025, and the cyber war front is more active than ever. Threat actors are refining their tactics, launching sophisticated attacks across industries. From media and infrastructure to encrypted messaging platforms and AI-driven workplaces. Below is a breakdown of the latest high-impact cyber incidents, what they mean for security, and how organizations can stay ahead.

1. The Newsroom Blackout: Cyberattack on Lee Enterprises

On February 3, 2025, a major cyberattack disrupted Lee Enterprises, a leading American media conglomerate, causing print delays and operational chaos. Newspapers like the Post-Dispatch and Casper Star-Tribune struggled to publish content, with parts of the IT infrastructure forcibly taken offline. While the exact attack vector remains undisclosed, the event underscores the vulnerability of media organizations to digital disruptions.

Key Takeaway: Ransomware and IT disruptions in media outlets can impact information dissemination. Cyber resilience planning is crucial for organizations handling sensitive data and tight production schedules.

2. Microsoft KMS Exploited: Sandworm’s Silent Weapon

The infamous Sandworm APT (APT44/UAC-0145) has weaponized Microsoft Key Management Service (KMS) activators, targeting Windows users in Ukraine. The attack leverages pirated KMS tools and fake Windows updates to inject malware, including DarkCrystal RAT (DcRAT), compromising critical systems.

Key Takeaway: Secure software sourcing is critical. Enterprises must enforce strict software policies and monitor for unauthorized activations.

2025 Cyber Attacks: Microsoft: Russia's Sandworm APT Exploits Edge Bugs Globally
Credit: Dark Reading

3. PAN-OS Under Siege: Critical Vulnerability in Palo Alto Networks

Security teams are on high alert as Palo Alto Networks confirmed active exploitation of CVE-2025-0108, an access control flaw rated at 8.8 severity. Attackers with network access can bypass authentication and execute PHP scripts remotely. Combined with CVE-2024-9474, this vulnerability grants root-level access.

Key Takeaway: Immediate patching is essential. Delaying updates could be catastrophic.

4. Phishing Strikes Signal: A New Era of Social Engineering

Russian hacking groups (UNC5792 & UNC4221) are targeting Signal users by exploiting QR codes in phishing campaigns. Victims scanning these malicious codes unknowingly grant attackers access to their encrypted conversations. In response, Signal has rolled out new verification mechanisms to counter unauthorized device linking.

Key Takeaway: Users should verify QR codes before scanning and enable multi-factor authentication (MFA) for sensitive accounts.

5. The Fake IT Support Scam on Microsoft Teams

Russian hacking collectives Fin7 and Storm-1811 have been masquerading as IT support personnel on Microsoft Teams, tricking employees into granting access. Once inside, attackers deploy ransomware, encrypting data and demanding hefty ransoms.

Key Takeaway: Organizations must enforce strict identity verification for remote IT support and educate employees to recognize impersonation attempts.

6. Chinese Hackers Escalate from Espionage to Infrastructure Attacks

Volt Typhoon and Salt Typhoon, the two alleged Chinese state-sponsored groups, have shifted focus from corporate espionage to U.S. critical infrastructure. Their primary targets include utilities, ports, and telecom networks, exploiting outdated telecom equipment to infiltrate systems.

Key Takeaway: The attacks highlight the urgent need for infrastructure modernization and proactive cybersecurity measures.

7. Astaroth Phishing Attack: Bypassing 2FA Like Never Before

A new phishing campaign “Astaroth” targets Gmail and Outlook users, bypassing two-factor authentication (2FA) through real-time credential interception. Attackers trick users into entering login credentials and 2FA codes on counterfeit pages, hijacking accounts instantly.

Key Takeaway: Phishing-resistant authentication, such as PureAUTH, and continuous monitoring are essential for protection.

Final Thoughts: The Road Ahead

As cyber threats evolve, businesses and individuals must adopt a proactive security stance. The key takeaways:

  • Patch vulnerabilities immediately: Delayed updates remain a hacker’s best friend.
  • Implement Zero-Trust security: Don’t trust, always verify.
  • Educate employees on phishing threats: Human error remains a top attack vector.

Cybersecurity in 2025 is a battleground. Staying ahead requires vigilance, smart investments, and a commitment to continuous security improvements. The question isn’t if you’ll be targeted, it’s when. Are you ready?

Read Also:

Microsoft Reveals Russian Hack: Executives’ Emails Compromised

Passwords Leaked : Microsoft in Trouble

BeyondTrust Breach: A Wake-Up Call for Cybersecurity

Posted on by Srishti Chaubey

Introduction

Imagine this: An organization that promises to protect your passwords and block unauthorized access falls victim to the very attack it aims to prevent. That’s exactly what happened to BeyondTrust, one of the well-known companies in the privileged access management space, when attackers targeted their Remote Support SaaS instances earlier this month. The breach exposed a serious vulnerability CVE-2024-12356 that allows attackers to execute commands remotely. Though BeyondTrust responded with swift patching of the problem, the incident leaves several tough questions regarding the exploitations that can even take place against the best of defenses.

Beyond Trust breach vulnerability
Credit: Bleeping Computer

What Went Wrong in the BeyondTrust Breach?

On December 2, 2024, BeyondTrust noticed something unusual: attackers had seized an API key for their Remote Support SaaS. This gave them the power to reset application passwords and gain unauthorized access.

As they investigated, BeyondTrust uncovered two vulnerabilities:

  • CVE-2024-12356: A critical flaw that scored 9.8 out of 10 in severity and lets attackers inject commands remotely.
  • CVE-2024-12686: A medium-severity bug that allows attackers with admin privileges to upload malicious files.

What’s worse, CVE-2024-12356 wasn’t just a hypothetical risk. The U.S. Cybersecurity and Infrastructure Security Agency (CISA) confirmed that attackers were already exploiting it in the wild.

The Irony

It’s hard to ignore the irony. BeyondTrust promised to protect against attacks like remote code execution and password theft, but attackers breached its defenses.

This isn’t the first time BeyondTrust has faced such a challenge. Last year, the company confirmed they were targeted after the Okta breach, underscoring how interconnected cybersecurity threats have become.

This is not BeyondTrust’s story alone but a stark reminder that no company, not even cybersecurity experts, is perfectly immune to attacks.

Why It Matters for Businesses

Thousands of organizations in healthcare, retail, and banking use BeyondTrust’s tools. A breach like this doesn’t just affect the company; it ripples out, impacting businesses that rely on their tools.

Here’s why this should matter to you:

  • Eroded Trust: Clients might start questioning the reliability of their systems.
  • Raising Risk: Exploited vulnerabilities can lead to data theft, operational issues, or worse.
  • Supply Chain Woes: If a key vendor is breached, one asks themselves how secure third-party software really is.

What You Can Do to Protect Your Business

Whether or not you use BeyondTrust’s products, it is a good time to take stock of your security practices. Here’s what you can do right now:

  1. Patch Your Systems: Update to the latest versions of BeyondTrust’s PRA and RS software.
  2. Check for Signs of Trouble: Review logs for unusual activity linked to API keys.
  3. Limit Your Exposure: Disable any unnecessary features and limit your access to the internet.
  4. Be Alerted: Monitor updates from BeyondTrust and cybersecurity agencies such as CISA.

Conclusion

The BeyondTrust breach is a reality check for everyone. Even the most trusted cybersecurity companies can get caught in the crossfire. It’s a reminder that no system is invincible and that vigilance is non-negotiable.

This means that organizations go beyond trust—pun intended—and actively work toward making their defenses stronger. They should update early, monitor their systems, and never assume they are safe. In today’s evolving world of cyber threats, one can only protect what matters most by staying a step ahead.

Storm-0501: Unveiling the Tactics Behind Multi-Stage Hybrid Cloud Attacks

Posted on by Srishti Chaubey

Introduction

The global cloud services market, valued at $551.8 billion in 2021, is projected to reach $2.5 trillion by 2031. This explosive growth makes cloud environments a prime target for cyber criminals. One such group is Storm-0501, an extortion-orientated cyber crime group that’s been conducting multi-stage attacks against hybrid cloud environments in government, manufacturing, transportation, and law enforcement. Since its inception in 2021, Storm-0501 has changed its operations, shifting from targeting U.S. school districts to running RaaS operations. This blog post explains the tactics, techniques and procedures (TTPs) of the group to help improve organizational defenses with mitigation strategies.

Storm-0501 TTPs: Steal Technique

Initial Compromise and Discovery

Storm-0501 has traditionally obtained initial access using compromised credentials or exploitation of known vulnerabilities in systems with widespread use. In a recent campaign, Storm-0501 exploited known vulnerabilities in Zoho, ManageEngine (CVE-2022-47966), Citrix, NetScaler (CVE-2023-4966), and ColdFusion (possibly CVE-2023-29300 or CVE-2023-38203). After gaining entry into the target network, it conducts extensive exploration using several tools to find high-value assets, obtain credentials, and increase privileges.

Lateral Movement and Credential Theft

Storm-0501 uses Impacket’s SecretsDump and Cobalt Strike to move laterally across the network grabbing credentials to compromise additional devices. They target the administrative accounts, mostly utilizing password reuse or weak credentials, accessing both their on-premises and cloud environments. Using cloud session hijacking, especially in Microsoft Entra, they establish persistent backdoor access into the target systems.

From Ground to Cloud: Storm-0501’s Cross-Environment Exploits

One of the most significant tactics Storm-0501 uses is the exploitation of the Microsoft Entra Connect Sync service by doing synchronization of credentials between the on-premises AD and cloud. The attackers escalate the privileges in both environments after compromising the sync accounts to have control over the cloud environment and for a persistent backdoor for the next attack.

Storm 0501 Exploit
Credit: Microsoft

Aftermath of the Storm-0501 Attack

The aftermath of a Storm-0501 attack can be devastating, with the group often gaining control over both on-prem and cloud environments, exfiltrating sensitive data, deploying ransomware, and tampering with security products to avoid detection. The threat will only increase with the new deployment of Embargo ransomware, where victim data is encrypted and sensitive information leaked unless a ransom is paid.

Such attacks would lead to the stealing of credentials, data breaches, service disruptions, and heavy financial losses. Storm-0501 pays extra attention to sensitive sectors such as hospitals, which raises stakes not only on data security but also public safety.

Mitigation

Hybrid Cloud Security Enhancement

While Microsoft has implemented restricted permissions on DSA roles in Entra Connect Sync and Entra Cloud Sync, defending Storm-0501 needs a robust, multi-layered approach. Conditional Access policy can further harden access to cloud services from non-verified devices and locations as a risk mitigation approach.

Harden Cloud Security Measures

Even solutions proposed by today’s market leaders such as Microsoft are still often based on passwords in most cases and, hence, would probably fail to deliver proper authentication in a much-enlarged, cloud-to-on-premises environment. Therefore, organizations should embrace solutions such as PureAUTH IAM Firewall that come with the strongest security and reliability against attacks exploiting credentials and even zero-day vulnerabilities. Built on a zero-trust architecture, it provides reliable, passwordless protection, further enhancing resilience against sophisticated threats.

Conclusion

Organizations need to move away from convenient and conventional IAM solutions and start interacting with leading edge defenses, such as passwordless authentication. Enhancing cloud security policies and infrastructure defenses will enable enterprises to withstand new cyber threats.

Solutions like PureAUTH will help organizations build a far more robust infrastructure that is not only adaptable but will also neutralize the most sophisticated cyber threats in existence.

Read Also

Microsoft Entra ID Vulnerabilities: Pass-Through Authentication Risks

Storm-0501: Ransomware attacks expanding to hybrid cloud environments

The achilles’ heel of cloud security: Why two-factor authentication isn’t enough

RockYou2024: Nearly 10 Billion Passwords Leaked Online

Posted on by Srishti Chaubey

Introduction

On July 4, 2024, the cybersecurity community was rocked by the discovery of RockYou2024, the largest password compilation leak in history. This staggering breach, revealed by a Cybernews research team, includes nearly 10 billion unique plaintext passwords. The massive dataset, posted on a popular hacking forum, presents severe security risks, especially for users prone to reusing passwords.

The RockYou2024 Password Leak

The RockYou2024 password leak, tracked as the largest of its kind, was unveiled by Cybernews researchers. The file, named rockyou2024.txt, contains an astounding 9,948,575,739 unique plaintext passwords. The dataset was posted by a user named “ObamaCare,” who has a history of leaking sensitive information. This compilation is believed to be a mix of old and new data breaches, significantly increasing the risk of credential stuffing attacks.

Credit: Cybernews

A Brief History of RockYou

The RockYou series of password leaks dates back to 2009, when the original RockYou breach exposed over 32 million user account details. In 2021, the RockYou2021 compilation, containing 8.4 billion passwords, set a new record at the time. RockYou2024 expands on this legacy, adding another 1.5 billion new passwords, making it the largest password dump to date.

Impact and Exploitation Risks

The RockYou2024 leak poses significant dangers due to the vast number of real-world passwords it contains. Cyber-criminals can leverage this data to execute brute-force attacks, attempting to gain unauthorised access to various online accounts. Combined with other leaked databases containing usernames and email addresses, RockYou2024 could lead to widespread data breaches, financial fraud, and identity theft.

How to Protect Against RockYou2024

Reset Compromised Passwords

Immediately reset passwords for any accounts associated with the leaked data. Ensure new passwords are strong, unique, and not reused across multiple platforms.

Enable Multi-Factor Authentication (MFA)

Enable MFA wherever possible. This adds an extra layer of security by requiring additional verification beyond just a password.

Implement Passwordless Solutions

Adopting passwordless solutions can further enhance security. SAML-based passwordless solutions, such as Single Sign-On (SSO) systems, eliminate the need for passwords by using secure tokens for authentication. These solutions reduce the risk of password-related attacks and improve user convenience.

Monitor Accounts and Stay Informed

Regularly monitor accounts for suspicious activity and stay informed about the latest cybersecurity threats and best practices.

Conclusion

This recent breach highlights how fragile and unsafe passwords are, underscoring the need for more secure authentication methods. The RockYou2024 leak demonstrates that even with strong, unique passwords, the risks remain significant. Multi-factor authentication (MFA), while an added layer of security, is not foolproof. For example, MFA breaches such as the 2022 Uber hack and the attack on Microsoft’s Office 365 users in 2021 show its vulnerabilities.

Additionally, password managers are not entirely reliable. The Okta breach in 2022 and the OneLogin breach in 2017 exposed millions of user accounts, demonstrating that even these tools can be compromised.

In light of these risks, passwordless systems are emerging as the next hot trend in cybersecurity. SAML-based passwordless solutions, like PureAuth, provide enhanced security by eliminating the need for passwords and reducing the attack surface for cybercriminals.

Embracing passwordless systems, combined with continuous monitoring and updated security practices, is essential for protecting against the evolving threat landscape. Stay ahead of cyber threats by adopting innovative authentication methods and ensuring your digital assets are well-protected.

SnowBall effect of Snowflake Breach

Posted on by Srishti Chaubey

Executive Summary

Snowflake an American cloud computing–based data cloud company, identified a breach in June 2024, which had far-reaching implications for various organisations. Attackers exploited stolen credentials from a Snowflake employee, enabling unauthorised access to sensitive customer data, including credentials and access tokens. This breach was exacerbated by bypassing Okta’s security measures, allowing the attackers to generate new session tokens and access extensive customer data without detection.

Key Affected Customers:

Attack Method

  • Credentials Theft: Initial access through compromised employee credentials
  • Bypass Mechanism: Circumvention of Okta Security Protocols
  • Exploitation: Generation of new session tokens to access databases and steal data
Attack Path Diagram
Credit: The Hacker News

The Domino Effect

The Snowflake breach has created a domino effect, where the initial compromise has led to multiple subsequent breaches. This incident mirrors the earlier Okta breach,, where attackers leveraged stolen credentials to infiltrate various organizations.

Domino Effect of Snowflake Breach

Companies affected include:

  • Ticketmaster: Reported unauthorised access to sensitive data.
  • Advance Auto Parts: Experienced data theft, with stolen information now for sale on dark web marketplaces.
  • Santander Bank: Compromised customer data led to financial and reputational damage.
  • Hugging Face, Quote Wizard, Lending Tree: Also reported breaches, with more organizations likely to follow .

Inherent Weaknesses in Traditional IAM Solutions

Password + MFA Based Authentication:

  • Reliance on passwords makes systems vulnerable to phishing and credential theft.
  • Multi-Factor Authentication (MFA) is often ineffective as attackers can bypass Password + MFA protection mainly by phishing or using a compromised device.
  • Social Engineering attacks have shown that phishing resistant MFA like FIDO keys, & passkeys can prove to be ineffective & can be easily disabled or reset.

IAM Blind Spots:

Apart from reliance on vulnerable passwords for identifying user. The existing IAM solutions are blind to following risks

  • Connection Risk – Traditional IAM solutions lack visibility of user connections. They cannot know whether an authentication request is coming from an authorised actor or an attacker in the middle.
  • User’s Device Risk – They also do not account for the type & security posture of user’s devices, leaving systems exposed to malware and remote monitoring, as seen in the Uber incident.

Impact Assessment

The Snowflake breach is termed as the biggest data breach so far and it’s cascading effect has led to numerous organisations reporting security incidents & data breach. 

The amplification effect could potentially lead to a vast number of downstream breaches, escalating the overall impact.

Impact of Snowflake Breach
Credit: XQ

Towards a Secure Future

Challenges with Current Solutions:

  • Time and again Password + MFA based systems are proven to be ineffective against simple attacks like phishing & social engineering.
  • There is a pressing need for more robust authentication mechanisms.

Protect your Enterprise, #GoPasswordless with PureAUTH

FIDO Solutions like Passkeys and hardware tokens focus on giving users a passwordless experience keeping the passwords on the server as the primary way to identify and authenticate users.

PureAUTH Platform on the other hand provides a comprehensive passwordless approach, eliminating the passwords from server side & not just from user side. PureAUTH is the only solution that protects an organisation against phishing, social engineering, frauds & all types of credential-based attack.

To learn more about PureAUTH & how it protects your existing IAM systems like Okta, OneLogin, CISCO Duo, or Azure AD in just 60 minutes at Zero Cost – get in touch with us

Related Blogs

Okta Warns Customers of Credential Stuffing Attacks

Unpacking Okta’s Recent Security Breach

Dell Data Breach: 49M Customer Records Exposed

Posted on by Srishti Chaubey

In a data breach that has caused anxiety about security and privacy, Dell, a technology hardware giant, has admitted to its occurrence having affected 49 million customer records. The unsecured API linked to a partner portal allowed hackers to swipe a huge amount of information about customers from Dell’s database.

Dell Data Breach Customer Records: Source Daily Dark Web
Dell customer data on Breach Forums
Source: Daily Dark Web

Methodology of the Breach

The hacker, known as Menelik, shared his methodology with TechCrunch .

“Believe me or not, I kept doing this for nearly 3 weeks and Dell did not notice anything. Nearly 50 Million requests…After I thought I got enough data, I sent multiple emails to Dell and notified the vulnerability. It took them nearly a week to patch it all up,” Menelik said.

Dell on the other hand, responded with “Let’s keep in mind, this threat actor is a criminal and we have notified law enforcement.”

  • Exploiting Partner Accounts: The threat actor created multiple “partner” firms known by different names for multiple accounts thereby leading in access to sensitive customer records.
  • Scraping Customer Data: They stole huge amounts of client data directly from Dell’s servers including personal particulars and purchase information.
  • Persistence and Volume: For nearly three weeks, the perpetrator launched an unyielding onslaught of appeals that led to almost 50 million records.
  • Reporting:  They emailed Dell on April 12th and 14th to report the bug to Dell security team
Dell Data Breach Customer Records: Email to Dell from Menelik
Email sent to Dell about partner portal flaw
Source: Menelik

“Prior to receiving the threat actor’s email, Dell was already aware of and investigating the incident, implementing our response procedures and taking containment steps. We have also engaged a third-party forensics firm to investigate.”

Stolen Data Details

The exposed data has customer order data, including warranty information, service tags, names, locations, customer numbers, and order numbers.

The hacker, Menelik says the stolen customer records include the following hardware breakdown:

  • Monitors: 22,406,133
  • Alienware Notebooks: 447,315
  • Chromebooks: 198,713
  • Inspiron Notebooks: 11,257,567
  • Inspiron Desktops: 1,731,767
  • Latitude Laptops: 4,130,510 
  • Optiplex: 5,177,626
  • Poweredge: 783,575
  • Precision Desktops: 798,018
  • Precision Notebooks: 486,244
  • Vostro Notebooks: 148,087
  • Vostro Desktops: 37,427
  • Xps Notebooks: 1,045,302
  • XPS/Alienware desktops: 399,695

Mitigation Efforts

Incident response protocols were deployed by Dell, containment strategies were employed, and external forensic experts were contracted to investigate and fix vulnerabilities.

Conclusion

Dell has advised customers to remain vigilant at all times by reporting any suspicious activities associated with their accounts or purchases as soon as possible.

Dell Email to Customers

The 49 million customer purchase data between 2017-2024 looks like the perfect phishing bait. Anyone posing as dell representative can trick users into clicking links and being set up for credential theft.

We need to prevent a phishing incident like those that rocked Okta, Dropbox and Lastpass. It becomes imperative to fortify your organization with robust authentication methods. Embracing passwordless authentication could be precisely the solution needed. After all, if you don’t possess traditional credentials, they can’t be stolen, can they?

Read Also

Massive Data Breach: 125 Million Records Exposed Due to Firebase Misconfiguration

Okta Warns Customers of Credential Stuffing Attacks

Posted on by Srishti Chaubey

In a recent advisory, Okta, a leading identity and access management services provider, sounded the alarm over a rise in credential stuffing attacks targeting online services. Let’s delve into the details of this warning and understand the implications.

Overview of the Threat

Okta reported a significant increase in the frequency and scale of credential stuffing attacks against online services in recent weeks. These attacks have been fuelled by the widespread availability of residential proxy services, lists of previously stolen credentials, and automation tools. The surge in attacks poses a severe threat to the security of user accounts and sensitive data.

Observations by Security Experts

Duo Security and Cisco Talos also observed large-scale brute-force attacks against various targets, including VPN services, web application authentication interfaces, and SSH services. The attacks, originating from TOR exit nodes and other anonymizing tunnels and proxies, targeted VPN appliances and routers from multiple vendors.

Modus Operandi of Credential Stuffing Attacks

Credential stuffing attacks involve the automated trial of username and password combinations obtained from previous data breaches or phishing campaigns. Threat actors exploit the reuse of login credentials across multiple accounts, attempting to gain unauthorised access to compromised accounts.

Recommendations for Organisations

  • Enable ThreatInsight in Log and Enforce Mode for proactive IP address blocking.
  • Deny access from anonymizing proxies to prevent attacks from dubious sources.
  • Switch to Okta Identity Engine for enhanced security features.
  • Utilize CAPTCHA challenges and passwordless authentication with Okta FastPass.
  • Implement Dynamic Zones to manage access based on geo-location and other criteria.
Okta's Warning on Credential Stuffing Attacks
Blocking anonymized requests from Admin Console > Settings > Features
Okta

Implementing these recommendations can fortify an organisation’s defence against credential stuffing attacks, ensuring a safer online environment for users and stakeholders.

Conclusion

Credential stuffing attacks pose a significant threat to the security of online services and user accounts. By heeding Okta’s warning and implementing robust security measures, Okta customers can better protect themselves against these malicious activities and safeguard their sensitive data.

Another approach to create a safer cyber world is to not use the typical password based authentication. By eliminating passwords, organizations can improve their defences, increase security and reduce the risk of future incidents. Typical cyber attacks such as Credential Stuffing are not applicable to Passwordless authentication, so the best way to move forward is to #gopasswordless

Read Also

Unpacking Okta’s Recent Security Breach

Okta Breach Part 2: Unveiling the Full Scope and Impact

Google 2FA Breach: Rethink Authentication Security

Posted on by Srishti Chaubey

In today’s digital landscape, safeguarding our online presence is paramount. Two-factor authentication (2FA) has emerged as a crucial tool in this endeavour. Platforms like Google and Facebook offer 2FA to bolster account security. However, there have been multiple incidents revealing vulnerabilities in this system, prompting concerns among users.

The Case of the Bypassed 2FA

Recent reports unveiled breaches in Gmail and YouTube accounts despite 2FA activation. This revelation underscores a fundamental truth: security with passwords, along with 2FA or MFA is fallible. Hackers continuously adapt their tactics, exploiting weaknesses even in trusted systems like 2FA.

Credit : Forbes

Understanding the Bypass

While the exact method remains undisclosed, hackers may employ various strategies to circumvent 2FA. According to Forbes, It’s probable that these users fell prey to what’s known as a session cookie hijack attack. Typically initiated through a phishing email, hackers direct victims to a counterfeit login page. Upon entering their credentials, users are prompted to complete a simulated 2FA challenge, which they unwittingly comply with.

The Role of Vigilance

Despite these challenges, I would personally suggest moving away from systems that solely rely on 2FA for authentication. But in the extreme case where abandoning 2FA is not the solution, users must adopt additional measures to enhance their security posture.

Secure Alternative to 2FA/MFA

As we have seen numerous instance of 2FA & MFA getting by passed, enterprises need better methods to secure access to their resources. PureAUTH Secure IAM platform provides Zero Trust -Passwordless access and protects enterprises from following type of attacks

  1. Password Spraying & brute forcing attacks
  2. Credential Phishing, Push fatigue and Adversary in the middle attacks
  3. Public Key replacement attacks targeted at solutions using Public Key based authentication like FIDO keys
  4. Social Engineering attacks to reset user credentials and reset or disable MFA/2FA
  5. Abuse of shared credentials or leaked credentials and in general credential stuffing attacks

Elevating Security: Going Beyond 2FA

Security is an ongoing journey, requiring a multifaceted approach. While the challenges of bypassing 2FA are evident, there’s a growing trend towards passwordless authentication methods. Embracing secure identity and access management technologies, adopting a zero-trust architecture are some promising alternatives. By adapting these alternatives and staying vigilant, users can reinforce their online security against the ever-evolving tactics of cyber criminals.

PureID offers solutions that curate a robust defence against unauthorised access, heralding a more secure digital future for organizations. Embrace the resilience of passwordless authentication, reinforce your security posture with PureID, and navigate the cybersecurity landscape with renewed strength. The journey continues—Passwordless Authentication awaits.

Read Also

Breach Chronicles: MongoDB’s Unsettling Security Saga Unfolds

© 2025 | PureID. All Rights Reserved

Privacy & Terms | Licenses