
The Common Risk Good Passwords Can’t Solve

Written by Michael Jepson | Oct 7, 2025 1:58:25 PM

It doesn’t seem fair. For years, we’ve pen tested companies and highlighted that strong password policies are essential.

An example:

Figure 1: a common password policy recommendation

On paper, these are all excellent practices, and they remain vital. But there is a common risk that none of these measures can fully protect against: the dark web trade in credentials and session data stolen from compromised devices and sold online.

In today's threat landscape, unfortunately, good passwords are no longer enough on their own.

This article explores the issue, including an example where even a solid configuration was not sufficient to prevent account compromise.

The Rise of Info Stealers 

Cybercriminals are spending less time guessing passwords. Instead, they use info stealer malware: malicious software that silently collects data from compromised endpoints. Worse still, they can simply buy the stolen data, so they do not need to create or deploy the malware themselves.

This data often includes: 

  1. Corporate and personal credentials

  2. Browser cookies and session tokens (these can facilitate bypassing MFA)

  3. Auto-filled form data

  4. Cloud service logins such as Microsoft Office 365

Once harvested, these “stealer logs” are packaged and sold across underground markets, forums, and even private Telegram channels. That means an employee could have a perfectly strong, unique password, but if their device was compromised, those credentials may already be in the hands of an attacker in plain text.

To make matters worse, with the right stolen cookie an attacker may be able to log in as the employee without ever being prompted for a second factor. Even a password alone can be enough to compromise an account, as demonstrated in the next section.

A Real-World Example 

Recently, we encountered a case that illustrates this problem perfectly. 

A company asked us to carry out a penetration test of their O365 but declined a configuration review. Confident in their setup, they wanted real-world validation instead. They had already implemented some good controls: 

  1. Password length and complexity above industry standards

  2. Password deny lists

  3. Lockout thresholds

  4. MFA on all accounts

By all traditional measures, they sounded secure. Then the info stealer data arrived.

The data was collected quickly, and we confirmed that three sets of employee credentials stolen by info stealers were still valid.

Two of the accounts were checked for MFA requirements against other endpoints and were well configured with no trivial bypasses.

Figure 2 shows that MFA is required (in the output, "NO" means MFA is required)

However, one of the accounts had skipped MFA setup, and the configuration allowed us to bypass MFA during the assessment.

Figure 3 shows the prompt after entering the leaked password

Figure 4 shows the option to set MFA

Although some improvements were recommended regarding the company's policy, the biggest takeaway was to recognise that the threat landscape has shifted.

Looking Beyond the Perimeter

This shift is why forward-looking CISOs are now focusing on threat exposure management. Instead of assuming internal policies alone will keep them safe, they are actively monitoring what’s happening outside their network:

  1. Are employee credentials being sold in underground forums?

  2. Have session cookies or tokens been compromised?

  3. Are secrets or API keys exposed on public GitHub repositories?

CybaVerse makes this possible by continuously scanning the dark web, clear web, and illicit channels. This gives organisations a clear view of what attackers see, so they can act before stolen data is weaponised.

What Organisations Can Do

While no defence is perfect, there are several steps every security team should take to mitigate this risk:

  1. Monitor for leaked credentials. Don’t wait for a breach to find out your employees’ logins are circulating online.

  2. Harden endpoint security. Implement detection and response to limit the damage if a compromise were to occur.

  3. Review MFA coverage. Ensure MFA is enforced everywhere it should be and consider more phishing-resistant options such as FIDO2 or hardware tokens. 

  4. Limit access to corporate data to corporate devices. This reduces the risk of info stealers being effective in the first instance.  

  5. Invalidate sessions quickly. Be prepared to revoke stolen cookies and tokens when suspicious activity is detected.

  6. Integrate exposure intelligence into incident response. Treat leaked credentials the same way you would treat any other compromised asset. 
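As an added example (not CybaVerse's tooling) of steps 3 and 5 applied to the O365 scenario above, this Microsoft Graph PowerShell script lists accounts that have never registered an MFA method and revokes sign-in sessions for UPNs confirmed in stealer logs. The cmdlets are from the Microsoft.Graph SDK; the scopes and the sample UPNs are assumptions, and the registration report needs an Entra ID P1/P2 licence.

```powershell
# Added example, not CybaVerse's code. Requires the Microsoft.Graph PowerShell SDK
# and an Entra ID tenant with P1/P2 licensing for the registration report.
# Assumed scopes: read the report, revoke sessions. Adjust to your tenant.
Connect-MgGraph -Scopes 'AuditLog.Read.All', 'User.RevokeSessions.All' -NoWelcome

function Get-MfaGapUsers {
    # Every user who has never registered an MFA method: the "skipped MFA setup"
    # state that let a leaked password work on its own in the engagement above.
    Get-MgReportAuthenticationMethodUserRegistrationDetail -All |
        Where-Object { -not $_.IsMfaRegistered } |
        Select-Object UserPrincipalName, IsAdmin,
            @{ Name = 'MethodsRegistered'; Expression = { $_.MethodsRegistered -join ',' } }
}

function Invoke-LeakedCredentialResponse {
    # For each UPN confirmed in stealer logs: report whether it also has an MFA gap,
    # then invalidate refresh tokens and session cookies so a stolen cookie stops
    # working. The plaintext password is also in the log, so reset it as well.
    [CmdletBinding(SupportsShouldProcess)]
    param([Parameter(Mandatory)][string[]]$UserPrincipalName)

    $gaps = Get-MfaGapUsers | ForEach-Object { $_.UserPrincipalName.ToLower() }
    foreach ($upn in $UserPrincipalName) {
        $revoked = $false
        if ($PSCmdlet.ShouldProcess($upn, 'Revoke sign-in sessions')) {
            Revoke-MgUserSignInSession -UserId $upn | Out-Null
            $revoked = $true
        }
        [pscustomobject]@{
            UserPrincipalName = $upn
            MfaNotRegistered  = ($gaps -contains $upn.ToLower())
            SessionsRevoked   = $revoked
        }
    }
}

# Example run: audit MFA coverage, then dry-run the response for constructed UPNs
# (placeholders, not real accounts). Drop -WhatIf to actually revoke sessions.
Get-MfaGapUsers | Format-Table -AutoSize
Invoke-LeakedCredentialResponse -UserPrincipalName 'alice@example.com', 'bob@example.com' -WhatIf
```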

The New Reality

Strong passwords still matter. MFA still matters. But on their own, they are no longer enough. Attackers do not need to guess your users’ credentials; they can simply buy them.

So the question for every organisation is this:

If your employees’ credentials were already on the dark web, would you know?

With proactive monitoring and threat exposure management, the answer can be yes. That visibility is often the difference between an attempted breach and a successful one.

If you want to learn more about how CybaVerse can help you detect and remediate exposure before attackers can exploit it, please get in touch here.