
Cybercriminals are increasingly exploiting stolen or compromised credentials to gain unauthorized access to systems, and this trend has seen a surge in recent years. According to IBM, credential-based attacks have risen by 71% year-over-year.
Recorded Future has also observed an increase in harvested credentials, with a 135% rise in the past year. Worrisomely, many of these credentials are bundled with cookies, allowing attackers to circumvent MFA safeguards.
This trend is corroborated by industry reports from Mandiant and Cisco Talos. Mandiant's M-Trends reports have identified stolen credentials as a top-five initial intrusion method for the past two years. Cisco Talos researchers have similarly highlighted the prevalence of valid account exploitation as a common attack technique.
Despite the critical nature of this threat, security teams often face overwhelming volumes of stolen credential alerts, many of which are inaccurate, recycled or outdated. And the threat intelligence solutions used to identify stolen credentials come with their own challenges as well.
Stolen passwords can surface in intelligence feeds as apparently new breaches when the data is actually a recycled combolist, or an aggregated list of lists, rather than a new incident. Infostealer threat intelligence can also stem from a compromised personal device that once accessed corporate assets but is no longer active or no longer uses that password.
Additionally, threat intelligence sources may alert on stolen credentials for a specific app following a breach even though the credentials are no longer in use there. Because password reuse is a common practice, those same credentials could still be used on a different high-value app.
So, what can be done to help security teams act swiftly on verified threats without wading through unreliable or redundant TI data?
Push Security has a new capability for that.
Push Security, a pioneer in identity threat detection and response (ITDR), helps security operations teams detect and stop attacks before user accounts can be compromised. Its browser-based ITDR platform is designed to detect attack techniques used earlier in the kill chain, such as phishing, AitM/BitM toolkits, credential stuffing, session hijacking and more.
Recently, Push Security unveiled its verified stolen credentials detection capability, a new feature designed to reshape how security teams combat identity threats.
By analyzing threat intelligence on stolen credentials and comparing it against active credentials in customer environments, the Push platform eliminates false positives. It delivers only actionable alerts to help organizations protect compromised workforce identities.
Simply put, Push Security's approach is to create fingerprints of potentially stolen passwords by salting, hashing and truncating them and then sending these fingerprints to the browser agent for comparisons. In this way no password material ever leaves the secure browser context.
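The salt, hash, truncate and compare flow described above can be sketched as follows. This is an added example, not Push Security's code: the per-user salt, the use of PBKDF2-HMAC-SHA256, the 4-byte truncation and every function and variable name are assumptions, and the sample records are constructed.

```python
import hashlib
import hmac

FP_BYTES = 4            # assumed truncation length (bytes kept from the digest)
ROUNDS = 10_000         # assumed PBKDF2 work factor

def fingerprint(password: str, salt: bytes) -> bytes:
    """Salt + hash + truncate: only a short prefix of the digest is kept,
    so one fingerprint is consistent with many different passwords."""
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ROUNDS)
    return digest[:FP_BYTES]

def build_feed(ti_records, salts):
    """Platform side: convert threat-intel (user, password) pairs into
    per-user fingerprint sets; identities without a known salt are skipped."""
    feed = {}
    for user, leaked_password in ti_records:
        if user in salts:
            feed.setdefault(user, set()).add(fingerprint(leaked_password, salts[user]))
    return feed

def agent_check(salt, observed_logins, leaked_fps):
    """Agent side: fingerprint each password seen at login inside the browser
    and compare locally. Only app names are returned, never password material."""
    hits = []
    for app, password in observed_logins.items():
        fp = fingerprint(password, salt)
        if any(hmac.compare_digest(fp, leaked) for leaked in leaked_fps):
            hits.append(app)
    return sorted(hits)

# Constructed sample data (not real credentials or real feed entries).
SALTS = {"alice@example.com": b"constructed-salt-a", "bob@example.com": b"constructed-salt-b"}
TI_RECORDS = [
    ("alice@example.com", "Summer2023!"),    # leaked from one app, reused elsewhere
    ("bob@example.com", "OldPass#1"),        # recycled combolist entry, since rotated
    ("carol@elsewhere.test", "irrelevant"),  # not a workforce identity
]
LOGINS = {
    "alice@example.com": {"crm": "Summer2023!", "mail": "Unique-pass-91"},
    "bob@example.com": {"mail": "Rotated-pass-77"},
}

def verified_alerts():
    feed = build_feed(TI_RECORDS, SALTS)
    return {user: agent_check(SALTS[user], LOGINS[user], feed.get(user, set()))
            for user in LOGINS}

if __name__ == "__main__":
    print(verified_alerts())
```

The recycled entry for the rotated password produces no alert, while the reused password is flagged on the app where it is still active.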
"Many TI vendors excel at collecting data from hard-to-access sources, but security teams are often overwhelmed by false positives," said Jacques Louw, co-founder and Chief Product Officer at Push Security. "With low actionable intelligence rates and recycled credentials muddying the waters, alerts are frequently ignored or feeds disabled. Our verified stolen credentials detection capability cuts through the noise, providing only verified threats that teams can act on immediately."
This new capability is included at no additional cost for Push Security customers and is integrated into the existing platform, which makes it easier to leverage powerful threat intelligence data without further operational burden.
Edited by
Alex Passett