This week, Schneider Electric confirmed that it is investigating a security incident involving its JIRA internal development platform. The attacker group, “Grep,” allege that it stole 40 GB of data from the JIRA platform by using stolen credentials, including “75,000 unique email addresses and full names for Schneider Electric employees and customers.” Grep posted on a dark web site that it is demanding $125,000 to not leak the data.
The attack highlights the growing problem of stolen credentials and how attackers are using them to easily penetrate company networks, platforms, applications, and accounts. The incident was supposedly facilitated with stolen credentials related to the JIRA platform. That means that one of the developers’ credentials were stolen, leaked, and used to access the platform and exfiltrate internal proprietary information. The same intrusion is possible for any application or account accessed through a username and password.
For instance, this week, The Hacker News posted that “cybersecurity researchers have flagged a ‘massive’ campaign that targets exposed Git configurations to siphon credentials, clone private repositories, and even extract cloud credentials from the source code.” The campaign has collected over 15,000 stolen credentials.
According to Verizon’s 2024 Data Breach Report, “over the past 10 years, the use of stolen credentials has appeared in almost one-third (31%) of all breaches.” My prediction is that this number will grow over the next 12 months.
The use of stolen credentials to attack companies is not limited to any one industry. The attack on Change Healthcare, one of the largest data breaches in the healthcare industry, also used stolen credentials.
There is an entire criminal industry devoted to stealing credentials, known as “infostealers.” Wired magazine interviewed a hacker who calls themselves Dark X that said “they logged in to a server and stole the personal data of 350 million Hot Topic customers” and that the theft was a matter of luck. “They just happened to get login credentials from a developer who had access to Hot Topic’s crown jewels.”
The bottom line is that to combat this growing problem of infostealers and credential theft we must enforce the use of strong pass phrases and password resets, monitor stolen credential sites, move to passwordless authentication, and educate our employees about the problem of stolen credentials and how they are being used to attack our companies. This includes every single credential employees or developers have that allows access to any company data. Employees must understand the importance of not using credentials across platforms and to report any suspected leak of credentials as soon as they are aware of it.
For more information on the impact of stolen credentials and why hackers are obsessed with them, go to https://www.bleepingcomputer.com/news/security/point-of-entry-why-hackers-target-stolen-credentials-for-initial-access/.