The Coming Tsunami of Leaked Credentials

December 26th, 2004. A powerful but mostly silent earthquake took place off the coast of northern Sumatra in the Indian Ocean. Beachgoers on the eastern coast of India noticed the strange phenomenon of the sea receding a few hundred yards, but no one put two and two together on the basis of this scant evidence. The catastrophe that followed would come to be known world-wide as the Indian Ocean Tsunami of 2004.


Symptoms of a Growing Tsunami in Cybersecurity

Over the course of the last couple of years, certain “earthquakes” on the cybersecurity landscape have created a new wave of threats that has been growing in magnitude, momentum and probability.

As massive data breaches such as Yahoo!, LinkedIn, Ashley Madison, FriendFinder, MySpace, Dropbox and others have taken place, the Dark Web has quietly accumulated databases of billions of credentials. Because users reuse passwords across sites, many of those username/password pairs are exact matches for live accounts at companies world-wide, and a login with a valid, reused credential looks no different to the target system than a login by the legitimate user.

Of the major breaches reported in the news over the spring and summer of 2017, between one-half and two-thirds involved compromised credentials as an attack vector, and several of these breaches took place in the cloud.

As with the unusual sight of the ocean receding just before the tsunami struck India, we are witnessing parallel seismic events in cybersecurity. The “earthquake” of billions of stolen credentials has already taken place and will continue. Companies are already experiencing breaches in which the only access method was a credential pair lifted from one of these massive data breaches and replayed against another system, where it passed authentication undetected. That is a cybersecurity tsunami in the making.

Sound exaggerated?! A recent report by Thycotic states that the total number of user and privileged accounts at risk by 2020 will reach 300 billion. The report goes on to state that in 2016 alone, 3 billion user credentials and passwords were stolen with 8.2 million stolen every day or approximately 95 passwords per second.


Throw Away Cybersecurity Business-As-Usual

If this is the case – and as stated, recent signs are already pointing to the increased occurrence of this type of attack – then businesses and their cloud providers must throw away cybersecurity business-as-usual.

As companies flock to the cloud for increased security, better operational capabilities and better bottom-line performance and cost savings, cloud providers, authentication providers, single sign-on vendors (IDaaS) and third-party cloud access security brokers (CASBs) must align their offerings to protect their customers against this type of attack.

When one peruses the standard glut of articles on cloud security, nearly every one makes it clear that securing access, authentication and authorization (standard Identity and Access Management) is essential to securing data assets in the cloud. What is at stake is not merely day-to-day operability but, in many cases, the continued existence of the business.

Imagine an entire data center in the cloud simply erased using a few dozen easily executed commands. Events of this kind are entirely within the realm of possibility, especially when administrative-level access can be obtained, without triggering any alert, simply by logging in with leaked or stolen credentials. Seismic events become not only possible but increasingly probable with each new credentials earthquake.


Detection, Analysis & Early Warning Systems Are Required

If detection systems, predictive analysis and early warning systems had been in place before the Indian Ocean Tsunami event of 2004, it’s easy to say tens of thousands of lives would not have been lost. Those detection systems and early warning preventative measures are now most certainly in place.

Hindsight is always 20/20. Cybersecurity is about applying forward-thinking insight into what lies directly ahead based on probability and risk. Detection, early warning and remediation of silent, otherwise undetectable compromised credentials is not only possible but now essentially required. NIST itself recognized this: its recently issued Digital Identity Guidelines (NIST SP 800-63B) require verifiers and identity providers (IdPs) to compare a prospective password against lists of values known to be commonly used or compromised, including those obtained from breach corpora, and to reject it if it appears there.

This type of essential control and intelligence maps directly into the prevention, detection, analysis, early warning, alerting and remediation functions of security frameworks such as the NIST Cybersecurity Framework and the SANS/CIS Critical Security Controls, across use cases such as AuthN/AuthZ, Continuous Monitoring and Remediation, and Post-Major-Breach Remediation. That is to say, after every major industry breach, your company must re-screen its own accounts and protected cloud assets against the newly leaked credentials and remediate any matches.
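The following is an added example, not VeriClouds code and not the CredVerify interface, showing the two controls described above in working form: screening a prospective password against a breach corpus at registration or password change (the NIST SP 800-63B requirement), and classifying risk at login time so that an exact email+password match from a breach can be remediated immediately. The breach corpus, the email addresses, the 5-hex-character prefix length and the hypothetical `BreachIndex`, `screen_new_password` and `login_risk` names are all constructed for the demonstration. The index stores only SHA-1 hashes of the leaked values as lookup keys (SHA-1 is not used here as password storage), and the prefix-bucketed lookup is the k-anonymity range-query pattern, under which a client reveals only the first few characters of a hash and does the final comparison itself.

```python
"""Screen passwords and credential pairs against a leaked-credential corpus.

Added example; not VeriClouds code. Corpus and names below are constructed.
"""
import hashlib
from collections import defaultdict

# Constructed sample breach corpus of (email, password) pairs.
LEAKED_CREDENTIALS = [
    ("alice@example.com", "password123"),
    ("bob@example.com", "Summer2017!"),
    ("carol@example.com", "letmein"),
    ("dave@example.com", "correcthorsebatterystaple"),
]

PREFIX_LEN = 5  # hex chars of SHA-1 a client sends in a k-anonymity range query


def sha1_hex(data: str) -> str:
    """SHA-1 used purely as an index key over the leaked list, not for storage."""
    return hashlib.sha1(data.encode("utf-8")).hexdigest().upper()


def normalize_email(email: str) -> str:
    """Case-fold and trim so 'Alice@Example.com ' matches 'alice@example.com'."""
    return email.strip().lower()


class BreachIndex:
    """Hypothetical in-memory corpus: password hashes bucketed by prefix, plus
    hashes of normalized email:password pairs for exact-match detection."""

    def __init__(self, credentials):
        self.by_prefix = defaultdict(set)
        self.pair_hashes = set()
        for email, password in credentials:
            h = sha1_hex(password)
            self.by_prefix[h[:PREFIX_LEN]].add(h[PREFIX_LEN:])
            self.pair_hashes.add(sha1_hex(normalize_email(email) + ":" + password))

    def range(self, prefix: str) -> set:
        """Server side of a range query: every suffix sharing the prefix.
        The caller never discloses the full hash of the candidate password."""
        return set(self.by_prefix.get(prefix, ()))

    def pair_known(self, email: str, password: str) -> bool:
        """Exact email+password match: the credential-stuffing signal."""
        return sha1_hex(normalize_email(email) + ":" + password) in self.pair_hashes


def password_compromised(index: BreachIndex, password: str) -> bool:
    """Client side of the range query: fetch the bucket, compare locally."""
    h = sha1_hex(password)
    return h[PREFIX_LEN:] in index.range(h[:PREFIX_LEN])


def screen_new_password(index: BreachIndex, password: str, min_len: int = 8):
    """Registration / password-change check. Returns None if acceptable,
    otherwise a user-facing rejection reason (the NIST SP 800-63B control)."""
    if len(password) < min_len:
        return "too short"
    if password_compromised(index, password):
        return "appears in a known breach; choose a different password"
    return None


def login_risk(index: BreachIndex, email: str, password: str) -> str:
    """Authentication-time classification used for continuous monitoring and
    post-breach remediation. An exact pair match means the attacker already
    holds this login; a leaked password alone still warrants a forced reset."""
    if index.pair_known(email, password):
        return "exact-match: force reset and step-up auth"
    if password_compromised(index, password):
        return "password leaked elsewhere: prompt reset"
    return "no known exposure"


if __name__ == "__main__":
    idx = BreachIndex(LEAKED_CREDENTIALS)
    print(screen_new_password(idx, "Summer2017!"))
    print(login_risk(idx, "Alice@Example.com ", "password123"))
    print(login_risk(idx, "eve@example.com", "password123"))
```

In a real deployment the pair check runs at the moment of authentication, the only point at which the verifier legitimately holds the plaintext password, and the corpus is reloaded after each major industry breach so that the same login flow performs the post-breach re-screening described above.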


Figure 1 – Cloud Provider / IDaaS / CASB Use Cases w/SANS CIS v6 Controls

(Note that of the 19 controls SANS sets forth in the figure, none directly addresses the compromised-credentials threat, which accounts for over 50% of all data breaches!)


VeriClouds: Detection, Early Warning, Alerting & Remediation of Compromised Credentials


VeriClouds maintains the industry’s largest commercially available data repository of compromised accounts, backed by patent-pending password matching technology. VeriClouds CredVerify™ is a credential verification service that helps organizations detect compromised credentials before any seismic event occurs.

VeriClouds accomplishes this by gathering the same data attackers have at their disposal through proactive monitoring of the Dark Web, continuously updating its intelligence on compromised credentials, and providing that information to companies and cloud providers through an easy-to-use, industry-standard interface. This allows companies and providers to detect, warn of and remediate the risk associated with compromised credentials.

Without this intelligence, very few organizations, cloud providers included, can distinguish a genuine user from an attacker presenting that user’s leaked credentials, since the authentication itself succeeds normally and raises no alert.


Cloud Assets Too Valuable To Ignore Recent Cybersecurity Earthquakes

Cloud assets are simply too valuable, and the recent cybersecurity precursor events too seismic, to be ignored. Breach activity since January 2017 alone indicates the groundswell is significant and growing, and reports such as the Thycotic report help confirm the tsunami that these billions of stolen credentials represent.

CSPs, IDaaS and CASB providers must therefore shore up their capabilities around compromised credentials to adequately protect their customers’ vital cloud assets and align with the recently issued NIST guidelines.

On the other side, cloud customers choose cloud offerings specifically for their increased security capabilities. Cloud customers must demand from their providers capabilities that directly address compromised accounts, to adequately protect against the seismic-scale attacks already landing on company shores in the cloud.

About the author

Stan Bounev is the founder of VeriClouds and AppBugs; previously PM at Microsoft. Currently focused on adding more context to authentication and protecting against account takeover attacks.
