- August 17, 2023: New Grading & Finding Behavior sections.
- May 18, 2020: Updated risk vector description.
The Exposed Credentials risk vector looks at verified breaches to indicate whether a company's employees had their credentials publicly disclosed and posted online as a result of a successful cyber attack on a third-party site where those employees held accounts. Use this risk vector to identify the breached sites and the types of information that were exposed (the disclosed fields).
See data collection methods or the criteria for classifying findings as Exposed Credentials.
Risks
Exposure can be damaging to a company's systems and reputation. Attackers may gain access to user accounts by taking credentials from a breach at an unrelated company and replaying them against an organization's web login page (credential stuffing). If an employee reuses their company username and password on a non-company website and those credentials are disclosed (with the passwords exposed in cleartext or recovered by cracking weak hashes), an attacker could gain access to that employee's corporate account.
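The replay attack described above has a recognizable shape on the defender's side: one source address cycling through many distinct usernames, mostly failing, inside a short window. The following is an added example (not BitSight code, and not from the original page) of detection logic for that pattern. The log format, the function names and the sample log lines are all constructed for illustration; the thresholds are assumptions to tune against your own traffic.

```python
"""Flag credential-stuffing patterns in authentication logs.

Added example; the log format and log lines are constructed for
illustration. One source address cycling through many distinct
usernames with mostly failures inside a short window is what replaying
a breach dump against a login page looks like from the defender's side.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Assumed log format (not any real product's format):
#   <ISO-8601 UTC timestamp> src=<ip> user=<username> result=OK|FAIL
LOG_RE = re.compile(
    r"^(?P<ts>\S+) src=(?P<src>\S+) user=(?P<user>\S+) result=(?P<result>OK|FAIL)$"
)


def parse_line(line):
    """Parse one log line into a dict, or return None for lines that don't match."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    return {
        "ts": datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ"),
        "src": m["src"],
        "user": m["user"].lower(),
        "result": m["result"],
    }


def detect_credential_stuffing(lines, window=timedelta(minutes=10),
                               min_users=5, min_fail_ratio=0.8):
    """Return {src_ip: summary} for sources whose attempts, within some
    sliding time window, span >= min_users distinct accounts with a
    failure ratio >= min_fail_ratio. The summary also lists the accounts
    that succeeded during the burst: those are the reused credentials
    to reset first."""
    events = [e for e in map(parse_line, lines) if e]
    events.sort(key=lambda e: e["ts"])
    by_src = defaultdict(list)
    for e in events:
        by_src[e["src"]].append(e)

    alerts = {}
    for src, evs in by_src.items():
        start = 0
        for end in range(len(evs)):
            # Advance the window start so the window never exceeds `window`.
            while evs[end]["ts"] - evs[start]["ts"] > window:
                start += 1
            win = evs[start:end + 1]
            users = {e["user"] for e in win}
            failures = sum(e["result"] == "FAIL" for e in win)
            if len(users) >= min_users and failures / len(win) >= min_fail_ratio:
                summary = {
                    "distinct_users": len(users),
                    "attempts": len(win),
                    "failures": failures,
                    "successes": sorted(e["user"] for e in win if e["result"] == "OK"),
                }
                # Keep the widest qualifying window seen for this source.
                if src not in alerts or summary["attempts"] > alerts[src]["attempts"]:
                    alerts[src] = summary
    return alerts


# Constructed sample: one stuffing burst (203.0.113.5), one legitimate user
# mistyping once (198.51.100.7), and a shared egress IP with several
# successful logins by different people (198.51.100.9). The distinct-user
# threshold alone would mis-flag the shared IP; the failure ratio keeps it out.
SAMPLE_LOG = """\
2023-08-17T10:00:01Z src=203.0.113.5 user=alice@example.com result=FAIL
2023-08-17T10:00:03Z src=203.0.113.5 user=bob@example.com result=OK
2023-08-17T10:00:05Z src=203.0.113.5 user=carol@example.com result=FAIL
2023-08-17T10:00:06Z src=203.0.113.5 user=dave@example.com result=FAIL
2023-08-17T10:00:08Z src=203.0.113.5 user=erin@example.com result=FAIL
2023-08-17T10:00:09Z src=203.0.113.5 user=frank@example.com result=FAIL
2023-08-17T10:01:00Z src=198.51.100.7 user=alice@example.com result=FAIL
2023-08-17T10:01:20Z src=198.51.100.7 user=alice@example.com result=OK
2023-08-17T10:02:00Z src=198.51.100.9 user=gina@example.com result=OK
2023-08-17T10:02:10Z src=198.51.100.9 user=hal@example.com result=OK
2023-08-17T10:02:20Z src=198.51.100.9 user=ivan@example.com result=OK
2023-08-17T10:02:30Z src=198.51.100.9 user=judy@example.com result=OK
2023-08-17T10:02:40Z src=198.51.100.9 user=kim@example.com result=OK
"""

if __name__ == "__main__":
    for src, summary in detect_credential_stuffing(SAMPLE_LOG.splitlines()).items():
        print(src, summary)
```

The successful login inside a flagged burst is the actionable item: that account's password was almost certainly reused on a breached site, so it should be reset and its active sessions revoked before anything else.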
Grading
This is an informational risk vector and does not affect security ratings.
Concept | Behavior |
---|---|
Lifetime | 60 days |
No Findings | The rating is positively impacted if there are no Exposed Credentials findings. |
Weight (out of 2.5% in User Behavior) | Not applicable. |
Remediation
Review Exposed Credentials findings, paying particular attention to the disclosed fields: a breach that exposed passwords (cleartext or weakly hashed) warrants an immediate reset for the affected accounts.
- Use Exposed Credentials findings as an opportunity to educate other teams and to create or re-evaluate policies on credential reuse, especially requirements concerning password reuse and complexity.
- Consider using two-factor authentication (2FA) as part of your organization's user account security strategy, so that a reused password alone is not enough to log in.
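A password-reuse policy is only enforceable if the system can tell, at password-change time, that a candidate password already appears in a breach corpus. The following is an added example (not BitSight code, and not from the original page) of that check using the hash-prefix ("k-anonymity") range pattern, in which the client sends only the first five hex characters of the SHA-1 hash and matches the remainder locally. The breach corpus, the function names and the `range_lookup` stand-in for a range endpoint are all constructed for this example; in production the lookup would query a breached-password service or an internal copy of a breach set.

```python
"""Reject new passwords that appear in a known-breach corpus.

Added example, not BitSight code. The corpus below is constructed from a
few obviously weak passwords; a real deployment would use a breached-
password data set. The lookup is split client/server the way a range API
is: only a 5-hex-character SHA-1 prefix leaves the client, so the server
learns a bucket of candidates and never the password itself.
"""
import hashlib
from collections import defaultdict

# Constructed stand-in for a breach corpus: passwords seen in public dumps
# with (made-up) occurrence counts.
_BREACHED_PASSWORDS = {
    "password": 9_000_000,
    "Password123!": 120_000,   # satisfies typical complexity rules, still breached
    "Summer2023": 15_000,
    "letmein": 300_000,
}


def sha1_hex(password):
    """Uppercase hex SHA-1 of the password, the form range APIs bucket on."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest().upper()


# Bucket the corpus by 5-character prefix, exactly as a range endpoint would.
_RANGES = defaultdict(dict)
for _pw, _count in _BREACHED_PASSWORDS.items():
    _h = sha1_hex(_pw)
    _RANGES[_h[:5]][_h[5:]] = _count


def range_lookup(prefix):
    """Server side (hypothetical range endpoint): every {suffix: count} in the bucket."""
    if len(prefix) != 5:
        raise ValueError("prefix must be exactly 5 hex characters")
    return dict(_RANGES.get(prefix.upper(), {}))


def breach_count(password):
    """Client side: hash locally, send only the prefix, match the suffix locally."""
    h = sha1_hex(password)
    return range_lookup(h[:5]).get(h[5:], 0)


def check_new_password(password, min_length=12):
    """Password-change policy: minimum length plus a breach-corpus check.
    Returns (accepted, reason)."""
    if len(password) < min_length:
        return False, f"shorter than {min_length} characters"
    n = breach_count(password)
    if n:
        return False, f"appears in {n} breach records"
    return True, "accepted"


if __name__ == "__main__":
    for candidate in ["Password123!", "Summer2023", "correct horse battery staple"]:
        print(repr(candidate), check_new_password(candidate))
```

The point of the `Password123!` entry is that complexity rules alone would accept it; the breach check is what catches the reused password that the finding's disclosed fields are warning about.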
Finding Behavior
Concept | Behavior |
---|---|
Refresh | Automated: daily. User-requested: not available. |
Remediated | Findings age out after the 60-day lifetime shown under Grading. |