- February 12, 2024: Corrected Grading and Finding Behavior sections.
- August 17, 2023: New Grading & Finding Behavior sections.
- May 18, 2020: Updated risk vector description.
The Exposed Credentials risk vector looks at verified breaches to indicate whether employees of a company have had their information publicly disclosed and posted online as a result of a successful cyber attack on one of the company’s third parties. Use this risk vector to identify the breached sites and the types of information that were exposed (the disclosed fields).
Exposure can be damaging to a company’s systems and reputation. Attackers may gain access to user accounts by reusing credentials from a breach at an unrelated company and trying them on an organization’s web login page. If an employee reuses their company username and password on a non-company website and those credentials are disclosed (and the passwords are visible in the clear or guessed correctly), an attacker could potentially gain access to that employee’s corporate account.
This is an informational risk vector and does not affect security ratings.
(Out of 2.5% in User Behavior)
Review Exposed Credentials findings:
- Use Exposed Credentials as an opportunity to educate other teams and to create or re-evaluate policies on information reuse, especially requirements concerning password reuse and complexity.
- Consider using 2-factor authentication as part of your organization’s user account security strategy.
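A way to act on findings from this risk vector, as an added example that is not part of the original page or the product's own tooling: it triages each affected corporate address by which fields were disclosed, so that accounts whose password or password hash appeared in a breach get a forced reset and MFA enforcement, while accounts with only identity fields exposed get reuse-awareness guidance. The findings, the directory of active accounts and the field names are constructed sample data, not the product's schema.

```python
from collections import Counter

# Constructed sample findings, shaped like what the risk vector reports:
# the breached site, the affected corporate address and the disclosed fields.
FINDINGS = [
    {"site": "forum.example.net", "email": "alice@corp.example",
     "disclosed": ["email", "password"]},
    {"site": "shop.example.org", "email": "bob@corp.example",
     "disclosed": ["email", "username"]},
    {"site": "tracker.example.org", "email": "carol@corp.example",
     "disclosed": ["email", "password_hash", "phone"]},
    {"site": "forum.example.net", "email": "dave@corp.example",
     "disclosed": ["email", "password"]},
    {"site": "shop.example.org", "email": "alice@corp.example",
     "disclosed": ["email"]},
]

# Constructed directory of addresses that still map to active accounts.
ACTIVE_ACCOUNTS = {"alice@corp.example", "bob@corp.example", "carol@corp.example"}

# Fields whose disclosure makes a reuse-based login attempt feasible.
SECRET_FIELDS = {"password", "password_hash"}

# Ordered from least to most urgent so the worst finding per account wins.
ACTIONS = ["inactive_account", "notify_reuse_awareness", "reset_and_enforce_mfa"]


def classify(finding, active_accounts):
    """Map one finding to a remediation action."""
    if finding["email"] not in active_accounts:
        return "inactive_account"
    if SECRET_FIELDS & set(finding["disclosed"]):
        return "reset_and_enforce_mfa"
    return "notify_reuse_awareness"


def triage(findings, active_accounts):
    """Return {email: most urgent action} across all of an account's findings."""
    result = {}
    for f in findings:
        action = classify(f, active_accounts)
        current = result.get(f["email"])
        if current is None or ACTIONS.index(action) > ACTIONS.index(current):
            result[f["email"]] = action
    return result


def sites_by_exposure(findings):
    """Count distinct affected accounts per breached site, most affected first."""
    seen = {(f["site"], f["email"]) for f in findings}
    return Counter(site for site, _ in seen).most_common()


if __name__ == "__main__":
    for email, action in sorted(triage(FINDINGS, ACTIVE_ACCOUNTS).items()):
        print(f"{email:22} {action}")
    print(sites_by_exposure(FINDINGS))
```

The per-site counts show which breached third-party sites affect the most employees, which is the list to use when re-evaluating reuse policies.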
User-Requested: User-requested refresh not available.