The Exposed Credentials risk vector looks at verified breaches to indicate if the employees of a company had their information publicly disclosed and posted online as a result of a successful cyber attack on their company’s third parties. Use this risk vector to identify breached sites and the types of information that were exposed (disclosed fields).
See data collection methods or the criteria for classifying findings as Exposed Credentials.
Risks
Exposure can be damaging to a company’s systems and reputation. Attackers may gain access to user accounts by reusing credentials from a breach at an unrelated company and trying them on an organization’s web login page. If an employee reuses their company username and password on a non-company website and those credentials are disclosed (and the passwords are visible or guessed correctly), an attacker could potentially gain access to that employee’s corporate account.
Grading
This is an informational risk vector and does not affect security ratings.
| Concept | Behavior |
|---|---|
| Lifetime | Duration: Not applicable. |
| | A default risk vector grade is assigned. |
| | Default: Not applicable. |
| Weight | Percentage (out of 2.5% in User Behavior): Not applicable. |
Remediation
Review Exposed Credential findings.
- Use Exposed Credentials as an opportunity to educate other teams and to create or re-evaluate policies on information reuse, especially requirements concerning password reuse and complexity.
- Consider using 2-factor authentication as part of your organization’s user account security strategy.
Finding Behavior
| Concept | Behavior |
|---|---|
| | The Bitsight platform regularly checks for new observations. Bitsight findings are updated as these observations change, e.g., when Diligence findings are newly observed or an existing finding is remediated. |
| | Automated Scan Duration: Daily. User-Requested Rescan Duration: Not Applicable. |
| Remediated | Not applicable. |
- March 25, 2024: “No findings/low findings” changed to “insufficient data.”
- February 12, 2024: Corrected Grading and Finding Behavior sections.
- August 17, 2023: New Grading & Finding Behavior sections.