Home/Glossary/Credential Compromise

Credential Compromise

A security incident where authentication credentials (passwords, API keys, tokens) are stolen, exposed, or otherwise obtained by unauthorized parties.

Incident ResponseAlso called: "stolen credentials", "compromised passwords", "credential theft"

Credential compromise is the most common initial access vector in cloud breaches, enabling attackers to impersonate legitimate users.

Common causes

  • Phishing: Users tricked into revealing credentials.
  • Credential stuffing: Reused passwords from other breaches.
  • Secrets in code: API keys committed to repositories.
  • Malware: Keyloggers and info-stealers.
  • Insider threat: Malicious or negligent employees.

Indicators of compromise

  • Logins from unusual locations or IP addresses.
  • API calls at unusual times or volumes.
  • Access to resources outside normal patterns.
  • Multiple failed authentication attempts.
  • New access keys or service accounts created.

Immediate response

  1. Disable or rotate compromised credentials.
  2. Revoke active sessions for affected accounts.
  3. Review audit logs for unauthorized activity.
  4. Check for persistence mechanisms (new users, keys, roles).
  5. Assess scope of data access or exfiltration.

Prevention measures

  • Enforce MFA on all accounts, especially privileged.
  • Use short-lived credentials and automatic rotation.
  • Implement secrets management solutions.
  • Monitor for leaked credentials in public repositories.
  • Deploy phishing-resistant authentication (FIDO2).

Related Tools

Related Articles

View all articles
SOC Alert Triage & Investigation Workflow | Complete Guide

SOC Alert Triage & Investigation Workflow | Complete Guide

Master the complete SOC alert triage lifecycle with this practical guide covering SIEM alert handling, context enrichment, threat intelligence correlation, MITRE ATT&CK mapping, and incident escalation. Learn industry frameworks from NIST, SANS, and real-world best practices to reduce MTTC by 90% and eliminate alert fatigue.

Read article →
Data Breach Response & Notification Workflow | GDPR & HIPAA

Data Breach Response & Notification Workflow | GDPR & HIPAA

Master the complete data breach response workflow from detection to recovery. This comprehensive guide covers GDPR 72-hour notification, HIPAA breach reporting, forensic investigation, regulatory compliance, and customer notification strategies with practical tools and legal frameworks.

Read article →
CI/CD Pipeline Security Workflow | DevSecOps Best Practices

CI/CD Pipeline Security Workflow | DevSecOps Best Practices

Master the complete CI/CD pipeline security workflow from secrets management to SLSA framework implementation. Implement SAST, DAST, SCA, artifact signing, and policy enforcement to secure your software supply chain.

Read article →
Kubernetes Security & Hardening Workflow | CIS Benchmark

Kubernetes Security & Hardening Workflow | CIS Benchmark

Master the complete Kubernetes security workflow from CIS benchmark assessment to runtime threat detection. Implement Pod Security Standards, RBAC, network policies, and NSA/CISA hardening guidance for production clusters.

Read article →

Explore More Incident Response

View all terms

Cryptomining Attack

An attack where adversaries use compromised cloud resources to mine cryptocurrency, resulting in significant compute costs for the victim.

Read more →
Back to glossary