GUIDES
Playbooks

Respond to Leaked Credentials Events

5min

There are several ways to respond to credential leaks, where Flare discovers username and password pairs. The options available depend on how Flare integrates with your systems.

The key point is that before warning your users that their passwords have been leaked we recommend a few steps (and recommend those steps are automated for faster processing).

  1. Check if the leaked credentials follow your company's password policy, hence validating whether this is a password your employee/client could have used in your login portal
  2. Verify the date the breach happened. This is different from the date it was leaked and we sent to you. The breach date is the date the company data was stolen, and can sometimes date back many years. Passwords your employee/client might have been using 5 years ago is less critical than one they used this month.
  3. Check whether this is an email/password combination that has already been leaked (using a service such as Have I Been Pwned). Maybe you already warned this user and they aren't using this password anymore
  4. This step is optional but adds a lot of value; if the password is in clear text, use the hashing algorithm used in your accounts database to hash the passwords. Compare the hash you receive in output with the hashed password of this user in your system. A match means this password is compromised and you should trigger a password reset right away.
  5. If desired, inform the user by following the steps in the section below.

Remember that Flare is there to help you if you are interested in automating such actions. We have assisted multiple clients in setting up automations and would be happy to work with you to do it moving forward.

Informing Users

When leaked credentials are found for your employees, it is often important to let employees know. Here are some elements to keep in mind:

  1. Users may have already received notification if they are subscribed to a service such as Have I Been Pwned or Firefox Monitor.
  2. If you have a regular continuous process, you may already have alerted them for a similar or identical password.
  3. If the user is not generally aware of IT and cyber risks, they may not understand why or how you got access to their password. In these cases, Flare recommends disclosing only the first 3 characters of the password to the employee (providing "sum*******" instead of "summer1969") - the employee will recognize the password.

Types of credentials sources

There are a number of ways leaked credentials are shared and re-shared in the criminal underground. They are detailed here.

Related Articles