Home/Glossary/Credential Compromise

Credential Compromise

A security incident where authentication credentials (passwords, API keys, tokens) are stolen, exposed, or otherwise obtained by unauthorized parties.

Incident ResponseAlso called: "stolen credentials", "compromised passwords", "credential theft"

Credential compromise is the most common initial access vector in cloud breaches, enabling attackers to impersonate legitimate users.

Common causes

  • Phishing: Users tricked into revealing credentials.
  • Credential stuffing: Reused passwords from other breaches.
  • Secrets in code: API keys committed to repositories.
  • Malware: Keyloggers and info-stealers.
  • Insider threat: Malicious or negligent employees.

Indicators of compromise

  • Logins from unusual locations or IP addresses.
  • API calls at unusual times or volumes.
  • Access to resources outside normal patterns.
  • Multiple failed authentication attempts.
  • New access keys or service accounts created.

Immediate response

  1. Disable or rotate compromised credentials.
  2. Revoke active sessions for affected accounts.
  3. Review audit logs for unauthorized activity.
  4. Check for persistence mechanisms (new users, keys, roles).
  5. Assess scope of data access or exfiltration.

Prevention measures

  • Enforce MFA on all accounts, especially privileged.
  • Use short-lived credentials and automatic rotation.
  • Implement secrets management solutions.
  • Monitor for leaked credentials in public repositories.
  • Deploy phishing-resistant authentication (FIDO2).

Related Tools

Related Articles

View all articles
Cloud Penetration Testing: A Complete Guide for AWS, Azure, and GCP

Cloud Penetration Testing: A Complete Guide for AWS, Azure, and GCP

Cloud penetration testing requires different approaches than traditional network testing. Learn cloud provider policies, testing methodologies, and common findings across AWS, Azure, and GCP environments.

Read article →
GitHub Actions Security: OIDC, Secrets, Permissions, and Supply Chain Protection

GitHub Actions Security: OIDC, Secrets, Permissions, and Supply Chain Protection

Secure GitHub Actions workflows with OIDC authentication, minimal permissions, pinned actions, secret protection, fork security, and supply chain hardening best practices.

Read article →
Cloud Incident Response: A Step-by-Step Guide for AWS, Azure, and GCP

Cloud Incident Response: A Step-by-Step Guide for AWS, Azure, and GCP

Learn how to respond to cloud security incidents effectively. This guide covers preparation, detection, containment, and recovery.

Read article →
CI/CD Pipeline Security Workflow | DevSecOps Best Practices

CI/CD Pipeline Security Workflow | DevSecOps Best Practices

Master the complete CI/CD pipeline security workflow from secrets management to SLSA framework implementation. Implement SAST, DAST, SCA, artifact signing, and policy enforcement to secure your software supply chain.

Read article →

Explore More Incident Response

View all terms

Cryptomining Attack

An attack where adversaries use compromised cloud resources to mine cryptocurrency, resulting in significant compute costs for the victim.

Read more →
Back to glossary