16 Billion credentials leaked — Could poor Risk Management strategies be at fault

In mid-June, the cybersecurity-focused news outlet Cybernews published an article[1] that shook the security community: it revealed that approximately 16 billion sets of credentials had been exposed in a recent leak. It was not the size alone that caused the shock, it was the sources. The data included credentials for Apple, Google, Facebook and other services. These are companies bound by strict privacy laws, with multiple fail-safes in place to prevent a direct breach. The research that followed confirmed that these credential dumps were not the result of a direct breach at the source; they came from end-user devices.

Before we dig in…

  • Before we dig into the details of how this could have happened and what could have prevented it, here is a summary of this “leak”.
  • On 18th June, Cybernews published an article titled “16 billion passwords exposed in record-breaking data breach”. Its researchers had discovered these records scattered across 30 different datasets. In discoveries of this magnitude it is hard to tell how much of the data overlaps, but even if 90% of it were overlap, that would still leave 1.6 billion leaked credentials.
  • The leaked records were in the format URL, login details and password. This format hints at infostealers, malicious software that steals sensitive information from infected devices, being the source of the leak.
  • For the same reason, the researchers believe it is highly unlikely that this was a breach at the source itself: the format in which the leaked data was found is characteristic of infostealer logs, not of a database dump.
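To make the dump format and the overlap argument concrete, here is an added example (not code from the article or from Cybernews) that parses constructed lines in the URL:login:password layout, deduplicates them across datasets, and lists the accounts on an assumed set of organisation domains that should be force-reset. The sample lines, the domain list and the record layout are hypothetical and only illustrate the triage a defender would run.

```python
from urllib.parse import urlsplit

# Constructed sample dumps in the URL:login:password layout the article describes.
# Every value is made up for illustration; none is a real credential.
DATASETS = {
    "dump_a.txt": [
        "https://mail.example-corp.com/login:alice@example-corp.com:Summer2024!",
        "https://vendor-portal.example-corp.com:8443/sso:bob.contractor:hunter2",
        "android://com.social.app/:carol:pass123",
    ],
    "dump_b.txt": [
        "https://mail.example-corp.com/login:alice@example-corp.com:Summer2024!",
        "https://shop.unrelated.example/:dave:qwerty",
        "https://vendor-portal.example-corp.com:8443/sso:bob.contractor:hunter2",
        "not a credential line",
    ],
}
ORG_DOMAINS = ("example-corp.com",)  # assumed: domains this organisation owns

def parse_line(line):
    """Split a dump line into (host, login, password), or None if malformed.
    Colons also occur inside the URL (scheme, port), so split from the right.
    Assumption: the password contains no ':'; ambiguous lines are skipped."""
    parts = line.strip().rsplit(":", 2)
    if len(parts) != 3:
        return None
    url, login, password = parts
    host = urlsplit(url).hostname
    if not host or not login:
        return None
    return host.lower(), login.lower(), password

def in_scope(host):
    """True if host is one of our domains or a subdomain of one."""
    return any(host == d or host.endswith("." + d) for d in ORG_DOMAINS)

def triage(datasets):
    """Dedupe records across dumps; list our accounts that need a forced reset."""
    total, unique = 0, set()
    for lines in datasets.values():
        for line in lines:
            rec = parse_line(line)
            if rec is not None:
                total += 1
                unique.add(rec)
    overlap_pct = round(100 * (1 - len(unique) / total), 1) if total else 0.0
    reset_needed = sorted({(h, l) for h, l, _ in unique if in_scope(h)})
    return {"total": total, "unique": len(unique),
            "overlap_pct": overlap_pct, "reset_needed": reset_needed}
```

Run `triage(DATASETS)` to see the raw record count, the count after deduplication, the overlap percentage, and the in-scope (host, login) pairs to reset.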

So, what could have caused it?

Non-compliant vendors are among the top reasons breaches like this happen. They are often the weakest link in the chain. Modern enterprises are no longer the monoliths they used to be: from outsourced development teams to marketing firms, data processors to support vendors, third-party relationships are unavoidable. What is significant is that these third parties, because of their service obligations, often hold privileged access to internal systems.

Herein lies the risk: many of these vendors lack proper security posture. Whether due to cost, culture, or complexity, vendors may operate with:

  • Unmonitored endpoints
  • Weak or reused credentials
  • No endpoint detection or anti-malware tools
  • Poor credential hygiene (e.g., storing passwords in browsers)

When vendor machines are infected by malware like the RedLine Stealer, sensitive data from web browsers, applications, email and messaging apps, and cryptocurrency wallets is exfiltrated to the attacker’s infrastructure.

Is this all just theory?

While it might sound like a far-fetched hypothesis to some, these attacks are far from theoretical; the techniques involved are catalogued in frameworks like MITRE ATT&CK:

  • T1199 — Exploitation of Trusted Relationships
  • T1555.003 — Credentials from Web Browsers
  • T1539 — Steal Web Session Cookie
  • T1005 — Data from Local System

These techniques bypass hardened perimeter defenses. Instead, they exploit lateral trust, hijacking access through partners and vendors with weak controls.

The Case for Operationalized Third-Party Risk Management (TPRM)

Risk assessments, vendor reviews and compliance checks used to be once-a-year activities. That cadence is no longer sufficient in the everything-is-connected world we live in today. We need a robust TPRM system that is:

  • Dynamic: Continuously updated with vendor risk intelligence. A robust TPRM system should refresh this at least once a month.
  • Comprehensive: Covering not just contractual obligations but practical implementation. It is not only about maintaining SLAs for performance or defect handling; vendor reviews should also consider factors like recent breaches and unscheduled downtime.
  • Integrated: Vulnerability assessment at the point of integration is the most crucial, and most often missing, link in assessing risk.

CISOGenie’s 5-pointer for a strong TPRM

  • Dependency-based risk scoring: Vendors for your mission-critical systems should be treated differently from vendors for “good-to-have” systems.
  • On-need access: Zero-trust architectures have been in place for a few years now and are a good way to implement just-in-time access and session monitoring for vendor accounts.
  • Credential security enforcement: Do not permit shared credentials. Enforce MFA on every system that supports it. Use password managers.
  • Endpoint security enforcement: Attacks have become very sophisticated, and bare-bones antivirus is no longer sufficient. Require EDR, patching, and hardened devices for all vendors accessing your systems.
  • Breach impact containment: Establish communication channels for handling vendor breaches. Implement the ability to instantly revoke access and terminate all existing sessions for any chosen vendor.

In Closing

The 16 billion credential leak is not just a story of stolen data. It is a harsh lesson in the risks posed by unchecked third-party access. Your vendors are an extension of your attack surface: if their endpoints are vulnerable, so is your enterprise.

It is time to stop treating TPRM as a compliance checkbox and start treating it as a cornerstone of your cybersecurity posture. Talk to us at https://www.cisogenie.com to learn more about TPRM and how we help our tenants stay compliant and reduce risk.

Edit 1: Cybernews article link: https://cybernews.com/security/billions-credentials-exposed-infostealers-data-leak/