Blog | G5 Cyber Security

Compromised Account Attacks

TL;DR

Previously compromised accounts are often reused attack vectors. This guide explains how attackers use them and what you can do to protect yourself, covering password hygiene, multi-factor authentication (MFA), monitoring for suspicious activity, and incident response.

Understanding the Threat

Attackers don’t always need new hacks. They frequently target lists of usernames and passwords leaked from data breaches. If someone reuses a password across multiple sites, gaining access to one account can unlock many others. This is why compromised accounts are so valuable.

How Attackers Use Compromised Accounts

  1. Credential Stuffing: Automatically trying stolen usernames and passwords on various websites.
  2. Password Spraying: Trying a few common passwords against many different accounts.
  3. Account Takeover (ATO): Gaining full control of an account to steal data, make fraudulent purchases, or spread malware.
  4. Lateral Movement: Using the compromised account as a stepping stone to access other systems within an organisation.

Protecting Yourself and Your Organisation

  1. Password Hygiene (For Individuals & Employees)
    • Unique Passwords: Use a different, strong password for each account. A password manager is highly recommended.
    • Strong Passwords: Aim for at least 12 characters with a mix of uppercase and lowercase letters, numbers, and symbols.
    • Avoid Common Phrases: Don’t use easily guessable words or personal information.
  2. Multi-Factor Authentication (MFA) – Critical!

    Enable MFA on every account that supports it. This adds an extra layer of security, even if your password is stolen.

    • Authenticator Apps: Google Authenticator, Authy, and Microsoft Authenticator are good choices.
    • Security Keys: YubiKey or similar hardware keys offer the highest level of protection.
    • SMS-Based MFA (Less Secure): While better than nothing, SMS is vulnerable to SIM swapping attacks.
  3. Account Monitoring
    • Regularly Review Account Activity: Check for unusual logins or changes to your account settings.
    • Security Alerts: Enable email and/or SMS alerts for suspicious activity (e.g., new login from an unknown location).
    • Breach Monitoring Services: Use services like Have I Been Pwned? to check if your accounts have been involved in data breaches.
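    A breach check does not have to hand the password to anyone. The following added example (not the author's code) shows the k-anonymity lookup that the Pwned Passwords API behind Have I Been Pwned? uses, combined with the length-and-character-mix rule from the password hygiene section above: the password is SHA-1 hashed locally, only the first five hex characters are sent, and the returned bucket is searched on the client. The bucket embedded below is constructed for the example; only the suffix belonging to SHA-1("password") is real and its count is illustrative. `fetch_range_live` is the network fetcher it would be swapped in for and is not called here.

```python
import hashlib
import re
import urllib.request

# Constructed stand-in for the Pwned Passwords "range" endpoint: for a 5-hex-char
# prefix it returns one "SUFFIX:COUNT" line per leaked hash in that bucket.
# The suffixes are invented, except the one belonging to SHA-1("password"),
# 5BAA61E4C9B93F3F0682250B6CF8331B7EE68FD8; its count is illustrative only.
SAMPLE_RANGE_RESPONSES = {
    "5BAA6": "\n".join([
        "003D68EB55068C33ACE09247EE4C639306B:3",
        "1E4C9B93F3F0682250B6CF8331B7EE68FD8:3861493",
        "FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF:1",
    ]),
}

PWNED_RANGE_URL = "https://api.pwnedpasswords.com/range/"


def split_sha1(password: str) -> tuple:
    """Hash locally, then split the digest into the 5-char prefix that is sent
    and the 35-char suffix that never leaves the machine."""
    digest = hashlib.sha1(password.encode("utf-8")).hexdigest().upper()
    return digest[:5], digest[5:]


def parse_range_response(body: str) -> dict:
    """Turn the 'SUFFIX:COUNT' lines of a range response into a lookup table."""
    counts = {}
    for line in body.splitlines():
        line = line.strip()
        if not line:
            continue
        suffix, _, count = line.partition(":")
        counts[suffix.upper()] = int(count)
    return counts


def fetch_range_sample(prefix: str) -> str:
    """Offline fetcher used by this example: serves the constructed buckets."""
    return SAMPLE_RANGE_RESPONSES.get(prefix, "")


def fetch_range_live(prefix: str) -> str:
    """Network fetcher (not called here): asks the real API for one bucket."""
    req = urllib.request.Request(PWNED_RANGE_URL + prefix,
                                 headers={"User-Agent": "pwned-range-example"})
    with urllib.request.urlopen(req, timeout=10) as resp:
        return resp.read().decode("utf-8")


def breach_count(password: str, fetch_range=fetch_range_sample) -> int:
    """Times the password appears in the breach corpus (0 means not seen)."""
    prefix, suffix = split_sha1(password)
    return parse_range_response(fetch_range(prefix)).get(suffix, 0)


MIN_LENGTH = 12
CHARACTER_CLASSES = {
    "lowercase letter": r"[a-z]",
    "uppercase letter": r"[A-Z]",
    "digit": r"[0-9]",
    "symbol": r"[^A-Za-z0-9]",
}


def policy_problems(password: str) -> list:
    """The length-and-mix rule from the guidance above; empty list = passes."""
    problems = []
    if len(password) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    for name, pattern in CHARACTER_CLASSES.items():
        if not re.search(pattern, password):
            problems.append(f"no {name}")
    return problems


def assess(password: str, fetch_range=fetch_range_sample) -> list:
    """Both checks together: reject anything weak or previously breached."""
    problems = policy_problems(password)
    seen = breach_count(password, fetch_range)
    if seen:
        problems.append(f"seen {seen} times in breach data")
    return problems
```

The same `assess` function slots into a registration or password-change handler to refuse breached passwords at the moment they are chosen, which is the point at which most credential-stuffing exposure is created.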
  4. Incident Response (For Organisations)
    1. Detection: Implement systems to detect suspicious login attempts and account activity.
      • SIEM Tools: Security Information and Event Management (SIEM) systems can aggregate logs from various sources.
      • Anomaly Detection: Identify unusual patterns of behaviour that may indicate a compromised account.
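      Credential stuffing, password spraying and the takeover that follows (from the list under "How Attackers Use Compromised Accounts") all leave recognisable shapes in ordinary authentication logs, which is what the SIEM and anomaly-detection step above looks for. The following added example (not part of the original post) runs three such rules over a constructed log: one source failing against many distinct accounts within a short window, a success from a source that has just failed repeatedly, and a success from a country the user has never signed in from (the "new login from an unknown location" alert). The log format, the RFC 5737 documentation addresses and the per-user country baseline are all invented for the example.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample of authentication events (not real logs): one attempt per
# line, key=value fields, RFC 5737 documentation addresses as sources.
SAMPLE_LOG = """\
2024-05-01T08:00:00Z user=bob src=192.0.2.10 result=OK country=NL
2024-05-01T08:01:00Z user=alice src=192.0.2.11 result=OK country=NL
2024-05-01T09:00:01Z user=alice src=203.0.113.7 result=FAIL country=US
2024-05-01T09:00:03Z user=bob src=203.0.113.7 result=FAIL country=US
2024-05-01T09:00:05Z user=carol src=203.0.113.7 result=FAIL country=US
2024-05-01T09:00:07Z user=dave src=203.0.113.7 result=FAIL country=US
2024-05-01T09:00:09Z user=erin src=203.0.113.7 result=FAIL country=US
2024-05-01T09:00:11Z user=frank src=203.0.113.7 result=OK country=US
2024-05-01T11:30:00Z user=alice src=198.51.100.23 result=OK country=BR
"""

# Constructed baseline of where each user normally signs in from; a real
# deployment would learn this from past successful logins.
KNOWN_COUNTRIES = {u: {"NL"} for u in ("alice", "bob", "carol", "dave", "erin", "frank")}

LINE_RE = re.compile(r"^(?P<ts>\S+) user=(?P<user>\S+) src=(?P<src>\S+) "
                     r"result=(?P<result>\S+) country=(?P<country>\S+)$")


def parse_log(text: str) -> list:
    """Parse the constructed format into dicts sorted by time; skip bad lines."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        ts = datetime.fromisoformat(m["ts"].replace("Z", "+00:00")).timestamp()
        events.append({"ts": ts, "user": m["user"], "src": m["src"],
                       "ok": m["result"] == "OK", "country": m["country"]})
    return sorted(events, key=lambda e: e["ts"])


def detect_password_spray(events: list, window_s: int = 600, min_users: int = 5) -> list:
    """One source failing against many distinct accounts in a short window: the
    shape of password spraying, and of credential stuffing, which differs mainly
    in that the leaked pairs succeed more often."""
    fails = defaultdict(list)
    for e in events:
        if not e["ok"]:
            fails[e["src"]].append(e)
    alerts = []
    for src, items in fails.items():
        for i, first in enumerate(items):
            in_window = [x for x in items[i:] if x["ts"] - first["ts"] <= window_s]
            users = {x["user"] for x in in_window}
            if len(users) >= min_users:
                alerts.append({"rule": "password_spray", "src": src,
                               "users": sorted(users), "attempts": len(in_window)})
                break  # one alert per source is enough
    return alerts


def detect_success_after_failures(events: list, min_failures: int = 3, window_s: int = 600) -> list:
    """A success from a source that just failed repeatedly: the login that turns
    a guessing campaign into an account takeover."""
    recent_fails = defaultdict(list)
    alerts = []
    for e in events:
        recent = [t for t in recent_fails[e["src"]] if e["ts"] - t <= window_s]
        if e["ok"]:
            if len(recent) >= min_failures:
                alerts.append({"rule": "success_after_failures", "src": e["src"],
                               "user": e["user"], "failures": len(recent)})
        else:
            recent.append(e["ts"])
        recent_fails[e["src"]] = recent
    return alerts


def detect_new_location(events: list, known: dict) -> list:
    """A successful login from a country not in the user's baseline."""
    return [{"rule": "new_location", "user": e["user"], "src": e["src"], "country": e["country"]}
            for e in events if e["ok"] and e["country"] not in known.get(e["user"], set())]


def run_rules(text: str, known: dict = KNOWN_COUNTRIES) -> list:
    """Run all three rules over a log and return the combined alert list."""
    events = parse_log(text)
    return (detect_password_spray(events)
            + detect_success_after_failures(events)
            + detect_new_location(events, known))


if __name__ == "__main__":
    for alert in run_rules(SAMPLE_LOG):
        print(alert)
```

Thresholds are deliberately parameters: a spraying rule tuned for a 50-user company will drown a 50,000-user one in alerts, and the window has to be wider than the attacker's per-account pacing to catch slow campaigns.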
    2. Containment: Immediately disable or lock the compromised account.
      # Example command to lock an account on Linux (replace 'username' with the actual username).
      # Note: usermod -L only locks the password. Sessions that are already open stay open, and
      # depending on the SSH/PAM configuration key-based logins may still succeed, so also expire
      # the account (usermod --expiredate 1) and terminate the attacker's sessions.
      sudo usermod -L username
    3. Investigation: Determine the scope of the compromise and identify any data that may have been accessed.
      • Log Analysis: Review logs to understand what the attacker did while they had access.
      • Forensic Investigation: If necessary, conduct a more thorough forensic investigation.
    4. Recovery: Reset passwords for all affected accounts and implement additional security measures.
      • Password Reset Policy: Enforce strong password reset policies.
      • MFA Enforcement: Mandate MFA for all users.
  5. Employee Training (For Organisations)
    • Phishing Awareness: Educate employees about phishing attacks and how to identify them.
    • Password Security Best Practices: Train employees on the importance of strong passwords and MFA.
    • Reporting Suspicious Activity: Encourage employees to report any suspicious activity immediately.