← All glossary terms
Identity Security7 min read

What is Credential Theft?

Credential theft is the act of stealing usernames, passwords, hashes, tokens, certificates, or session cookies to impersonate a legitimate identity. Learn the techniques, real examples, and defenses.

What is Credential Theft?

Definition

Credential theft is the act of stealing the secrets used to prove identity — passwords, hashes, Kerberos tickets, OAuth and SAML tokens, session cookies, API keys, certificates, or cloud access keys — in order to impersonate a legitimate identity.

It is the foundation of the TA0006 Credential Access tactic in MITRE ATT&CK and a precursor to most identity-based attacks.

In simple terms:

Credential theft is how attackers stop being attackers and start being users.


Why Credential Theft Matters

The Verizon DBIR has identified the use of stolen credentials as one of the most frequent initial access vectors for years. Credential theft directly enables:

  • Initial access to corporate systems
  • Lateral movement
  • Privilege escalation
  • Data exfiltration
  • Ransomware deployment
  • Persistence (long-lived tokens, certificates, federation backdoors)

Once stolen credentials are in use, attackers blend with legitimate activity and bypass network controls and many endpoint protections.


What Counts as a "Credential"?

A credential is any secret a system trusts to identify a user or workload:

  • Passwords and PINs
  • Password hashes (NTLM, LM, Entra ID-derived)
  • Kerberos tickets (TGT, service tickets)
  • OAuth / OIDC access and refresh tokens
  • SAML assertions
  • Session cookies
  • API keys and access keys
  • SSH keys
  • Certificates (client, machine, code-signing)
  • Cloud STS / temporary credentials
  • Recovery codes and backup codes

Every one of these can be stolen — and every one is a target.


Major Credential Theft Techniques

1. Phishing

The single most common technique. Attackers trick users into entering credentials on a fake login page, often combined with adversary-in-the-middle (AiTM) frameworks (e.g., Evilginx, EvilProxy) to capture session cookies and bypass MFA.

2. Infostealer Malware

Lightweight malware harvests:

  • Browser-stored passwords
  • Browser cookies (live sessions)
  • Cloud CLI configs (~/.aws/credentials, ~/.kube/config)
  • SSH keys
  • Crypto wallets

Stealer logs are sold on dark markets. Many breaches in 2023–2025 (Snowflake customers, others) trace back to infostealer logs.

3. Credential Dumping (OS Memory)

Tools like Mimikatz dump credentials directly from memory (LSASS, SAM, NTDS.dit, lsass.exe). Often used after initial endpoint compromise.

4. Credential Stuffing

Reusing leaked credentials from one service against many others, betting on password reuse.

5. Password Spraying

Trying a small number of common passwords against many accounts to avoid lockouts. Microsoft Midnight Blizzard (2024) used this against a legacy account without MFA.

6. Brute Force

Trying many passwords against one account. Mostly useful where rate limits and lockouts are weak.

7. Network Capture

  • NTLM relay attacks (e.g., PetitPotam, NTLM relay to AD CS).
  • Kerberos ticket capture.
  • Sniffing weakly protected protocols.

8. Shoulder Surfing / Physical

Photos of sticky notes, screen captures, dumpster diving for printed passwords, and keyloggers in shared devices.

9. Cloud Metadata and SDK Abuse

Stealing temporary credentials from instance metadata services (IMDS) or workload identity tokens via SSRF or compromised workloads.

  • Browser cookie theft (post-AiTM phishing).
  • OAuth refresh token theft.
  • Cloud session token theft (e.g., AWS STS).
  • Federation token forgery (Golden SAML).

11. Help Desk Social Engineering

Tricking help desk into resetting passwords or MFA — devastatingly effective when help desk verification is weak (MGM 2023).

12. Code and Config Leaks

  • Hardcoded API keys in source repos (GitHub, GitLab).
  • Secrets in container images, Helm charts, CI logs.
  • Old backups and snapshots containing credentials.

Real-World Examples

Example 1: AiTM Phishing for Microsoft 365

A user clicks a phishing link that proxies to the real Microsoft login. They authenticate, complete MFA, and the attacker captures the session cookie — bypassing MFA entirely. The attacker uses the cookie to access mail and OneDrive.

Example 2: Snowflake Customer Compromises (2024)

Attackers used credentials harvested by infostealers from non-corporate machines to access Snowflake tenants that had not enforced MFA. Massive customer datasets were exfiltrated.

Example 3: Password Spray Against Legacy

Microsoft Midnight Blizzard (APT29) used password spraying against a legacy non-production account without MFA to gain initial access, then escalated through OAuth permissions to executive mailboxes.

Example 4: Kerberoasting

An attacker with any domain user requests service tickets for accounts with SPNs, then cracks the tickets offline to recover service account passwords.

Example 5: AWS Access Key in a Public Repo

A developer accidentally commits an AKIA... key with administrative privileges to a public GitHub repo. Within minutes, automated bots find and use it for crypto-mining or data exfiltration.

Example 6: LSASS Dumping After Initial Access

After getting code execution on a workstation, the attacker dumps LSASS, recovers cached domain credentials, and uses them to lateral-move via SMB and WMI.


Why Credential Theft Succeeds

  • Passwords are everywhere and frequently reused.
  • MFA is unevenly enforced, especially for legacy and service accounts.
  • Sessions and tokens are often long-lived and weakly protected.
  • Static API keys persist for years.
  • Help desk procedures are inconsistent.
  • Workload identities (cloud, Kubernetes) are often handled insecurely.

Defenses Against Credential Theft

1. Phishing-Resistant MFA

FIDO2 / passkeys eliminate the value of stolen passwords for most accounts. CISA's "More Than a Password" highlights this as the top control.

2. Eliminate Passwords Where Possible

Move to passkeys, certificate-based auth, and workload identity federation.

3. Token Hardening

  • Short-lived sessions, especially for sensitive apps.
  • Token binding to device where supported.
  • Continuous Access Evaluation (CAEP) for fast revocation.
  • Conditional access policies that re-evaluate context.

4. Block Legacy Authentication

Disable POP3, IMAP, basic auth, NTLMv1, and other protocols that bypass MFA.

5. Endpoint Hardening

  • EDR with credential dumping detections.
  • Credential Guard, Remote Credential Guard.
  • Hardened LSA, RestrictedAdmin mode for RDP.
  • Application allowlisting where feasible.

6. Vault Secrets

  • PAM for human privileged credentials.
  • Secrets management for application credentials.
  • Never store credentials in code, configs, or wikis.

7. Use Short-Lived, Dynamic Credentials

  • AWS STS, GCP Workload Identity, Azure Managed Identity, OIDC federation in CI/CD.
  • No more long-lived AKIA* keys in pipelines.

8. Detect Credential Abuse

  • Impossible travel
  • Unusual sign-in geos / ASNs
  • MFA fatigue patterns
  • Token replay from new device
  • Kerberoasting and DCSync detections
  • OAuth consent anomalies

9. Strong Help Desk Verification

  • Multi-step identity proofing.
  • Callback procedures.
  • Manager involvement for sensitive resets.
  • Dedicated workflows for privileged users.

10. Continuous Secret Scanning

  • Pre-commit hooks
  • Repo and registry scanning
  • Cloud audit log monitoring for new keys
  • Rotation on personnel changes

Credential Theft Defense Checklist

  • Is phishing-resistant MFA enforced everywhere, including legacy and break-glass?
  • Are passwords being phased out for high-value identities?
  • Are sessions short-lived and continuously re-evaluated?
  • Are legacy auth protocols disabled?
  • Is EDR catching credential dumping?
  • Are all human privileged credentials vaulted and brokered (PAM)?
  • Are NHIs using short-lived dynamic credentials?
  • Are secret scanners running across code, registries, and configs?
  • Are help desk identity-proofing procedures strong?
  • Are credential-abuse detections live in SIEM?
  • Are Kerberoasting / DCSync / token replay detections enabled?

How Forestall Helps

Defending credentials is necessary but not sufficient — you also need to know what each credential unlocks. Forestall maps the blast radius of every identity:

  • Which assets a stolen credential could reach (directly and via paths).
  • Which identities have weak authentication relative to their reach.
  • Which service accounts and AI agents represent the highest-value targets.
  • Which paths to fix to shrink the impact of inevitable credential theft.

This complements credential-protection tools by focusing remediation effort where stolen credentials would do the most damage.


Frequently Asked Questions

Does MFA fully prevent credential theft?

It dramatically reduces password-only abuse. AiTM phishing, token theft, and consent abuse can still succeed without phishing-resistant MFA and token hardening.

Are passwords going away?

Slowly. Passkeys and FIDO2 are gaining ground; passwords will persist for years in legacy and back-office systems.

What's the most overlooked credential type?

Workload and service-account credentials — long-lived API keys and service-account passwords are often the highest-impact targets and the least protected.

How can I tell if my credentials have been stolen?

Use breach notification services, dark web monitoring, infostealer log monitoring, and continuous detection on identity logs.

Should I rotate all credentials regularly?

For long-lived secrets, yes. The bigger win is moving to short-lived dynamic credentials so rotation happens automatically and quickly.


Conclusion

Credential theft is the gateway technique for almost every modern identity attack. The best defense is a combination of phishing-resistant MFA, short-lived credentials, hardened sessions, vaulted privileged secrets, strong help desk procedures, and continuous detection. But equally important is reducing the value of any single stolen credential — through least privilege, JIT, attack path reduction, and tight scoping for service accounts and AI agents.

Assume credentials will be stolen. Then make sure that when they are, they don't unlock much.

Credential TheftPhishingInfostealerToken TheftMFA

See where stolen credentials could take attackers next.

Forestall maps the impact of every identity — so you know which credentials matter most and what they unlock.

We respect your privacy

We use cookies to keep this site secure and working properly. With your permission, we also use optional cookies to understand usage and improve the experience. Cookie Policy

You can change your choice at any time.

What is Credential Theft? Techniques and Defenses | Forestall