Connect with us

Infosecurity

How Credential Reuse Unlocks the Digital Front Door for Hackers

Published

on

How Credential Reuse Unlocks the Digital Front Door for Hackers

Effective account takeover prevention remains one of the most critical yet elusive goals in cybersecurity. When attackers seize control of a user’s account, the consequences cascade rapidly: lost access, stolen data, and fraudulent transactions become almost inevitable. This raises a pressing question—why do these attacks succeed so often, even against fortified platforms?

Building on this, a major incident involving Alibaba Group‘s Taobao marketplace provides a stark illustration. Attackers, armed with a database of 99 million usernames and passwords from unrelated sites, found that a significant portion matched active Taobao accounts. This breach of over 20 million accounts wasn’t a direct assault on Taobao’s defenses; it was an exploit of a universal human weakness.

The Domino Effect of a Single Password

Therefore, the core vulnerability isn’t always a flaw in code. It’s a flaw in habit. Users create credentials for a secure application, then recycle that same password for a second, potentially vulnerable site. Once hackers breach the weaker site, they obtain a master key that also opens the door to the stronger one. Consequently, even the most robust authentication mechanisms—multi-factor included—are rendered useless if the secret is already in enemy hands.

In addition, this creates an impossible dilemma for defenders. The secure application has no visibility or control over how its users’ credentials are used elsewhere on the internet. The responsibility to protect data remains, but the attack vector originates far outside its security perimeter.

Seeing the Bigger Picture with Cloud Intelligence

So, what’s the solution? A single login attempt on a single application, even with stolen credentials, looks identical to a legitimate user making a typo. Blocking it based on that isolated data is risky and prone to false positives. However, the perspective changes dramatically at scale.

By contrast, inspecting the success and failure patterns of the same credentials as they are tested across hundreds of web applications—a view possible through cloud security intelligence—reveals the attacker’s footprint. This macro view can identify the source of the attack, the techniques being used, and the specific applications being targeted.

From Insight to Action

This intelligence transforms defense from reactive to proactive. Security teams can move beyond just blocking a single suspicious login. They can identify that a specific set of credentials is actively being peddled in attack campaigns and preemptively lock or flag those accounts across their entire ecosystem. This shifts the advantage back to the defender.

For instance, learning more about web application firewall strategies can complement this approach.

Closing the Security Loop: Education and Innovation

Ultimately, technical solutions must be paired with human ones. Security education is non-negotiable. Users must understand that a password used on a forum is a threat to their online banking. Encouraging password managers and unique passwords for every site is a foundational step in true account takeover prevention.

Simultaneously, standard defenses like strict password requirements, CAPTCHA systems, and login rate limiting remain essential. They raise the baseline cost of an attack. Yet, as the Taobao case shows, they are not a silver bullet against credential stuffing.

This means that the industry must also cultivate innovative solutions that operate in the “wilderness” of the broader internet—the space between applications where credential theft and testing occur. Finding and neutralizing threats in this landscape is the next frontier. It’s a challenging endeavor, but it may be the unavoidable step required to stay ahead of persistent threat actors. Exploring advanced cloud security solutions is key to this evolution.

In the end, account security is a shared responsibility. Platforms must build smarter, more interconnected defenses, while users must break the dangerous habit of credential reuse. Only then can the digital front door be truly locked.

Continue Reading
Click to comment

Leave a Reply

Your email address will not be published. Required fields are marked *

Infosecurity

Compromised Logins Surge as the Most Common Entry Point for Ransomware Attacks

Published

on

compromised logins ransomware

Stolen Credentials Now Drive the Majority of Ransomware Incidents

Cybercriminals have shifted tactics. A new analysis from Sophos shows that compromised logins are now the primary way ransomware gets inside a network. The report, based on real-world incidents, found that 79% of ransomware attacks trace back to an initial intrusion that exploited legitimate user credentials or abused identity systems.

That’s a major jump. It means the front door — a stolen password or a phished login — is now far more dangerous than a software bug.

“Over the last 12 months across the ransomware landscape we’ve seen attackers rely on ‘easier’ attacks, using compromised identities as the primary initial access vector,” said Ross McKerchar, CISO at Sophos, in a statement to Infosecurity. He pointed to advances in social engineering, including AI-polished phishing emails and sophisticated ClickFix campaigns designed to trick even trained users into bypassing multi-factor authentication (MFA).

How Attackers Get In: Phishing, Brute Force, and Old Vulnerabilities

The report breaks down the initial entry points. Malicious emails accounted for 26% of ransomware incidents, up from 19% in 2025. Phishing attacks — often used to steal credentials — were the root cause in 24% of cases, rising from 18% the previous year.

Brute force attacks came in third at 23%, a slight dip from 22% in 2025. That method relies on automation to guess weak or common passwords.

What’s falling out of favor? Exploiting known security vulnerabilities. That approach dropped from 32% in 2025 to just 18% in 2026. Attackers are choosing the path of least resistance — and that path leads straight to human error and weak identity controls.

Where Stolen Logins Are Used: VPNs, Firewalls, and IoT Devices

Once attackers have a valid login, they don’t stop at one system. The report details how exploited identities are used to move laterally. In 38% of cases, attackers accessed exposed applications or systems. Remote device logins accounted for 30%, firewalls for 21%, and exposed VPNs for 8%. Even IoT devices served as an initial point of entry in 3% of incidents.

That breadth of access points means a single compromised password can open multiple doors. No wonder identity-based attacks are surging.

Why Organizations Are Still Getting Caught Off Guard

Sophos surveyed 2,158 cybersecurity leaders. Their answers reveal persistent gaps. 62% cited security gaps in the network — both known and unknown — as a reason attacks went undetected. Over half (58%) said their organization was held back by a lack of people or expertise. And 57% felt they hadn’t implemented the right level of cybersecurity protections.

The message is clear: tools alone aren’t enough. Teams need the right skills and the right configurations to make identity-based defenses work.

Ransom Payments: Smaller Demands, But More Victims Paying

The report also tracks ransom demands. The median demand has fallen to $698,000, down from $2 million just two years ago. But that doesn’t mean attackers are getting softer. They’re tailoring demands to each victim. Smaller organizations get smaller asks. If the ransom seems “reasonable,” victims are more likely to pay — especially if they fear downtime will cost more than the ransom itself.

Among organizations that had data encrypted, 48% paid the ransom. Meanwhile, 66% used their own backups to restore some data, up from 54% in 2025. That’s progress, but it’s not a silver bullet.

How to Defend Against Identity-Based Ransomware Attacks

The Sophos report offers clear guidance: treat identity as a foundational security layer, not an afterthought. “Organizations should prioritize identity threat detection and response (ITDR), enforce multi-factor authentication across all access points, and regularly audit both human and non-human identity credentials,” the report recommends.

That means ransomware protection strategies must start with identity hygiene. Enforce MFA everywhere. Monitor for unusual login patterns. Audit credentials regularly. And don’t forget non-human identities — service accounts and API keys are often overlooked.

For readers looking to strengthen their defenses, a good place to start is understanding common phishing attack techniques and how to spot them. Training alone won’t stop every attack, but combined with strong identity controls, it raises the bar.

The bottom line? Attackers are going where the defenses are weakest — straight at the login screen. Organizations that lock that door first will have the best chance of keeping ransomware out.

Continue Reading

Infosecurity

Five Charged in UK Crackdown on ‘Russian Coms’ Fraud Platform Behind 1.3 Million Scam Calls

Published

on

Russian Coms fraud

Five Londoners Charged in ‘Russian Coms’ Vishing Probe

British police have charged five people from London in connection with a notorious fraud platform that enabled millions of scam calls. The suspects are accused of running and promoting National Crime Agency described as a cybercrime-as-a-service operation that tricked victims into handing over cash and personal data.

The charges include conspiracy to supply articles for fraud, money laundering, and failing to provide phone passcodes when ordered. All five are due to appear at Westminster Magistrates’ Court on August 14, 2026.

What Was Russian Coms?

Launched in 2020, Russian Coms started as a physical handset before evolving into a web-based app. Criminals used it to spoof caller IDs — making it look like they were dialing from banks, telecoms firms, or even law enforcement agencies.

“They allowed criminals to hide their identity by appearing to call from pre-selected numbers,” the NCA said in a statement. The goal was simple: convince victims their accounts were compromised and persuade them to transfer money to a “safe” account controlled by the scammers.

By the time the platform was shut down in 2024, it was linked to over 1.3 million scam calls targeting half a million UK phone numbers — plus many more overseas.

Who Are the Accused?

The five individuals charged are:

  • Ayoub Sehailia, 28
  • Zakkaria Sehailia, 30
  • Usman Din, 30
  • Denis Ozmus, 29
  • Fadila Salem, 53

All are from different parts of London. Their court date is set for August 2026, more than two years away — a sign of the complexity of the case.

A Cybercrime-as-a-Service Empire

Russian Coms was marketed aggressively on Snapchat, Instagram, and Telegram. The package sold to fraudsters included “unlimited minutes,” “hold music,” encrypted calls, voice-changing tools, and 24/7 support.

The handset version came preloaded with VPN apps to hide the user’s IP address and a burner app that wiped the phone clean at the touch of a button. A six-month contract cost between £1,200 ($1,600) and £1,400 ($1,870), depending on delivery method.

Victims lost tens of millions of pounds, the NCA estimates. Fraud now accounts for 41% of all crime in the UK, with over two-thirds of it cyber-enabled.

Broader Crackdown on Fraud Gaining Ground

This case is part of a wider push by UK authorities. In January 2025, three men were sentenced at Snaresbrook Crown Court for running OTP.Agency, a site that helped fraudsters bypass multi-factor authentication (MFA) to hijack bank and telecom accounts.

More recently, Operation Henhouse 5 led to more than 500 arrests, freezing orders against £9 million ($12 million), and seizures of cash and assets worth £18.1 million ($24.3 million).

Still, the scale of the problem is daunting. The NCA says fraudsters are constantly adapting, using platforms like Russian Coms to stay one step ahead. The charges announced today are a reminder that law enforcement is catching up — but the fight is far from over.

Continue Reading

Infosecurity

UK cyber pledge draws only a handful of top firms despite ministerial appeal

Published

on

UK Cyber Resilience Pledge

Only a handful of FTSE 350 giants signed up

Fewer than 15 of Britain’s 350 largest listed companies put their names to the government’s flagship voluntary cybersecurity scheme at its launch on Tuesday. That’s despite ministers writing personal letters eight months ago to the chair and chief executive of every single FTSE 350 firm, urging them to join.

The UK Cyber Resilience Pledge was unveiled at a 10 Downing Street reception hosted by Technology Secretary Liz Kendall. In total, 70 founding signatories were named. But 20 of those are strategic government suppliers — companies that deliver critical services to the state and were invited to sign via a separate Government Cyber Charter. Strip them out, and the launch included just 50 truly voluntary signatories from across the wider economy.

Among the big names that did sign: Aviva, the London Stock Exchange Group, and Marks & Spencer — the latter lost hundreds of millions of pounds in a cyberattack last year. The rest of the list is heavy on small cybersecurity consultancies like C3IA Solutions, Grey Zone Services and Nexor, for whom the pledge aligns neatly with their own commercial offerings.

What the pledge actually asks

The pledge is light-touch by design. It asks signatories to do three things:

  • Make cybersecurity a board-level responsibility
  • Register for the NCSC’s free Early Warning service
  • Take a risk-based approach to requiring Cyber Essentials certification across their supply chains

All of it is voluntary. There is no enforcement mechanism. The Department for Science, Innovation and Technology did not respond to questions about whether signing carries procurement consequences for strategic suppliers, nor whether it regarded the FTSE 350 turnout as a strong response to the ministerial letter.

Why so few? Experts weigh in

Jamie MacColl, a senior research fellow at the Royal United Services Institute, said the number of signatories struck him as low.

“I would be relatively surprised if most FTSE 350 companies were not meeting an equivalent standard. Why would they go through Cyber Essentials when in many cases they will have a certification that has many more controls in it?”

MacColl sees a familiar pattern. “I think the pattern with UK cyber policy is often a consultation, research, code of practice or conduct, some sort of voluntary pledge, and then regulation. This could be repeating that pattern.”

He added: “You could see this as a step in the process whereby they end up regulating. You’ve almost given the private sector enough rope to hang itself with. If not enough organizations or vendors sign up to this stuff, that gives the government the cause to say regulation is necessary.”

Timing and context

Tuesday’s launch had been planned to follow the unveiling of Britain’s new National Cyber Action Plan on Monday. That was delayed due to Prime Minister Keir Starmer’s resignation.

The launch comes amid wider scrutiny of the government’s appetite to compel industry to act on cybersecurity. It follows the NCSC complaining about organizations failing to follow its guidance and advice.

The government says it will keep reviewing the pledge. In its own words: “Given that the threat landscape is evolving and new complex cyber threats may emerge, government will continue to review the suitability of the pledge, with the potential of refining the actions at the end of a 12-month cycle.”

The cost of inaction

According to the government, “the average cost of a significant cyberattack on an individual UK business now stands at almost £195,000 ($260,000), with the annual cost to organizations estimated at £14.7 billion ($19.7 billion), excluding wider disruption across the economy.”

That £14.7 billion figure comes from research supporting a separate measure — the Cyber Security and Resilience Bill — which is still being debated in Parliament and is not expected to be enforced until 2028.

So for now, the message to Britain’s biggest companies is: you’re asked nicely. Whether that changes depends on how many more decide to sign up over the next 12 months.

Continue Reading

Trending