# Leaked User Credentials Detected

Detects users whose credentials appear in known data breach databases or dark web credential markets, as reported directly by the connected identity providers. This can indicate either that a user's own credentials have been compromised or that they are using a common password, such as 'password', which frequently appears on exposed credential lists.

Compromised credentials enable unauthorized access through credential stuffing, where attackers use a valid stolen password to gain access to users' personal and corporate accounts and applications without triggering typical security controls.

#### **Recommended Actions**

Revoke all active sessions for the affected user and force an immediate password reset through the identity provider to ensure the compromised credential can no longer be used. Educate the user on the risks of reusing similar passwords across business and personal services.

Review recent login history and account activity for signs of unauthorized access that may have occurred before the alert was generated, especially around sensitive apps such as customer records, finance systems, or support tools, so that any misuse tied to the exposed credential is contained quickly. Pay particular attention to events from unfamiliar geographic locations or unrecognized devices.

Require complex, unique passwords and strong multi-factor authentication methods so that accounts remain protected even if future credentials are compromised. Ensure your organization is using any functionality available within its identity provider(s) to block users from creating accounts with compromised credentials and to automatically log users out and force password resets when breached credentials are detected.
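The login-history review described above, as an added example that is not part of the Oort documentation or product: it takes a user's sign-in events (a constructed sample, not real telemetry) and, for the window before the alert, flags those from countries outside the user's baseline or from unrecognized devices, ranking successful sign-ins to sensitive apps highest. The app names in `SENSITIVE_APPS` and the event fields are assumptions about what an identity provider exports.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta

@dataclass(frozen=True)
class LoginEvent:
    user: str
    ts: datetime
    country: str      # country resolved from the source IP, as reported by the IdP
    device_id: str    # device identifier as reported by the IdP
    app: str
    success: bool

# Hypothetical names for apps the organization treats as sensitive (assumption).
SENSITIVE_APPS = {"crm", "finance-erp", "support-desk"}

def triage_login_history(events, user, alert_ts, baseline_countries,
                         known_devices, lookback_days=30):
    """Flag pre-alert sign-ins by `user` from an unfamiliar country or unrecognized device."""
    window_start = alert_ts - timedelta(days=lookback_days)
    findings = []
    for e in sorted(events, key=lambda ev: ev.ts):
        if e.user != user or not (window_start <= e.ts <= alert_ts):
            continue
        reasons = []
        if e.country not in baseline_countries:
            reasons.append("unfamiliar country")
        if e.device_id not in known_devices:
            reasons.append("unrecognized device")
        if not reasons:
            continue
        # A successful sign-in to a sensitive app is the highest-priority finding.
        severity = "high" if e.success and e.app in SENSITIVE_APPS else "medium"
        findings.append({"ts": e.ts, "app": e.app, "country": e.country,
                         "device_id": e.device_id, "reasons": reasons,
                         "severity": severity})
    return findings

# Constructed sample events, not real telemetry.
ALERT_TS = datetime(2024, 6, 3, 12, 0)
SAMPLE_EVENTS = [
    LoginEvent("jdoe", datetime(2024, 5, 20, 9, 0), "US", "laptop-01", "email", True),
    LoginEvent("jdoe", datetime(2024, 5, 30, 2, 15), "BR", "unknown-77", "crm", True),
    LoginEvent("jdoe", datetime(2024, 6, 1, 8, 30), "US", "laptop-01", "finance-erp", True),
    LoginEvent("jdoe", datetime(2024, 6, 2, 22, 45), "NL", "laptop-01", "email", True),
    LoginEvent("asmith", datetime(2024, 6, 2, 10, 0), "RU", "unknown-12", "crm", True),
    LoginEvent("jdoe", datetime(2024, 6, 5, 10, 0), "BR", "unknown-77", "crm", True),  # after the alert
]

if __name__ == "__main__":
    for f in triage_login_history(SAMPLE_EVENTS, "jdoe", ALERT_TS, {"US"}, {"laptop-01"}):
        print(f["severity"], f["ts"], f["app"], ", ".join(f["reasons"]))
```

Events after the alert are deliberately excluded so the output answers only the question the recommended action asks: what happened before detection.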

#### **Compatibility**

[Microsoft Entra ID](/integrations/azure-active-directory-integration.md)

[Okta](/integrations/okta-data-integration.md)

[Duo](/integrations/duo-security-integration.md)

#### **Use Cases**

* An employee reuses their corporate password on a personal website that later suffers a breach, and the identity provider matches that exposed password to the employee's business account.
* Credential-stealing malware on a personal device captures corporate login credentials that later appear listed for sale on a dark web marketplace, triggering the identity provider's risk detection for the associated account.

#### **Real-World Incidents**

**Snowflake Customer Breaches — May 2024**\
Infostealer-harvested credentials were used to access over 160 companies' Snowflake environments with no MFA in place. Victims included AT&T, Ticketmaster, and Santander, with hundreds of millions of records stolen and significant ransom demands made.\
[BleepingComputer, May 2024](https://www.bleepingcomputer.com/news/security/snowflake-warns-customers-that-hackers-are-targeting-their-accounts/)

**Change Healthcare — February 2024**\
Stolen Citrix portal credentials with no MFA enabled allowed ALPHV/BlackCat ransomware operators to access Change Healthcare's systems undetected for 9 days, ultimately exposing the health records of approximately 190 million Americans.\
[BleepingComputer, Apr 2024](https://www.bleepingcomputer.com/news/security/change-healthcare-breach-hits-190-million-americans/)

**ADT Breach via Stolen Credentials — October 2024**\
Attackers accessed ADT systems using stolen credentials from a third-party business partner, demonstrating how credential exposure at one organization can cascade into breaches at connected parties.\
[BleepingComputer, Oct 2024](https://www.bleepingcomputer.com/news/security/adt-discloses-second-breach-in-2-months-data-stolen-from-third-party/)
