BLUF: When breach data leaks into the public domain, it never leaves. You must address those accounts, passwords, or tokens wherever they are used in your environment. Replace breached passwords or tokens immediately. Increase monitoring on accounts that have suffered breaches in the past. If you still see failed logins, change the user’s email address. And always enforce MFA.
Email address in a data breach
Millions of passwords have been leaked, open to the public. That's in addition to the passwords or credentials for sale on darkweb sites. Those free keys are available for attackers who will try to login across your applications and conduct a more damaging attack. Change credentials regularly and especially when you suspect they have been leaked or reused. Some of those can be your company’s own leaked credentials.
Search through publicly available breach data for information related to your domain. Pastebins and haveibeenpwned.com data are public resources. Even breaches that exist on the dark web marketplaces are tracked by major darkweb intelligence firms. Consult your Security Provider if leaked credentials have been a major vulnerability.
The leaked data can be a treasure trove of open source information for an attacker. Even if an email appears without the password, or a seemingly irreversible hash of a password, all these data points can be used to target organizations. The findings range from PII (full name, address, phone number), bank records, hashes, or more specifically email addresses with exposed or weak password combinations.
When is the last time you rotated all corporate passwords and credentials? If you do not know what has been leaked in the past, you cannot proactively changes these credentials to prevent an attack. Picture an attacker who finds leaked emails and passwords online. Since the email is "@" your domain, they will use that one credential to try all of your online services.
Many organizations use Single-Sign-On, and many people carelessly recycle passwords across applications. Some of those leaked credentials may still be valid for a given app if a user rotates between a few memorable passwords for their personal and work accounts. It is crucial to reset ALL passwords after any confirmed security event. To level-set across the company it is best-practice to perform password resets at a set interval and enforce long passphrases. A brute force attack that uses known password hashes against your web application is the perfect example of breached data leading to malicious access.
How to check and protect your credentials:
1. Haveibeenpwned.com and OSINT Toolbox lets you search a large dataset for corporate emails and credentials
2. Enforce MFA, always, and log failed access attempts
3. Set policies to not allow password re-use, reset them at least once a year, and force reset any time you detect a security event
4. If a username/password was compromised, a reset might not prevent brute force attempts. Consider changing the username