IronSights

Threats & attacks

Credential harvesting

The process of capturing login credentials — usernames and passwords — through phishing sites, malware, data breaches, or other means, typically for use in account takeover or sale on dark web markets.

Also known ascredential theftcredential compromisestolen credentials

In plain English

Credential harvesting is how attackers collect passwords at scale. Whether through a convincing fake login page, a keylogger installed via malware, or purchasing a dump from a previous data breach, attackers collect credentials and try them against corporate systems — often months or years after the original breach.

Full definition

Attackers collect credentials in a few ways. sites clone a login page, capture what the user types, and redirect them to the real service so nothing looks wrong. Keyloggers record every keystroke. Data dumps from past breaches get sold on dark web markets for a few hundred dollars and run against corporate login portals in automated campaigns. The original breach might have happened years ago at a completely unrelated service. The password gets reused, and that is the problem.

Credential stuffing is exactly this: taking a list of email and password pairs from one breach and testing them against other services at scale. An Australian business whose finance manager uses the same password for their banking login and their Microsoft 365 account is exposed to every breach that ever captured that password, regardless of where it came from.

stops most credential-based attacks outright. If an attacker has a valid username and password but cannot pass the second factor, they cannot log in. 's can also flag impossible-travel events, where a login appears from Sydney and then, three minutes later, from Eastern Europe. IronSights monitors for these signals as part of Fortify, and credentials found in known breach databases can be checked against your tenant using Microsoft's leaked credential detection.

Keep learning

More terms in the IronSights Glossary.