What Is Credential Harvesting? 2024’s Must-Know Facts

What is Credential Harvesting?  Must-Know Facts

Bad actors are after your credentials. By using credential harvesting attacks, cybercriminals seek to capture user credentials en masse.

Login credentials are digital keys that we use to access our medical records, financial information, and social media accounts.

So, cybercriminals will naturally use credential harvesting techniques to attempt to steal our credentials and use them for nefarious purposes.

While anyone can have their user credentials stolen online, learning about this practice, how it works, and how to prevent attacks will equip you with the knowledge to prevent such attacks.

But first let’s understand exactly what credential harvesting is and how it’s different than other cyber attacks.

Are you ready? Let’s go.

What is Credential Harvesting?

Credential harvesting is when a cybercriminal attempts to steal credentials en masse. This is an important distinction between credential harvesting and other types of cyber attacks.

Credential harvesting attacks don’t generally target an individual but rather a database, a company, or a stockpile of credentials that can later be sold on the dark web, used to carry out another cyber security attack, or tp steal sensitive information and money.

Wherever credentials can be found in bulk, criminals will be looking to harvest them.

Credentials of value that criminals might look to steal include:

  • Passwords
  • IDs
  • Usernames
  • Email addresses
  • Cell phone numbers
  • Credit card information
  • Social security numbers

Credential Harvesting Attack Techniques

There are many different ways a criminal can try to steal a copious amount of valuable credentials. These are some of the most popular credential harvesting attack techniques.


Spear pishing and whaling attacks are not considered credential harvesting attacks because they’re more personalized and usually target only a handful of users.

However, more generic phishing attacks that involve emails sent in bulk to try to convince a user to hand over sensitive information are considered a credential harvesting tactic.

Similar attack vectors include vishing and smishing.


A keylogger is a type of malware that logs your keystrokes.

That means that every time you type your ID and password into a website, it’s being recorded and sent to a command and control server where a hacker can sell it or use it to carry out a more sophisticated and targeted attack.

Fake Wi-Fi Access Points

You may be tempted to use that public Wi-Fi connection, but doing so jeopardizes the safety of sensitive information.

While you think you’re logging into a government-provided Wi-Fi as you browse the Internet in a public park or the super secure Wi-Fi connection provided by a coffee shop, you may well have logged into an insecure network.

An evil twin attack occurs when a hacker sets up an insecure network access point that impersonates a trusted network.

Once logged into this network, the cybercriminal can use a captive portal and monitor your traffic to capture your credentials.

Session Hijacking

Session hijacking occurs when a black hat hacker takes over your internet session.

Imagine being signed into your bank account when a hacker uses session-grabbing techniques to gain access to a session cookie and then your bank account and login credentials.

There are various ways a hacker may gain access to a valid computer session, including:

  • Brute force attack to guess a session ID
  • Cross-site scripting by injecting malicious scripts into web pages
  • Tricking legitimate users into installing malware capable of hijacking an internet session
  • Session fixation, where users are tricked into using a session ID controlled by a hacker

Malware and Spyware

Various types of malware can be designed and deployed to collect user credentials, but you’ll most commonly see malware and spyware deployed via a phishing attack sent to thousands of users.

Once the malware is clicked, the malicious program will run, and credentials will be automatically collected.

malware stats

Real-World Credential Harvesting Examples

All this can seem somewhat abstract until you see how a credential harvesting attack occurs in the real world. So, here are some examples for you to better understand what we’re dealing with.

AT&T Attack

AT&T is the largest telecommunications company in the United States. As such, it has a wealth of information that, if accessed, could be sold for a hefty profit.

That’s exactly what hackers did in 2021 when they gained access to the sensitive information of over 70 million customers and attempted to sell it on the dark web.

Some of the information hackers accessed included:

  • Passwords
  • Full names
  • Email addresses
  • Mailing addresses
  • Phone numbers
  • SS numbers
  • Date of birth
  • Account numbers

These stolen credentials were later being sold on the dark web for a whopping one million dollars.

The hack took place in 2021, but at the time, AT&T denied that the information accessed was their own customer data. Eventually, after the illegally accessed information resurfaced on the dark web, AT&T publicly admitted to it.  

Not much is known about how the attack was carried out. However, it was revealed that sensitive information was being stored in an encrypted format that could easily be decrypted.

Roku Attack

In April 2024, it was first reported that Roku suffered a credential stuffing attack that compromised 576,000 Roku accounts—its second hack of the year.

The hackers used credentials that were made public in a seperate credential stuffing attack and used that to access the compromised Roku accounts.

Being that many users use the same passwords and login information for various accounts, these hackers were ultimately able to gain access to hundreds of thousands of accounts on other services.

The hackers were only able to make in-app purchases on about 400 accounts using the credit card on file, but they were unable to gain access to credit card information and use the customers cards to make out-of-app purchases.

As a response, Roku now requires users to create new passwords and set up two-factor authentication.

Credential Harvesting Attack Impacts

We’ve seen the impacts on individuals when compromised Roku accounts are charged for purchases they never made; but when it comes to compromised credentials, a $10 charge for renting a movie should be the least of your worries.

As we’ve seen in the Roku hack, many users reuse the same login credentials across various accounts, meaning that a leaked account could gain access to a myriad of more important ones.  

Once a hacker has your personal identifiable information (PII), they may decide to steal your identity, open financial accounts in your name, and commit other forms of financial fraud that could leave you in debt or with a tarnished credit score that takes years to improve.

From an organization’s standpoint, being the victim of a data leak could be equally impactful.

IBM reported that the average cost of a data breach for a company was $4.3 million USD. 

These costs come from compensating customers, creating accounts to monitor one’s credit, fines, legal fees, and investments in new security systems.

This calculation doesn’t even take into account the revenue loss that comes from customers deciding not to use a company’s services anymore.

Detection of Credential Harvesting Activities

We know what credential harvesting attacks are and how damaging they can be. Now it’s time to fight back and learn the best ways to detect that personal information is being stolen.

We’ve seen that not all credential harvesting attacks are the same. In fact, there are various types of harvesting attacks that a hacker may use to steal information.

This means security teams must use an array of cyber security tools and tactics to detect when information is being illegally obtained.

Here are a few detection methods companies employ to secure their data.

Data Loss Prevention (DLP)

A data loss prevention solution helps identify sensitive information and prevent it from leaving a company’s network. This solution helps companies monitor their sensitive data, ensuring it doesn’t get into the wrong hands.

Intrusion Detection/Prevention System (IDS, IPS)

Both an IDS and an IPS monitor network traffic and flag anything that looks out of the ordinary.

The difference between these two is that while both can detect anomalous traffic, only an IPS can take a predetermined action to address it. An IDS will only alert you that suspicious traffic has been detected.

Antivirus Software

Antivirus software will use signatures to detect if you have malware on your computer.

As most credential stuffing techniques use malware to carry out an attack, it’s vital that antivirus software is used to detect and delete nefarious software.

Packet Sniffing Tools

A tool like Wireshark can be used to gain a clearer understanding of where certain information is being sent.

If an IDS has flagged unusual outbound traffic you would use a packet sniffer to further investigate and potentially find that customer data is being sent to a suspect IP address.

Security Information and Event Management (SIEM)

A SIEM captures every piece of data that circulates within your network. Every time someone logs in, changes a password, or sends data, it’s logged in the SIEM.

So, if someone attempts to escalate privileges, change a password, or make various unsuccessful attempts to gain access to information—all behaviors associated with credential harvesting—it’ll be logged and potentially reviewed at a later time.

Preventive Measures Against Credential Harvesting

While it’s important to be able to detect when you’re under attack, the best way to protect yourself is to take preventative measures.

We recommend using a defense in-depth solution and using a variety of strategies to keep your customers’ data safe.

Education and Awareness Training

You can have a whip-smart SOC team and use all the latest technology, giving your company an ostensibly solid security posture. But all this is no good if non-cyber employees lack basic cyber security knowledge.

Every employee plays a role in keeping an organization and its customers safe from cybercrime. Some cyber security awareness topics you’ll want to cover include:

Use of Advanced Authentication Methods

You don’t just want anyone to access company systems and information. Make sure only those with the right permissions can do so.

Keep information safe by using advanced authentication methods. More than anything, this means using multi-factor authentication to gain access to data and systems.

It’s important that users choose solid passwords, but sometimes this isn’t enough to keep your company safe from a hack. Authenticate a second time via email, biometrics, SMS, or an authenticator app.

Regular Updates and Patch Management

The easiest and most powerful way to protect against hackers exploiting a vulnerability and hacking your company is to simply update your software.

IT companies are always finding bugs and creating patches. It’s up to your IT and cyber security team to regularly update their systems with these security patches.

Secure Configuration

Default settings aren’t the safest. If you’re thinking that default settings on network and endpoint devices will secure your network, you’re wrong.

Out-of-the-box settings need to be adjusted to protect your network from attacks.

Legal and Regulatory Considerations

Governments worldwide understand the importance of protecting customer data. As such, they require companies to comply with a number of laws designed to pressure them to protect personal data.

Here’s a list of laws and regulations implemented by governments around the world:

Should companies not comply with these laws, they’ll be issued stiff financial penalties.

Perhaps, two of the most impactful regulations are HIPAA and GDPR.

HIPAA, or the Health Insurance Portability and Accountability Act, is a US federal law that establishes national standards for protecting patients’ medical records and personal health information.

This law requires companies storing health data to use specific security controls to prevent sensitive data from getting into the wrong hands.

GDPR, or the General Data Protection Regulation, is widely known as the strongest data privacy and security law ever created. It requires companies that house data from European customers to comply with a strict list of security measures.

The fines for violating GDPR are very high, reaching up to 20 million euros or 4% of a company’s global revenue—whichever is higher. Data owners also have the option to seek compensation for damages.


Credential harvesting is becoming an even more common practice as hackers continue to understand the value of customer data.

This year, IBM reported that 30% of all cyber attacks used valid credentials collected through credential harvesting efforts.

It’s important that cyber professionals, companies, and customers understand the credential harvesting definition and how to best defend against these attacks.

Laws and regulations will keep companies in check, but ultimately keeping data safe from prying eyes is a team effort.

To learn about how credential stuffing is used to carry out devastating attacks we encourage you to join StationX’s Accelerator Program.

Here, you’ll have access to over 1,000 cyber security labs and courses. You’ll also receive one-on-one support and mentorship, join a mastermind group, and team up with fellow members.

To learn more about credential harvesting, consider signing up for these courses:

Frequently Asked Questions

Level Up in Cyber Security: Join Our Membership Today!

vip cta image
vip cta details
  • Spencer Abel

    Spencer is part cyber security professional and part content writer. He specializes in helping those attempting to pivot into the vast and always-changing world of cyber security by making complex topics fun and palatable. Connect with him over at LinkedIn to stay up-to-date with his latest content.