Credential Leaks and Infostealers: An Analysis and Preventive Measures

In recent years, credential leaks and the action of infostealers—malwares designed to steal sensitive information from computers and devices—have become a growing concern for individuals and organizations. The recent attack on Santander Bank, which affected customers in Spain, Chile, and Uruguay, highlights the importance of understanding these threats and implementing effective preventive measures.

The hacker group known as ShinyHunters has been a constant presence in the cybersecurity landscape since its formation in 2020. They specialize in invasions and data leaks, with information often sold on the dark web. The name is supposedly inspired by shiny Pokémon, which are found rarely in the games of the franchise. Similarly, ShinyHunters seek valuable data in their cyber incursions and have an impressive track record of attacks on various organizations and online platforms, such as the attack on Wattpad in 2020, when they exposed 270 million user records, and on AT&T Wireless the following year, when they began selling information from 70 million subscribers, including phone numbers, personal data, and social security numbers.

In the most recent case, Santander identified unauthorized access to a database hosted by a third-party provider. Immediate measures were taken to contain the incident, including blocking the compromised access to the database. Information related to Santander customers in the three affected countries, as well as current employees and some former employees, was accessed.

Although no transactional information or credentials for transactions (such as online banking details and passwords) were contained in the database, and banking operations and systems were not affected, the perception of banking security is shaken in such a situation. Investors and customers may question the banks’ ability to protect their data and transactions. And, as in other business activities, customer trust is essential for the success of any financial institution.

To mitigate the risks associated with credential leaks and infostealers, organizations and individuals should adopt protective measures. One of the main ones is credential management. For this, we suggest encouraging the use of strong and unique passwords for each service and implementing two-factor authentication (2FA) whenever possible, in addition to regularly monitoring data leaks to check if user credentials have been compromised.

Another fundamental aspect is updates and patches. It is advisable for organizations to keep operating systems, applications, and plugins updated to fix known vulnerabilities and to regularly check for security updates, to apply them promptly. User awareness is also a front of action that we must highlight. The suggestion in this case is to educate employees about the risks of phishing and the importance of not reusing passwords, as well as conducting regular training to increase awareness of cybersecurity. Regarding monitoring and detection, we recommend using security tools to detect suspicious activities, such as unauthorized access attempts, and monitoring the dark web for credential leaks associated with your organization.

The cooperation of employees plays a crucial role in cybersecurity. They must be aware of the risks, follow the company’s security policies, and report any suspicious activity. In addition, employee cooperation to participate in awareness and training programs strengthens the organization’s security posture. Preventive measures can and should be adopted to protect organizations and individuals against these growing threats.

Ronaldo Andrade, CISO (Chief Information Security Officer) at Horiens.