While credential harvesting might sound like a new farming technique, we haven’t decided to open a fruit-picking business on the side. On the contrary, credential harvesting, also known as username or password harvesting, is a type of cyberattack that targets personal data such as usernames, passwords, email addresses and user IDs.

Examples of how this data is used include:

  • Breaking into your business system and stealing confidential information
  • Hacking people’s Ticketek accounts to steal and on-sell their highly coveted TayTay concert tickets
  • Exploiting stolen credentials to insert malware into a software update, as in the infamous SolarWinds supply chain attack

A whopping 56% of the cyber incidents in the second half of 2023 involved compromised or stolen credentials. Compare this with ransomware attacks, which accounted for around 27% of the cyber incidents.

So, how do threat actors manage to get their sticky fingers on people’s personal login data? Here are some of the common methods:

  • Phishing – where a fraudulent email, posing as a genuine email from a known brand such as a bank, the government, or a software company, is sent directing people to enter their credentials into a malicious website.
  • Malware – cyber criminals send a mass email with an infected attachment; when opened, it installs a program on the recipient's computer that captures and records their usernames and passwords.
  • Domain spoofing – the hacker builds a website that impersonates the site of a genuine, legitimate business and saves the login information that users enter.
  • Man-in-the-Middle attacks – a threat actor intercepts the communication between two parties and captures any sensitive information shared.

For the victim of credential harvesting, be that a business or an individual, the impact is devastating. The cybercriminals could clean out your bank account, download your customer and employee data, hijack your system to send out malware via your supplier integrations… the list goes on.

Despite this, many businesses still don’t have a password management tool. We have talked previously about how human error is often the gateway that threat actors leverage to infiltrate your systems – you can check out previous blog posts on the topic here.

Here are some pro tips that LastPass offers to help keep you secure:

1. Treat all passwords as valuable to hackers – you might not be concerned about a hacker reading all of the junk emails hitting your Yahoo account. Regardless, if the password uses similar information to your banking account or your emails contain bank account information, you are exposing yourself to unnecessary risk.

2. Use a password manager for safe password sharing across multiple employees where necessary.

3. A random, nonsensical list of words combined with symbols and numbers is more challenging to crack than individual words.
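To put the third tip in numbers, here is an added example (not LastPass code) that generates a random multi-word passphrase the way a password manager would and compares the attacker's guess space for it against a single dictionary word with a mangling rule. The wordlist, dictionary sizes, rule count and guess rate are assumed figures, not measurements from this post.

```python
import math
import secrets

# Constructed stand-in for a real wordlist (a password manager ships thousands
# of words); only the list size feeds the entropy math below.
SAMPLE_WORDS = ["anchor", "cobalt", "drizzle", "falcon", "granite", "harbor",
                "ignite", "jasper", "kestrel", "lantern", "meadow", "nimbus"]
SEPARATORS = "!@#$%&*-_"


def generate_passphrase(words=SAMPLE_WORDS, n_words=4):
    """Pick n_words uniformly with a CSPRNG and join them with a random symbol+digit."""
    chosen = [secrets.choice(words) for _ in range(n_words)]
    sep = secrets.choice(SEPARATORS) + str(secrets.randbelow(10))
    return sep.join(chosen)


def passphrase_bits(wordlist_size, n_words, n_separators=len(SEPARATORS)):
    """Guess-space entropy when the attacker knows the scheme: wordlist_size^n_words
    candidates, times (separators * 10 digits) for the one random separator."""
    return n_words * math.log2(wordlist_size) + math.log2(n_separators * 10)


def single_word_bits(dictionary_size, mangling_rules):
    """'Password1!'-style choice: one dictionary word plus a mangling rule
    (capitalise, append digit/symbol). The attacker tries dictionary x rules."""
    return math.log2(dictionary_size * mangling_rules)


def years_to_exhaust(bits, guesses_per_second):
    """Worst-case time to try every candidate at a given offline guess rate."""
    return 2 ** bits / guesses_per_second / (365 * 24 * 3600)


if __name__ == "__main__":
    print(generate_passphrase())
    # Assumed attacker model (constructed numbers): 100k-word dictionary with
    # 10k mangling rules, versus 4 words from a 7,776-word (diceware-sized)
    # list, at 10 billion guesses per second.
    weak = single_word_bits(100_000, 10_000)
    strong = passphrase_bits(7776, 4)
    print(f"word+rule:      {weak:.1f} bits, {years_to_exhaust(weak, 1e10):.2g} years")
    print(f"4 random words: {strong:.1f} bits, {years_to_exhaust(strong, 1e10):.2g} years")
```

The point the numbers make is that visual complexity is irrelevant; what counts is how many candidates an attacker who knows your scheme has to try.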

At the end of the day, we know that people choose weak passwords, reuse the same passwords for multiple accounts, and sometimes think that multifactor authentication (MFA) is a pain in the rear end and not worth their time. For these reasons, it’s a no-brainer to implement a password manager. A password manager like LastPass makes the process so quick and simple that it is easier to generate strong passwords and store them in your vault than it is to type in abc123 each time.

Don’t expose yourself to unnecessary risk—the cost-benefit analysis of this single tool is well worth your while, no matter your business size.