From passwords to profiles: How leaked credentials build full digital identities

Whether obtained accidentally or unlawfully through cyber-attacks, leaked credentials can have a serious impact—including identity theft, financial fraud, and privacy breaches.

Leaked credentials can include login information such as usernames and passwords, session cookies, or application programming interface (API) secrets, which are exposed to unauthorised personnel.

Gaining unauthorised access is one of the first steps in launching a cyberattack. Once access is obtained, these credentials can be misused for unauthorised access to information systems, posing significant security risks to both individuals and enterprises.

Once an attacker is inside, the profile can be maliciously changed and updated, leaving the account compromised. ISACA’s 2025 Quantum Computing Pulse Poll offers an eye-opener: cybercriminals are already collecting data to decrypt with quantum computing. A little more than half the people who were surveyed are worried about “harvest now, decrypt later” attacks.

Here’s how the process typically unfolds: A third-party platform gets hacked, exposing user data such as email addresses, usernames, and passwords. These hacks can occur due to vulnerabilities in software, unpatched systems, or weak security practices that get exploited by threat actors.

Credentials are sold or shared on the dark web or in combo lists, files containing millions of username-password pairs. Credential stuffing attacks are performed. Automated bots test these credentials across hundreds or thousands of websites and services.

This method is efficient because attackers use valid credentials, making it faster than brute-force attacks. When a match is found, attackers can log in, bypassing multi-factor authentication (MFA) in some cases, thereby gaining unauthorised access to escalate privileges, exfiltrate data, or deploy ransomware.

Identity theft can manifest in many ways. The credentials can be exploited to impersonate a person. The threat actor, posing as that person, can send a message to an already existing contact, such as on Facebook or WhatsApp, and request quick money because of an emergency, thus creating a sense of urgency.

The person receiving the message tends to believe it, as it appears to come from a known contact, and perhaps ends up giving money. Sooner or later, the person who sent the money becomes a victim of a financial crime.

Social engineering attacks, such as phishing, involve tricking users into revealing their login credentials by posing as legitimate entities. In the case of phishing, attackers often send emails or create fake websites that closely resemble trustworthy services, prompting victims to enter their credentials. Once entered, these credentials are captured by the attackers.

Such attacks are highly effective because they exploit human weakness rather than technical vulnerabilities, making them a persistent threat to both individuals and organisations. According to ISACA’s latest State of Cybersecurity report, 19 per cent of organisations globally were attacked via social engineering last year.

But the story doesn’t have to end here. Robust access control security, including good password management practices, can help organisations protect themselves, the data and the data subjects.

Laws and regulations are starting to address the issue. In India, the Information Technology Act 2008 (Amendment) has provisions for “Cheating by personation using computer resource” under Sec 66D. The penalty for this offence is imprisonment up to three years, or/and with a fine of up to one lakh rupees.

To mitigate the risk of compromised credentials, ensure that passwords are of good quality: a combination of capital and small letters, numbers and special characters; unguessable; unique for every account, i.e. different across information systems, emails, banking accounts, social media accounts, etc.; changed frequently, and changed in case of a cyberattack or suspicious activity on the account; and used in combination with multi-factor authentication and monitoring for leaks.

At an enterprise level, conditional access policies that enforce stronger authentication or deny access based on unusual behaviours (e.g., geographic location, time of access) or device trust levels can be implemented.

Credential stuffing detection tools can aid in detecting and blocking automated login attempts, particularly on public-facing apps, by identifying patterns and limiting requests from suspicious internet protocol (IP) addresses.
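The pattern such tools look for can be shown in a few lines. The following is an added example, not part of the original article: it flags a source IP that tries many different accounts with mostly failed logins inside a short window, and lists any accounts that logged in successfully during that window. The log format, thresholds and function names are assumptions, and the sample log is constructed.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

WINDOW = timedelta(minutes=5)  # assumed sliding window per source IP
MAX_USERS = 5                  # assumed: distinct usernames tolerated per window
MIN_FAIL_RATIO = 0.8           # assumed: stuffing traffic is mostly failures

def parse(line):
    ts, ip, user, result = line.split()
    return datetime.fromisoformat(ts), ip, user, result == "OK"

def detect_stuffing(lines):
    """Return {ip: [accounts that logged in OK inside a flagged window]}."""
    recent = defaultdict(deque)  # ip -> (ts, user, ok) events still in the window
    flagged = {}
    for ts, ip, user, ok in sorted(map(parse, lines)):
        q = recent[ip]
        q.append((ts, user, ok))
        while ts - q[0][0] > WINDOW:  # expire events older than the window
            q.popleft()
        users = {u for _, u, _ in q}
        fails = sum(1 for _, _, o in q if not o)
        # Many accounts from one IP, mostly failing: stuffing, not a lone
        # brute-forced account and not a shared office NAT.
        if len(users) > MAX_USERS and fails / len(q) >= MIN_FAIL_RATIO:
            flagged.setdefault(ip, set()).update(u for _, u, o in q if o)
    return {ip: sorted(hits) for ip, hits in flagged.items()}

def sample_log():
    """Constructed log lines using documentation IP ranges; not real data."""
    t = "2025-01-10T09:%02d:%02d"
    stuffing = [f"{t % (0, i)} 203.0.113.7 user{i:02d} "
                f"{'OK' if i == 5 else 'FAIL'}" for i in range(1, 9)]
    one_account = [f"{t % (1, i)} 198.51.100.20 bob FAIL" for i in range(10)]
    office_nat = [f"{t % (2, i)} 192.0.2.50 staff{i} OK" for i in range(7)]
    return stuffing + one_account + office_nat

if __name__ == "__main__":
    for ip, hits in detect_stuffing(sample_log()).items():
        print(f"block/rate-limit {ip}; force password reset for: {hits}")
```

The accounts returned for a flagged IP are the ones where a leaked password actually worked, so they are the first candidates for a forced reset and session revocation.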

Just-in-time (JIT) access controls ensure credentials are only active for a limited time, reducing the likelihood that static credentials could be compromised and misused by unauthorised users. If you don’t take care of your account, someone else will help themselves to your information!

The author, Chetan Anand, is the AVP – Information Security and CISO at Profinch Solutions, ISACA Emerging Trends working group member and a national cyber security scholar

The opinions expressed in this article are those of the author and do not purport to reflect the opinions or views of THE WEEK.
