Thousands of Stolen Credentials Accessible via Google Search as Cybercriminals Accidentally Make Them Public

Stu Sjouwerman | Jan 22, 2021

A publishing goof by cybercriminals on compromised WordPress sites left files containing stolen passwords indexable by Google, which made them publicly available to anyone who searched for them.

What started as a Xerox scan-notification phishing scam intent on stealing victims' Office 365 credentials became a story of how even the bad guys make mistakes. According to a new report from Check Point, the attackers made a publishing mistake that exposed the files containing the stolen passwords across dozens of drop-zone servers.

Because the files were indexed by Google, the passwords could have been (and possibly were) picked up by opportunistic hackers who knew what to search for. Check Point says it found dozens of compromised WordPress servers hosting the malicious PHP files that collected and stored the stolen credentials.
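The defender's side of this story is checking your own WordPress installs for the same pattern: a PHP file dropped where only media should live, and a plaintext stash of email:password lines sitting inside the document root where a crawler can reach it. The scanner below is an added example written for this article, not Check Point's or KnowBe4's tooling, and the sample site it builds is constructed data; the file names, the `wp-content/uploads` convention as the "media only" directory and the three-hit threshold are assumptions, not details from the report.

```python
import re
import tempfile
from pathlib import Path

# Hypothetical scanner (added example, not from the article or Check Point).
# It walks a WordPress document root and flags two things the incident implies:
#   1. PHP scripts under wp-content/uploads, which should hold only media, and
#   2. plaintext files that look like a credential dump (email:password lines).
# Anything flagged under the web root is, by definition, reachable by a crawler
# unless the web server blocks it, which is exactly how the stolen passwords
# ended up in Google's index.

# One "email <sep> secret" line; separators seen in dumps are ':', '|' or ','.
CRED_LINE = re.compile(r"^[^\s:|,]+@[^\s:|,]+\.[a-z]{2,}\s*[:|,]\s*\S+", re.I)
PHP_SUFFIXES = {".php", ".phtml", ".php5", ".php7"}
TEXT_SUFFIXES = {".txt", ".log", ".csv", ""}
UPLOADS_PARTS = ("wp-content", "uploads")


def looks_like_credential_dump(path, min_hits=3):
    """True once at least min_hits lines match the email:password shape."""
    hits = 0
    try:
        with open(path, "r", encoding="utf-8", errors="replace") as fh:
            for line in fh:
                if CRED_LINE.match(line.strip()):
                    hits += 1
                    if hits >= min_hits:
                        return True
    except OSError:
        return False
    return False


def scan_web_root(web_root):
    """Return sorted (relative_path, reason) findings under web_root."""
    root = Path(web_root)
    findings = []
    for p in root.rglob("*"):
        if not p.is_file():
            continue
        rel = p.relative_to(root)
        suffix = p.suffix.lower()
        if suffix in PHP_SUFFIXES and rel.parts[:2] == UPLOADS_PARTS:
            findings.append((rel.as_posix(), "php_in_uploads"))
        elif suffix in TEXT_SUFFIXES and looks_like_credential_dump(p):
            findings.append((rel.as_posix(), "credential_dump"))
    return sorted(findings)


def build_sample_site(base):
    """Constructed sample tree for the demo; none of this is real data."""
    base = Path(base)
    files = {
        "index.php": "<?php // legitimate WordPress entry point\n",
        "wp-content/uploads/2021/01/photo.jpg": "not really a jpeg\n",
        # An unexpected script in the media directory (placeholder body).
        "wp-content/uploads/2021/01/go.php": "<?php // unexpected script\n",
        # A plaintext stash of harvested logins next to it.
        "wp-content/uploads/2021/01/log.txt": (
            "alice@example.com:Winter2021!\n"
            "bob@example.com:P@ssw0rd\n"
            "carol@example.com:hunter2\n"
        ),
        # Negative case: an email address alone is not a credential line.
        "wp-content/themes/twentytwenty/readme.txt": (
            "Twenty Twenty theme\ncontact: dev@example.com\n"
        ),
    }
    for rel, body in files.items():
        target = base / rel
        target.parent.mkdir(parents=True, exist_ok=True)
        target.write_text(body, encoding="utf-8")
    return base


def demo():
    """Build the constructed site in a temp dir and scan it."""
    return scan_web_root(build_sample_site(tempfile.mkdtemp()))


if __name__ == "__main__":
    for rel_path, reason in demo():
        print(f"{reason:16} {rel_path}")
```

Run it against a real document root with `scan_web_root("/var/www/html")`; a hit of either kind is worth treating as a compromised install rather than a stray file, since a harvester script and its output usually appear together.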

Sure, it's a rather big "if", but it goes to show that once a credential is compromised, you have no idea who has access to it, nor how it will be used to further cybercriminal activity.

The way to avoid such situations is to teach users, through Security Awareness Training, how to identify phishing attacks that use brand impersonation (such as Microsoft) to trick victims into giving up credentials in the first place.
