From 157ca7412be9a81615918a31c663e936dc311af5 Mon Sep 17 00:00:00 2001
From: SmallParty <serena@divd.nl>
Date: Tue, 19 Nov 2024 15:48:43 +0100
Subject: [PATCH] =?UTF-8?q?Update=20Articles=20=E2=80=9Csecuring-the-digit?=
 =?UTF-8?q?al-world-no-we-don-t-steal-credentials=E2=80=9D?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

---
 ...-world-no-we-don-t-steal-credentials.en.md | 40 +++++++++++++------
 1 file changed, 27 insertions(+), 13 deletions(-)

diff --git a/content/newsroom/articles/securing-the-digital-world-no-we-don-t-steal-credentials.en.md b/content/newsroom/articles/securing-the-digital-world-no-we-don-t-steal-credentials.en.md
index 5656cc02..e3323e44 100644
--- a/content/newsroom/articles/securing-the-digital-world-no-we-don-t-steal-credentials.en.md
+++ b/content/newsroom/articles/securing-the-digital-world-no-we-don-t-steal-credentials.en.md
@@ -1,6 +1,6 @@
 ---
 title: "Leaked credentials: What we do to keep you safe"
-date: 2024-11-19T15:26:00+01:00
+date: 2024-11-19T15:48:00+01:00
 author: []
 tag: news
 intro: On our website, you might have found a page called ‘how we deal with leaked credentials’ or spotted the case ‘DIVD-2020-00013 Leaked phishing credentials’. Does this mean that our volunteers send out phishing emails and leak the obtained credentials of innocent victims? Of course not!
@@ -12,40 +12,54 @@ faq: null
 ---
 **Nov 19, 2024** by [Serena de Pater](https://www.divd.nl/who-we-are/team/people/serena-de-pater/)
 
+### What are leaked credentials?
+
+Leaked credentials refer to compromised usernames and passwords that are inadvertently or maliciously exposed to unauthorized individuals. These credentials are typically obtained through methods such as malware, phishing, or hacking. Once compromised, they are sold, traded, or exchanged on a large scale, making them readily available to cybercriminals.
+
+The problem of leaked credentials is rapidly increasing. These compromised combinations allow cybercriminals to bypass advanced technical defenses. Leaked credentials can be compared to an envelope with an address on it, containing a key to the front door. Since many people reuse their username and password combinations across different accounts, this can lead to widespread breaches. Without multi-factor authentication (MFA) during login processes, a single leaked credential set may grant cybercriminals access to your home, business, or sensitive data.
+
 ### Do we leak credentials?
 
-No, we don’t leak credentials. Our goal is to make the digital world safer by reporting vulnerabilities we discover in digital systems to those who can address them. We do this by identifying new zero-day vulnerabilities, scanning for known CVEs, and, thanks to our extensive network and strong connections in the cybersecurity community, acting on tips from our peers when necessary. Occasionally, we receive tips about so-called leaked credentials. One example of such a case is [DIVD-2020-00013](https://csirt.divd.nl/cases/DIVD-2020-00013/). 
+No, we don’t leak credentials. Our mission is to make the digital world safer by reporting vulnerabilities we discover in digital systems to those who can address them. We do this by identifying new zero-day vulnerabilities, scanning for known CVEs, and, thanks to our extensive network and strong connections in the cybersecurity community, acting on tips from our peers when necessary. Occasionally, we receive tips about so-called leaked credentials. One example of such a case is [DIVD-2020-00013](https://csirt.divd.nl/cases/DIVD-2020-00013/), which involved a phishing campaign impersonating the videoconferencing platform Zoom.
 
 {{< callout type="info" >}}
 
 ### Our first case of leaked credentials
 
-At the end of November 2021, cybercriminals were involved in a phishing campaign where they impersonated the videoconferencing platform Zoom. If a victim fell for this scam and entered their personal credentials, those credentials got stolen by criminals. 
+At the end of November 2021, cybercriminals engaged in a phishing campaign posing as Zoom. If a victim fell for this scam and entered their personal credentials, those credentials got compromised.
 
-While researching this phishing campaign, a researcher from a partner organization discovered that the phishing infrastructure accidentally leaked the illegally captured usernames and passwords, because they were stored in improperly secured directories. This way, not only the cybercriminals had access to the credentials, but they were accessible to the public as well. The leaked credentials were downloaded from the internet. After connecting and collaborating with our partners, our CSIRT received the Dutch part (386 credentials) of the harvested credentials, so that we could inform potential victims. 
+While investigating this phishing campaign, a partner organization discovered that the compromised usernames and passwords were stored in improperly secured directories, unintentionally exposing them to public access. This meant that not only the criminals but anyone could access the credentials. The leaked credentials were downloaded from the internet. After connecting and collaborating with our partners, our CSIRT received the Dutch part (386 accounts) of the harvested credentials, so that we could inform potential victims. 
 
 {{< /callout >}}
 
+### How do we get leaked credentials?
+
+Leaked credentials come into our possession through trusted sources, such as tips from partners in the cybersecurity community, or as part of investigations into specific incidents. For example, in phishing campaigns, the infrastructure used by cybercriminals may inadvertently expose compromised credentials, allowing researchers to recover them.
+
 ### What do we do with leaked credentials?
 
-When a breach involves a relatively small number of accounts (approximately fewer than two million email addresses), we inform the affected individuals [directly](https://www.divd.nl/warningemail/). For larger breaches, we create two types of data summaries or ‘extracts’.
+Our priority is to ensure the data is handled responsibly, minimizing harm while protecting individual privacy. When a breach involves a small number of accounts (fewer than two million), we [directly inform affected individuals](https://www.divd.nl/warningemail/). 
 
-- Email Domain Summary – Lists main email domains (like "example.com") and the count of unique email/password combinations for each.
-- URL Domain Summary – Lists main domains from URLs tied to passwords and the count of unique email addresses for each. Only if the breach data includes website addresses (URLs) tied to the passwords.
+For larger breaches, we create two types of summaries:
 
-We then share these summaries with relevant organizations, such as national CERTs (Computer Emergency Response Teams), CSIRTs (Computer Security Incident Response Teams), and security teams. These organizations can identify the domains relevant to them and request specific data for those domains, enabling them to inform the affected victims.
+- **Email Domain Summary** – Lists main email domains (like "example.com") and the count of unique email/password combinations for each.
+- **URL Domain Summary** – Lists main domains from URLs tied to passwords and the count of unique email addresses for each. Only if the breach data includes website addresses (URLs) tied to the passwords.
 
-Needless to say, we don’t send leaked passwords in plain text to our partners. All traffic is encrypted, and the passwords are masked before sending. For example, for passwords that contain 10 characters or more, we only send the first two and last two characters and replace all other characters with an asterisk. To address ethical concerns about sharing PII with governments from countries with poor human rights records, we will only provide data to government organizations in countries that score above 4 on the most recent [Human Rights Index](https://ourworldindata.org/grapher/human-rights-index-vdem).
+We share these summaries with relevant organizations like national CERTs, CSIRTs, or corporate security teams. These teams can identify affected domains and request specific data to inform victims.
 
-### Why our work matters
+To protect privacy, we never send plain-text passwords. All traffic is encrypted, and the passwords are masked before sending. For example, for passwords that contain 10 characters or more, we only send the first two and last two characters and replace all other characters with an asterisk.  To address ethical concerns about sharing PII with governments from countries with poor human rights records, we will only provide data to government organizations in countries that score above 4 on the most recent [Human Rights Index](https://ourworldindata.org/grapher/human-rights-index-vdem).
 
-The problem of leaked credentials is rapidly increasing. Usernames and passwords are often stolen through methods such as malware, phishing, or hacking. Once obtained, these stolen credentials are sold, traded, and exchanged on a large scale. Cybercriminals who acquire a set of usernames and passwords no longer need advanced technical skills to infiltrate a company or an individual's account. Leaked credentials can be compared to an envelope with an address on it, inside of which is a key to the front door. And unlike physical keys, passwords often work on multiple doors because people have the habit of reusing username and password combinations. If multi-factor authentication (MFA) is not enabled during the login process, this is all the criminals need to access your home, your company, and your sensitive data.
+### How do we keep sharing of leaked credentials safe?
 
-As volunteers, we have taken it upon ourselves to inform victims of cybercrime—not only those with vulnerable systems but also those whose credentials have been leaked online. Would you like to read more about how we deal with leaked credentials? Please visit our [CSIRT Page](https://csirt.divd.nl/credentials/). 
+We strictly follow ethical and privacy guidelines to ensure that the sharing of leaked credentials is conducted safely. By encrypting all communications, masking sensitive data, and limiting access to trustworthy organizations, we protect victims’ information while enabling them to take action.
+
+We are also mindful of human rights concerns. When working with government entities, we ensure that only those in countries with strong human rights records receive access to sensitive data.
 
 ### Are leaked credentials a security vulnerability?
 
-Yes, leaked credentials can be considered an example of a cybersecurity vulnerability. Both leaked credentials and vulnerabilities (CVE’s) can be exploited by cybercriminals. A leaked credential set often leads to security breaches or attacks, just as an unpatched vulnerability can be exploited to gain unauthorized access or cause damage.
+Yes, leaked credentials represent a significant cybersecurity vulnerability. Like unpatched software vulnerabilities (CVEs), leaked credentials can be exploited by criminals. These breaches often lead to unauthorized access, data theft, or other forms of cyberattacks.
+
+As volunteers, we have taken it upon ourselves to inform victims of cybercrime—not only those with vulnerable systems but also those whose credentials have been leaked online. Would you like to read more about how we deal with leaked credentials? Please visit our [CSIRT Page](https://csirt.divd.nl/credentials/). 
 
 ### Cases involving leaked credentials