How initial access brokers (IABs) sell your users’ credentials
Even if you haven’t looked into the methods of initial access brokers (IABs), you've almost certainly read about their handiwork in recent cyberattacks. These specialized cybercriminals break into corporate networks and sell the stolen access to other attackers. Think of them as locksmiths for hire: they defeat the locks and sell the "keys" to ransomware groups and other criminals, who then launch their own attacks.
To understand how IABs operate, consider a recent incident targeting Amazon Web Services (AWS) customers. The attackers systematically scanned for misconfigured and vulnerable customer applications hosted on AWS (not AWS itself), stealing over two terabytes of sensitive data, including thousands of credentials, from AWS access keys to database logins.
True to the IAB business model, they sold this stolen access through private Telegram channels, allowing other criminals to target the compromised organizations.
So how can your business protect itself against IABs? Here’s what you need to know about how IABs operate, why they prize user credentials above other digital assets, and the steps you can take to fortify your organization’s defenses.
How IABs run their criminal enterprises
IABs run their operations like legitimate businesses, complete with customer service teams, tiered pricing models, and money-back guarantees if their stolen access doesn't work. And they have something for everyone on the dark web. For small-scale criminals who have funds but lack technical expertise, IABs provide an entry point to high-value corporate targets they could never breach independently.
For more sophisticated attackers, particularly ransomware groups, IABs offer a valuable efficiency boost — instead of wasting weeks trying to break in, they simply buy guaranteed access and immediately begin deploying malware or stealing data.
The result is a more efficient criminal supply chain: IABs handle the heavy lifting of infiltrating the network, while their customers concentrate on monetizing that access with their own attacks.
One-stop shopping
IABs provide cybercriminals with one-stop shopping for their nefarious deeds, hawking everything from basic VPN credentials and remote desktop access to powerful admin accounts and cloud service tokens.
Their sales listings typically include detailed information about the victim organization — like annual revenue, industry sector, and number of employees — allowing buyers to hand-pick targets that best suit their goals.
A basic user account may sell for a few hundred dollars, while an email administrator’s credentials have been listed for as much as $140,000.
Why IABs love compromised credentials
Of all the types of access IABs sell, compromised credentials remain the most valuable commodity. Recent breaches at major companies demonstrate how devastating stolen credentials can be.
- In late 2024, New York regulators fined Geico $9.75 million over a 2021 credential-stuffing attack on its online quoting tool that exposed the data of 116,000 customers.
- Also in 2024, ADT suffered two credential-based breaches within two months: the first exposed 30,000 customer records on a hacking forum, and in the second, attackers used credentials stolen from a business partner to infiltrate its internal systems.
These incidents highlight that even companies with substantial cybersecurity budgets can fall victim to attacks that begin with compromised credentials.
The massive scale of credential compromise
The scale of credential compromise is staggering.
The 2024 IBM Cost of a Data Breach Report identified stolen or compromised credentials as one of the two most common initial attack vectors (alongside phishing) and the slowest to shut down, with these incidents taking an average of 292 days to identify and contain. The 2024 Verizon Data Breach Investigations Report found that stolen credentials were the initial way in for 24% of all breaches.
The role of threat intelligence solutions
So how can your organization keep its data and systems safe? One of the best ways is to use threat intelligence tools proactively to identify compromised credentials before attackers can use them. Modern threat intelligence platforms continuously monitor dark web markets, paste sites, and underground forums where credentials are traded.
If employee credentials appear in a new data dump or are offered for sale by an IAB, the platform alerts your security team, who can immediately force password resets, lock the affected accounts, revoke active sessions, and investigate for suspicious activity.
But monitoring alone isn't enough — your organization must create and enforce robust password policies that keep employees from using compromised credentials in the first place.
Consider implementing a specialized solution like Specops Password Policy, which actively checks your organization's Active Directory passwords against a continuously updated database of over 4 billion unique known compromised credentials.
The Specops database includes credentials found on the dark web by a human-led threat intelligence team.
By continuously scanning your Active Directory against this growing list of breached passwords, you add a layer of protection that prevents attackers from exploiting leaked credentials to infiltrate your network.
Reduce your IAB risk
While no solution can completely eliminate the threat from IABs, understanding how they operate and implementing strong credential protection measures can reduce your risk. Take a proactive approach, combining threat intelligence to know when your credentials have been exposed with robust password policies that prevent compromised credentials from being used.
By staying vigilant and maintaining a strong defense, your organization can reduce its vulnerability to credential-based attacks.
Compromised credentials are the easiest route into your organization: close it off today.
Try Specops Password Policy for free.
Sponsored and written by Specops Software.
source: BleepingComputer