What is a credentials breach?
Usernames and passwords help to protect access to sensitive information for your organization. If a username and corresponding password are no longer secret because they've been shared with an unauthorized party or exposed online, we refer to this incident as a "credentials breach." It is important to respond quickly if you suspect that credentials have been breached to prevent an attacker from getting into your organization's systems.
What do I need to do immediately?
At the minimum, to protect your organization, we recommend that you do the following:
- Disable Unnecessary Accounts – Look at the user list for the affected system and consider whether all of these users still need an active account. If they have left your organization, changed roles, or otherwise no longer require access, then consider deactivating their account.
- Reset Password – If there is a user who still requires an active account and you think their credentials may have been breached, then contact them to reset their password. Changing the password for this account means that attackers will no longer have valid credentials to get into the affected system.
What else can I do to protect my organization in the future?
To ensure that your organization is better protected against future attacks, we would also recommend that you do the following:
- Separate Accounts for Each User – Where possible, have a separate unique account for each user. Having one account with credentials shared between multiple people can increase the likelihood of a security incident.
- Enforce Password Expiration – Regularly changing passwords ensures that even if credentials are exposed, as in this situation, the window in which they can be misused is time-limited. We recommend that you have system-enforced password changes every 90 days.
- Disable Inactive Accounts – Consider automatically deactivating accounts that have been inactive for a certain period. This reduces the risk that attackers could use inactive or unmonitored accounts to gain access to systems.
- Add or Enforce Multifactor Authentication (MFA) – Consider adding multifactor authentication for systems that are accessible from the public Internet. This means a username, a password, and an additional piece of information (such as a code from a text message or a prompt from an app) will be required to log in. This makes it more difficult for attackers, because they cannot get into your system even if they have a valid username and password.
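The account review steps above (deactivating inactive or never-used accounts and enforcing the 90-day password age) can be turned into a repeatable check. The following is an added example, not part of the original guidance: it reads a constructed user-list export (the CSV columns and the 90-day inactivity threshold are assumptions) and flags candidates for an administrator to review.

```python
import csv
import io
from datetime import datetime, timedelta

# Constructed sample export from a hypothetical system's user list.
# Dates are ISO (YYYY-MM-DD); an empty last_login means the user never signed in.
SAMPLE_USER_EXPORT = """username,active,last_login,password_changed
alice,true,2024-05-28,2024-04-01
bob,true,2023-11-02,2023-10-15
carol,false,2024-01-10,2024-01-10
dave,true,,2024-02-01
erin,true,2024-05-30,2024-05-29
frank,true,2024-05-20,2024-02-01
"""

INACTIVE_DAYS = 90          # assumed policy: idle longer than this -> deactivate
PASSWORD_MAX_AGE_DAYS = 90  # rotation interval recommended on this page


def parse_date(value):
    """Parse an ISO date string; an empty field becomes None."""
    return datetime.strptime(value, "%Y-%m-%d") if value else None


def review_accounts(export_text, today_str,
                    inactive_days=INACTIVE_DAYS,
                    password_max_age_days=PASSWORD_MAX_AGE_DAYS):
    """Return (deactivate, reset_password) lists of usernames.

    deactivate:     active accounts never used or idle longer than inactive_days
    reset_password: remaining active accounts whose password is older than
                    password_max_age_days (or whose change date is unknown)
    """
    today = parse_date(today_str)
    deactivate, reset_password = [], []
    for row in csv.DictReader(io.StringIO(export_text)):
        if row["active"].strip().lower() != "true":
            continue  # already disabled; nothing further to do
        last_login = parse_date(row["last_login"])
        pw_changed = parse_date(row["password_changed"])
        if last_login is None or today - last_login > timedelta(days=inactive_days):
            deactivate.append(row["username"])
        elif pw_changed is None or today - pw_changed > timedelta(days=password_max_age_days):
            reset_password.append(row["username"])
    return deactivate, reset_password


if __name__ == "__main__":
    to_disable, to_reset = review_accounts(SAMPLE_USER_EXPORT, "2024-06-01")
    print("Candidates to deactivate:", to_disable)
    print("Candidates for password reset:", to_reset)
```

The output is a review list, not an automatic action: whether a flagged user still needs access is a decision for the account owner's manager or system owner.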
Who else should I notify?
Depending on the system and data affected, you might have certain legal and regulatory obligations. If you suspect that a credentials breach and/or data breach has occurred, then notify your cyber insurance provider and legal representative to get guidance on next steps.