In computing, a dump is a copy of raw data taken from one place and written to another; a credential dump, also called a password dump, applies that to login secrets. In a credential dump, the attacker compromises your device, extracts your credentials from the contents of its working memory (RAM), and uses them to either:
A) Access your device and private information whenever they like if they steal your device unlock password or administrator password.
B) Access your other accounts if they steal all of your account credentials.
C) Access and infect other devices connected to the same network, for example in preparation for a company-wide ransomware attack.
The “dumping” term comes from the attacker copying and then “dumping” the stolen credentials onto their own device. What are credentials? Credentials are usernames and passwords, or biometric elements used to log in and access online accounts.
In most large breaches, credentials are dumped. In 2021, a compilation of 8.4 billion stolen and leaked credentials – dubbed RockYou2021 – appeared on a hacker forum. The previous year, in 2020, a hacker sold 538 million Sina Weibo accounts on the dark web that included people’s real names, gender, location, and phone numbers.
If you're wondering how much stolen data sells for, check out our dark web case study, where we cover that in-depth.
When news breaks of a ransomware attack that has paralyzed an entire organization, malware has usually been used to spread the infection across the network. Credential dumping is often the first step in gaining access to computers so that the malware can be deployed from one machine to the next.
So yes, credential dumping, or credential stuffing, can affect you and your entire company network, acting as a precursor to paralyzing ransomware attacks, identity fraud, and theft.
The hacker could also steal a file from your computer's disk called the security account manager, or SAM, which contains a list of hashed passwords. If the hashing is weak or your passwords are too simple, they could be cracked individually.
Some hackers use you as a pawn to get “more valuable” credentials.
Operating systems rarely have security layers that protect main memory at all times. Because credentials held there are unencrypted, in plaintext, they can be read and stolen if your device is infected with malware or spyware.
Mimikatz is a tool that dumps passwords, as well as hashes and PINs, from memory. Used by both penetration testers and malware creators, Mimikatz was a key player in the infamous attack on the NSA in 2017.
Mimikatz was invented by a researcher to better understand Windows security. Until Windows 10, Windows by default used a feature called WDigest that loads encrypted passwords into memory, but it also loaded the secret key needed to decrypt them. This feature is useful for authenticating large numbers of users on a company network, for instance. But it also lets Mimikatz exploit the feature by dumping those credentials from memory.
Permission to access: system administrators should limit the number of users with administrative privileges to help prevent the theft of valuable credentials.
Remote admin login: administrators should never log in to a device that they suspect might be hacked or infected with malware. And organizations should never use the same admin password across an enterprise.
2FA: If your passwords have been stolen, the attacker will have a hard time using them if they have to bypass 2FA. Obviously strong passwords should be your very first line of defense.
Encrypt, encrypt, encrypt: Developers should encrypt data in memory to try to limit attacks on main memory. Developers should also clear the memory locations of sensitive data once they are no longer needed, to limit what an attack on system memory can recover.
Don’t be a victim: Always scan your devices for spyware and malware. One of the ways you can expose your device to a malware infection is by clicking on malware-riddled pop-up ads on suspicious websites. If you use the NordVPN app, the Threat Protection feature will block suspicious and malicious websites.
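As an added example for the advice above about clearing the memory locations of sensitive data (written for this page, not code from the original post or from any product it mentions): a C routine that wipes a password buffer in a way the compiler cannot optimize away, beside a toy credential check that uses it. The names secure_zero, memory_contains, check_and_scrub, the sample password and the FNV-1a placeholder digest are my own, and the inline asm barrier assumes GCC or Clang.

```c
#include <stdint.h>
#include <string.h>

/* Zero a buffer in a way the compiler cannot drop as a "dead store": a
 * plain memset() on memory that is never read again may be optimized
 * away, leaving the secret in RAM for a memory dump to pick up. */
void secure_zero(void *p, size_t n) {
    volatile unsigned char *vp = (volatile unsigned char *)p;
    while (n--) *vp++ = 0;
    __asm__ __volatile__("" : : "r"(p) : "memory"); /* GCC/Clang barrier */
}

/* Return 1 if `needle` occurs anywhere in `hay`: a crude stand-in for
 * an attacker searching a memory dump for a known string. */
int memory_contains(const unsigned char *hay, size_t n,
                    const unsigned char *needle, size_t m) {
    if (m == 0 || m > n) return 0;
    for (size_t i = 0; i + m <= n; i++) {
        if (memcmp(hay + i, needle, m) == 0) return 1;
    }
    return 0;
}

/* Toy check: copy the password into a working buffer, derive a 32-bit
 * FNV-1a digest (placeholder for a real password hash), then scrub the
 * buffer. `scratch` is caller-supplied so leftovers can be inspected. */
uint32_t check_and_scrub(const char *password, unsigned char *scratch,
                         size_t scratch_len) {
    size_t len = strlen(password);
    if (len > scratch_len) len = scratch_len;
    memcpy(scratch, password, len);
    uint32_t h = 2166136261u;
    for (size_t i = 0; i < len; i++) {
        h ^= scratch[i];
        h *= 16777619u;
    }
    secure_zero(scratch, scratch_len);
    return h;
}

/* Return 1 if scrubbing removed every trace of the constructed password. */
int scrub_demo(void) {
    static const char pw[] = "constructed-example-pw"; /* constructed */
    unsigned char scratch[64];
    check_and_scrub(pw, scratch, sizeof scratch);
    for (size_t i = 0; i < sizeof scratch; i++) {
        if (scratch[i] != 0) return 0;
    }
    return !memory_contains(scratch, sizeof scratch,
                            (const unsigned char *)pw, sizeof pw - 1);
}
```

Build with -O2 to compare: a trailing memset() on scratch may be removed as a dead store, while the volatile loop in secure_zero is kept.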