What Is Credential Harvesting?

Bart Lenaerts-Bergmans - July 19, 2023

Credential Harvesting Definition

Credential harvesting is a cyberattack technique where cybercriminals gather user credentials — such as user IDs, email addresses, passwords, and other login information — en masse. The hacker can then use the credentials to access systems and gather data or other sensitive information, sell or share them on the dark web, and/or advance a more sophisticated attack.

How does credential harvesting work?

Most commonly, a credential harvester — the mechanism hackers use to gather login information — is installed as a malicious extension to a website or application. Once in place, the harvester records any information users enter during the login process.

Because credential harvesters record all logins indiscriminately, cybercriminals can create a stockpile of usernames and passwords. This poses a significant threat to organizations and individuals alike, since people commonly reuse passwords across many different accounts, sometimes for years at a time.

If a cybercriminal has access to one or more compromised passwords an individual used in the past, that credential provides them with an excellent starting point to guess their login information for other sites or systems. Ultimately, the criminal’s goal is to access sensitive information (such as bank account details or health records) and/or corporate networks, databases, systems, or programs used as part of the target’s job.

Common techniques used in credential harvesting attacks

Credential harvesting is typically carried out in conjunction with another cyberattack technique. Some of the most frequent attack methods include the following:

  • Malware: Malware is one of the most common ways credential harvesting attacks occur. In these attacks, a cybercriminal will often send a mass email that contains an infected attachment. Once downloaded, the file will deploy malware on the machines of unsuspecting users to automatically capture and record their login credentials.
  • Phishing: Phishing attacks often abuse trust in popular brands to trick victims into giving up their credentials. In large-scale credential harvesting attacks, the criminal will typically send a mass email that lures recipients into visiting a malicious website where they enter their credentials. As in malware attacks, the credential harvester captures and saves this information.
  • Domain spoofing: Domain spoofing is a form of phishing where an attacker impersonates a known business or person with a fake website or email domain to fool people into trusting them. The domain may appear to be legitimate at first glance, but a closer look will reveal that a W is actually two Vs or a lowercase L is actually a capital I. (The practice of deliberately misspelling and registering a malicious website that capitalizes on misdirected web traffic is sometimes referred to as typosquatting.) The credential harvester installed in the spoofed site will then save information shared by users who are tricked into interacting with the site or app.
  • Man-in-the-Middle (MitM) attacks: Man-in-the-Middle attacks occur when a threat actor is able to intercept and relay communications between two parties that believe they are communicating with each other. MitM attacks allow attackers to steal credentials and other sensitive information relayed between the two parties and let them eavesdrop on all communication, enabling them to mine for more information.

Learn More

Read this article to stay on top of the most common types of cyberattacks and learn how to stay protected from them. Most Common Types of Cyberattacks

The risk of credential harvesting

Having a user’s real credentials is extremely valuable to hackers because it allows these actors to impersonate the account owner and appear as someone who has legitimate access, such as an employee, contractor, service account, or third-party supplier. Because the attacker looks like a legitimate user, this type of attack is challenging for traditional security defenses to detect.

And because so many people share credentials across many accounts, it is possible that the hacker can use a stolen email address and password from one application or account to unlock access to more sensitive systems, databases, or programs.

Having access to real system credentials allows sophisticated threat actors to establish a foothold within the organization. Once inside, these individuals can attempt to move laterally or escalate privileges. They can also download, encrypt, or alter data or other sensitive information.

Finally, once hackers have access to legitimate credentials, they can lay the groundwork for larger, more advanced attacks or set up backdoors to ensure they continue to have access even if their initial point of entry is detected or expires.

Why is credential harvesting growing?

In the connected workplace, employees often rely on dozens of online accounts. It can be difficult for users to keep track of login credentials to all accounts. This difficulty increases the likelihood people will cut corners on cybersecurity, leaving themselves and their companies vulnerable to a cyberattack.

As more organizations have been leveraging single sign-on (SSO) technology to enable a remote workforce and reduce friction within the user experience, attackers have come to recognize the inherent vulnerability of stored passwords and user credentials.

Identity-based attacks where adversaries pose as legitimate users are particularly difficult to detect because most traditional cybersecurity solutions cannot differentiate between a real user and an attacker masquerading as one.

Protecting against credential-based attacks is critical because this technique often serves as a gateway to other, more serious security issues, such as data breaches, identity theft, and malware or ransomware attacks.

2024 CrowdStrike Global Threat Report

The 2024 Global Threat Report unveils an alarming rise in covert activity and a cyber threat landscape dominated by stealth. Data theft, cloud breaches, and malware-free attacks are on the rise. Read about how adversaries continue to adapt despite advancements in detection technology.

Download Now

How to prevent credential harvesting attacks

Because credential-based attacks target individuals, the best line of defense against these techniques is an informed and engaged workforce. Organizations should take steps to educate their employees on the tell-tale signs of credential attacks, how to protect themselves, and what to do if they suspect they have encountered a credential attack.

 Steps individuals can take to withstand credential attacks

 1. Use strong, unique passwords.

Strong passwords are more difficult for attackers to crack. Unique passwords limit damage in the event a password is compromised. Employees should change passwords regularly and never recycle old passwords. Rather than writing down passwords or saving them in a file, people should consider using a password storage tool from a reputable service provider to help them use complex passwords and protect against compromise.

 2. Never open attachments from unknown users or click links from suspicious sources.

Cybercriminals often use urgency or fear to prompt people to open attachments or click links. Whenever you receive a message that seems unfamiliar or suspicious, read it carefully and calmly before taking action. Rather than clicking on links or files in the message, open a new browser and log in to your account manually to see if you have received the same message via an official channel.

3. Use an up-to-date browser and software.

Regardless of your system or browser, make sure you are always using the latest version. Pay attention to system messages and alerts that urge the user to update the system, particularly if the message indicates that the update will patch known security issues.

 4. Never reply to spam.

Responding to phishing emails lets cybercriminals know that your address is active. They will then put your address at the top of their priority lists and retarget you immediately.

5. Avoid public Wi-Fi connections or unsecure networks.

Public networks are often used by cybercriminals for MitM attacks and other cyberattacks. When using these networks, it is possible that a hacker can eavesdrop on all communication and steal information relayed during the session, such as login credentials.

Steps organizations can take to strengthen security defenses

Companies should also take steps at the corporate level to ensure they are protecting their business, customers, and assets from credential harvesting and other cyberattacks.

1. Conduct regular, robust security awareness training.

Knowledge is power. By training users to recognize credential attacks and the social engineering, phishing, and malware techniques associated with them, organizations can turn their employees into a critical layer of defense for their IT environment. For more information on how to develop and implement a cybersecurity training program, please read our related post here.

2. Enable and require multi-factor authentication (MFA).

MFA requires users to present two or more pieces of evidence to verify and authenticate their identity before they are granted the access they are requesting. MFA techniques raise the barrier to entry for attackers by preventing them from compromising applications and systems with a single password.

3. Use a cloud infrastructure entitlement management (CIEM) solution.

CIEM solutions help enterprises manage entitlements across their cloud infrastructure resources. The primary goal of tools like CrowdStrike Falcon® Cloud Security, which includes CIEM capabilities, is to mitigate the risk that comes from the unintentional and unchecked granting of excessive permissions to cloud resources. By removing unnecessary privileges, organizations can reduce the threat posed by a compromised account.

4. Properly scope permissions across users and machines.

It is critical for organizations to understand the privileged access that users and devices have. Accounts that can be used to access sensitive systems, data, and applications must be tightly managed to meet the security and compliance mandates of the modern enterprise.

5. Add proactive threat hunting.

True proactive threat hunting enable 24/7 hunting for unknown and stealthy attacks that utilize stolen credentials and are conducted under the guise of legitimate users. These are the types of attacks standard measures can miss. Employing the expertise gained from daily “hand-to-hand combat” with sophisticated advanced persistent threat (APT) actors, the Falcon Counter Adversary Operations team finds and tracks millions of subtle hunting leads daily to validate if they are legitimate or malicious, alerting customers when necessary.

Learn More

Stay vigilant with the industry’s only unified threat intelligence and hunting team that delivers 24/7 hunting, automated investigations, and expert insights to enable organizations to outpace the adversary.CrowdStrike Falcon® Counter Adversary Operations


Bart is Senior Product Marketing Manager of Threat Intelligence at CrowdStrike and holds +20 years of experience in threat monitoring, detection and intelligence. After starting his career as a network security operations analyst at a Belgian financial organization, Bart moved to the US East Coast to join multiple cybersecurity companies including 3Com/Tippingpoint, RSA Security, Symantec, McAfee, Venafi and FireEye-Mandiant, holding both product management, as well as product marketing roles.