stolen credentials (3)

Recently, security researchers uncovered close to 4,000 unique secrets inside nearly 3,000 PyPI packages (https://pypi.org) and say that more than 760 of these secrets were found to be valid.  Overall, the researchers identified 151 individual types of secrets, including AWS, Azure AD, GitHub, Dropbox, and Auth0 keys, credentials for MongoDB, MySQL, and PostgreSQL, and SSH, Coinbase, and Twilio Master credentials.

Valid credentials pose a critical and immediate threat to organizations, as

The US Federal Bureau of Investigation (FBI) has issued a Private Industry Notification warning of malicious cyber actors using proxies and configurations for credential stuffing attacks on organizations within the United States.

See:  https://www.ic3.gov/Media/News/2022/220818.pdf

Credential stuffing is a form of brute force attack and shares many of the same commonalities; it exploits leaked user credentials, or ones purchased on the Dark Web, and takes advantage of the fact that many individua

The volume of breach data, or exposed user credentials, has significantly increased in recent years.  The recent CompilationOfManyBreaches (COMB) breach was discovered in February 2021 and contains more than 3 billion unique sets of stolen user credentials.  The name of the breach file is accurate in that it contains breach data from numerous historical and recent data breaches all combined into one dataset.

While the risk associated with historical passwords is lower, users often re-use passwor