User credentials such as email addresses and passwords are often reused across third-party sites. These poor password hygiene practices can amplify the consequences of a data breach, often resulting in “zombie password” attacks. While some data types become “stale” or less actionable over time, usernames and passwords retain value months and years after the initial compromise due to widespread lax password practices.

Threat actors commonly use stolen credentials to gain unauthorized access to victims’ social media accounts, email accounts, financial accounts, VPNs, remote desktop access services, business applica- tions, and other sensitive information. Threats to both individuals and organizations stemming from zombie password attacks vary based on actors’ motivations, but often include:

• Reputational damage
• Fraudulent financial schemes • Espionage
• Loss of sensitive data
• Physical security threats