While most Australians are enjoying festive celebrations, cybercriminals are hard at work testing billions of stolen usernames and passwords. Credential stuffing and brute-force attacks are relentless, automated campaigns designed to exploit weak or reused passwords. Executives and privileged users are particularly at risk during the Christmas period, when travel and remote logins increase. Attackers know that a single compromised account can provide access to sensitive business data or even allow them to bypass other defences. This ‘credential coal’ in the corporate stocking is one surprise every executive should avoid.
Credential stuffing leverages large databases of username-password pairs obtained from previous data breaches. Attackers use automated tools to test these credentials across multiple websites and cloud services, exploiting password reuse. Brute-force attacks, meanwhile, systematically attempt combinations of common passwords or patterns until access is achieved. Once an account is compromised, attackers can pivot to internal systems, escalate privileges, or launch further phishing campaigns.
The threat is magnified for executives, whose accounts often have broad system access or contain high-value information. Remote logins, mobile access and personal email forwarding rules provide multiple potential entry points. Holiday periods offer attackers the perfect storm: fewer staff to monitor logs, slower response times and executives using unfamiliar devices while travelling.
In recent years, several Australian organisations have reported credential-based breaches linked to password reuse. In FY2024–25, cybercriminals continued their aggressive campaign of credential theft, purchasing stolen usernames and passwords from the dark web to access personal email, social media or financial accounts.
During the last holiday period, a new brute-force attack campaign leveraging the FastHTTP Go library was identified. This high-speed attack targeted Microsoft 365 accounts globally, aiming to gain unauthorised access through brute-force login attempts and spamming multi-factor authentication (MFA) requests. Campaigns like these use credential lists purchased on dark web forums, with many successful intrusions traced to reused or weak passwords.
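The patterns described above can be told apart in sign-in logs. The following is an added example, not code from the original article or from any vendor: it labels each source address as credential stuffing, brute force, MFA request spam or a fasthttp client. The event tuple layout, the thresholds and the substring match on the user agent are assumptions, and the sample events are constructed.

```python
from collections import defaultdict

# Constructed sample events, not real logs: (source_ip, username, user_agent, result).
# result is "fail" (wrong password), "mfa_prompt" (password accepted, MFA request sent)
# or "success". IPs are from documentation ranges.
SAMPLE_EVENTS = (
    [("203.0.113.10", f"user{i}@example.com", "fasthttp", "fail") for i in range(6)]
    + [("198.51.100.7", "ceo@example.com", "Mozilla/5.0", "fail")] * 8
    + [("192.0.2.44", "cfo@example.com", "fasthttp", "mfa_prompt")] * 4
    + [("192.0.2.99", "staff@example.com", "Mozilla/5.0", "fail"),
       ("192.0.2.99", "staff@example.com", "Mozilla/5.0", "success")]
)


def classify_sources(events, min_failures=5, mfa_threshold=3):
    """Return {source_ip: set of labels} for sources that look like an automated campaign."""
    by_ip = defaultdict(list)
    for ip, user, agent, result in events:
        by_ip[ip].append((user, agent, result))

    findings = {}
    for ip, rows in by_ip.items():
        labels = set()
        failed_users = [user for user, _, result in rows if result == "fail"]
        if len(failed_users) >= min_failures:
            # Stuffing tries each breached pair once, so most failures hit different
            # accounts; brute force repeats guesses against the same few accounts.
            spread = len(set(failed_users)) / len(failed_users)
            labels.add("credential_stuffing" if spread > 0.5 else "brute_force")
        # Assumption: the client identifies itself with "fasthttp" in its user agent.
        if any("fasthttp" in agent.lower() for _, agent, _ in rows):
            labels.add("fasthttp_user_agent")
        # Repeated MFA requests to one account from one source suggest MFA spamming.
        prompts = defaultdict(int)
        for user, _, result in rows:
            if result == "mfa_prompt":
                prompts[user] += 1
        if any(count >= mfa_threshold for count in prompts.values()):
            labels.add("mfa_spam")
        if labels:
            findings[ip] = labels
    return findings


if __name__ == "__main__":
    for ip, labels in sorted(classify_sources(SAMPLE_EVENTS).items()):
        print(ip, sorted(labels))
```

The single failed login followed by a success from 192.0.2.99 is left unlabelled, which is the behaviour wanted for an ordinary mistyped password.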
The Essential Eight framework mitigates credential attacks by addressing both prevention and detection layers:
Achieving maturity across these controls creates multiple layers of protection. Even if one control fails, others will prevent or limit the attack’s success.
By combining Essential Eight maturity with disciplined credential management, executives can turn their ‘credential coal’ into a shining example of Christmas cyber preparedness.