this post was submitted on 09 Oct 2024
The original post: /r/cybersecurity by /u/VLANtagonist on 2024-10-09 17:12:36.

When a bad actor engages in a credential stuffing attack against our customer portal, we can immediately tell (when they get to 2FA and fail) that the credentials are good. It’s an easy call to lock the account and reach out to the customer for a reset.

Where it gets dicier, from my perspective, is with dark web intel from our providers on supposed customer username/password combos. If we get a list of 600 names but have no basis for establishing the accuracy, it’s more difficult to justify enacting the same procedure, particularly since it’s entirely possible that the username/password combo is recycled from some other old source, has long since been changed, and may come up multiple times in these dumps.

One of our vendors allegedly tests customer credentials against breach dumps (although we’ve yet to see an instance of this occurring with our customers). With our internal users, we of course have no qualms about having pentesters going even so far as to brute force creds. But with customers, it has a different feel, even if we are just contemplating potentially trying to validate creds from our threat intelligence providers.

Has anyone else tested the validity of these creds? Do you just proceed as if they are valid?
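One defender-side way to answer the question the post raises, as an added example and not something from the poster or their vendors: instead of replaying leaked combos against the live login (which trips lockouts and looks exactly like the attack you are defending against), compare each leaked password offline against the hash the portal already stores for that user. Entries whose password still matches get a forced reset; entries that do not match are treated as stale or recycled; repeated combos are deduplicated. The PBKDF2 store, the user list and the dump lines below are constructed for the example (a real portal would verify against whatever hash format it already uses, e.g. bcrypt or Argon2).

```python
import hashlib
import hmac
import os

ITERATIONS = 50_000  # PBKDF2 work factor for the constructed store


def hash_password(password: str, salt: bytes) -> bytes:
    """PBKDF2-HMAC-SHA256 stand-in for the portal's real password hash."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)


def make_store(plaintext_users: dict) -> dict:
    """Fabricate a salted-hash store from plaintext; only used to build test data."""
    store = {}
    for user, password in plaintext_users.items():
        salt = os.urandom(16)
        store[user.lower()] = (salt, hash_password(password, salt))
    return store


def triage_dump(dump_lines, store):
    """Classify 'user:password' dump lines against current hashes, fully offline.

    Returns {'reset': [...], 'stale': [...], 'unknown': [...], 'duplicates': n}:
    reset   = leaked password still matches the stored hash (act now)
    stale   = user exists but the leaked password is no longer current
    unknown = no such account on this portal
    """
    seen = set()
    result = {"reset": [], "stale": [], "unknown": [], "duplicates": 0}
    for line in dump_lines:
        line = line.strip()
        if not line or ":" not in line:
            continue  # skip malformed lines rather than guessing a password
        user, _, password = line.partition(":")  # password may itself contain ':'
        user = user.lower()
        if (user, password) in seen:  # same combo recycled within the dump
            result["duplicates"] += 1
            continue
        seen.add((user, password))
        if user not in store:
            result["unknown"].append(user)
            continue
        salt, stored_hash = store[user]
        if hmac.compare_digest(hash_password(password, salt), stored_hash):
            result["reset"].append(user)
        else:
            result["stale"].append(user)
    return result


# Constructed sample data: two portal users and a four-line "intel" dump.
SAMPLE_USERS = {"alice@example.com": "Winter2023!", "bob@example.com": "correct-horse"}
SAMPLE_DUMP = [
    "alice@example.com:Winter2023!",   # still valid -> force reset
    "bob@example.com:hunter2",         # old/recycled password -> stale
    "Alice@example.com:Winter2023!",   # same combo, different case -> duplicate
    "carol@example.com:letmein",       # not a customer here -> unknown
]
STORE = make_store(SAMPLE_USERS)
```

Running `triage_dump(SAMPLE_DUMP, STORE)` yields one account to reset, one stale entry, one unknown user and one duplicate; only the "reset" bucket needs the lock-and-contact procedure described for confirmed stuffing hits.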
