Credential Harvesting
What is Credential Harvesting?
Credential Harvesting: The collection of usernames, passwords, tokens, and other authentication secrets at scale, usually for later account takeover or sale.
Credential harvesting is the systematic capture of authentication data (passwords, session tokens, MFA codes, API keys) through phishing pages, malicious browser extensions, infostealer malware, or breaches of poorly protected databases. Phishing kits increasingly run as adversary-in-the-middle proxies that relay the victim's password and one-time code to the real service as they are typed, so a TOTP or SMS code is captured as easily as the password; only credentials bound to the site's origin, such as FIDO2 passkeys, resist this. The stolen credentials are then validated by credential-stuffing scripts, used for account takeover, sold on criminal markets, or leveraged for follow-on intrusions such as business email compromise. Modern infostealers such as Lumma or RedLine harvest browser-stored credentials, cookies, crypto wallets, and authenticator seeds in seconds, and a stolen session cookie bypasses MFA entirely because the session it represents is already authenticated. Defences include phishing-resistant MFA (FIDO2, passkeys), unique passwords stored in a manager, conditional access policies, EDR against infostealers, and monitoring of leaked-credential feeds such as Have I Been Pwned.
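The relay behind example 01 and the reason the definition singles out FIDO2/passkeys, as an added example in Go that is not code from the original page: a simulated adversary-in-the-middle phishing page captures a password and TOTP code and replays them to the real service, which accepts them because nothing in a TOTP says where it was typed; the same relay against a passkey fails because the browser records the page origin inside the signed clientDataJSON. The relying party login.example.com, the phishing origin, the challenge string and the RFC 6238 test secret are assumptions of this example, and the WebAuthn assertion is simplified (ECDSA P-256 over rpIdHash || sha256(clientDataJSON), with flags and signature counter omitted).

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha1"
	"crypto/sha256"
	"encoding/binary"
	"encoding/json"
	"fmt"
	"time"
)

// Hypothetical relying party and attacker page; both names are assumptions of this example.
const (
	rpID        = "login.example.com"
	rpOrigin    = "https://login.example.com"
	phishOrigin = "https://login-example-com.evil.example"
)

// totp is RFC 6238 (HMAC-SHA1, 30 s step, 6 digits): the code depends only on the secret and the clock.
func totp(secret []byte, t time.Time) string {
	var msg [8]byte
	binary.BigEndian.PutUint64(msg[:], uint64(t.Unix()/30))
	mac := hmac.New(sha1.New, secret)
	mac.Write(msg[:])
	h := mac.Sum(nil)
	off := h[len(h)-1] & 0x0f
	return fmt.Sprintf("%06d", (binary.BigEndian.Uint32(h[off:off+4])&0x7fffffff)%1000000)
}

// verifyTOTP accepts the current step and one step either side, as most servers do.
func verifyTOTP(secret []byte, code string, now time.Time) (ok bool) {
	for _, skew := range []time.Duration{-30 * time.Second, 0, 30 * time.Second} {
		ok = ok || hmac.Equal([]byte(totp(secret, now.Add(skew))), []byte(code))
	}
	return ok
}

// phishRelayTOTP: the victim types password and code into the phishing page at t0 and the attacker forwards
// both to the real service 10 s later. Nothing ties a TOTP to the site it was typed into, so it is accepted.
func phishRelayTOTP(password string, secret []byte, t0 time.Time) bool {
	capturedPassword, capturedCode := password, totp(secret, t0) // what the phishing page logged
	return capturedPassword == password && verifyTOTP(secret, capturedCode, t0.Add(10*time.Second))
}

// authenticatorSign answers a challenge on the page at pageOrigin. The browser, not the page, writes origin
// into clientDataJSON, and the signature covers rpIdHash || sha256(clientDataJSON) (flags, counter omitted).
func authenticatorSign(priv *ecdsa.PrivateKey, challenge, pageOrigin string) ([]byte, []byte) {
	cd := []byte(fmt.Sprintf(`{"type":"webauthn.get","challenge":%q,"origin":%q}`, challenge, pageOrigin))
	rpHash, cdHash := sha256.Sum256([]byte(rpID)), sha256.Sum256(cd)
	digest := sha256.Sum256(append(rpHash[:], cdHash[:]...))
	sig, err := ecdsa.SignASN1(rand.Reader, priv, digest[:])
	if err != nil {
		panic(err)
	}
	return cd, sig
}

// verifyAssertion is the relying party's check; it returns the failure reason so the relay case is explicit.
func verifyAssertion(pub *ecdsa.PublicKey, issuedChallenge string, clientDataJSON, sig []byte) (bool, string) {
	var cd struct{ Type, Challenge, Origin string }
	if err := json.Unmarshal(clientDataJSON, &cd); err != nil {
		return false, "bad clientDataJSON"
	}
	if cd.Type != "webauthn.get" || cd.Challenge != issuedChallenge {
		return false, "challenge mismatch"
	}
	if cd.Origin != rpOrigin {
		return false, "origin mismatch: " + cd.Origin
	}
	rpHash, cdHash := sha256.Sum256([]byte(rpID)), sha256.Sum256(clientDataJSON)
	digest := sha256.Sum256(append(rpHash[:], cdHash[:]...))
	if !ecdsa.VerifyASN1(pub, digest[:], sig) {
		return false, "bad signature"
	}
	return true, "ok"
}

// passkeyLogin registers a fresh passkey and has it answer the RP's challenge on the page at pageOrigin.
// Called with phishOrigin it models the relay: the attacker proxies the real challenge and forwards the
// assertion, but the signed clientDataJSON names the phishing origin, so the RP rejects it.
func passkeyLogin(pageOrigin string) (bool, string) {
	priv, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader) // ES256, the usual passkey algorithm
	if err != nil {
		panic(err)
	}
	challenge := "constructed-challenge-1" // a real RP issues fresh random bytes per login
	cd, sig := authenticatorSign(priv, challenge, pageOrigin)
	return verifyAssertion(&priv.PublicKey, challenge, cd, sig)
}

func main() {
	fmt.Println("relayed password+TOTP accepted:", phishRelayTOTP("hunter2", []byte("12345678901234567890"), time.Now()))
	fmt.Println(passkeyLogin(phishOrigin))
}
```

In a real browser the relay fails a step earlier: the phishing page cannot even invoke a credential whose rpId is login.example.com, because the rpId must be a registrable suffix of the page's own domain. The origin check shown here is the relying party's backstop, and because the signature covers clientDataJSON, an attacker who edits the origin field after the fact only converts the rejection into a signature failure.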
● Examples
- 01
A phishing site mimicking Microsoft 365 sign-in to capture password and TOTP code.
- 02
RedLine infostealer exfiltrating saved browser credentials and session cookies to a C2 panel.
● Frequently asked questions
What is Credential Harvesting?
The collection of usernames, passwords, tokens, and other authentication secrets at scale, usually for later account takeover or sale. It belongs to the Identity & Access category of cybersecurity.
What does Credential Harvesting mean?
The collection of usernames, passwords, tokens, and other authentication secrets at scale, usually for later account takeover or sale.
How does Credential Harvesting work?
Attackers capture authentication data through phishing pages (increasingly adversary-in-the-middle proxies that relay the MFA code along with the password), malicious browser extensions, infostealer malware such as Lumma or RedLine, or breaches of poorly protected databases. They then validate the haul with credential-stuffing scripts and use or sell it for account takeover and follow-on intrusions such as business email compromise. See the full definition above for details.
How do you defend against Credential Harvesting?
Use phishing-resistant MFA (FIDO2 security keys or passkeys) rather than codes that can be relayed, enforce unique passwords from a password manager, apply conditional access policies, deploy EDR that detects infostealers, and check leaked-credential feeds such as Have I Been Pwned so exposed passwords are reset before they are replayed. Treat session cookies as credentials too: an infostealer that takes a cookie bypasses MFA, so revoke sessions when a host is compromised.
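One concrete form of the leaked-credential monitoring listed above, as an added example in Go that is not part of the original page: a k-anonymity check against Have I Been Pwned's Pwned Passwords range API, which takes the first five hex characters of the password's SHA-1 and returns every matching suffix with its breach count. The HTTPS call is replaced by a canned response so the code runs offline; the response body and its counts are constructed for this example, and the function names are this example's own.

```go
package main

import (
	"bufio"
	"crypto/sha1"
	"encoding/hex"
	"fmt"
	"strconv"
	"strings"
)

// rangeParts splits SHA-1(password) into the 5-hex-char prefix that goes to
// https://api.pwnedpasswords.com/range/<prefix> and the 35-char suffix that never leaves the client.
// The service answers with every suffix under that prefix, so it learns neither the password nor
// which of the returned hashes the caller cared about (k-anonymity).
func rangeParts(password string) (prefix, suffix string) {
	h := sha1.Sum([]byte(password))
	full := strings.ToUpper(hex.EncodeToString(h[:]))
	return full[:5], full[5:]
}

// countInRange scans a range response ("SUFFIX:COUNT" per line) for our suffix and returns its count,
// or 0 when absent. A listed suffix with count 0 is padding (sent when the client asks for Add-Padding)
// and therefore also means "not seen in a breach".
func countInRange(body, suffix string) (int, error) {
	sc := bufio.NewScanner(strings.NewReader(body))
	for sc.Scan() {
		line := strings.TrimSpace(sc.Text())
		if line == "" {
			continue
		}
		parts := strings.SplitN(line, ":", 2)
		if len(parts) != 2 {
			return 0, fmt.Errorf("malformed range line %q", line)
		}
		if strings.EqualFold(parts[0], suffix) {
			return strconv.Atoi(strings.TrimSpace(parts[1]))
		}
	}
	return 0, sc.Err()
}

// rejectIfPwned is the policy hook a signup or password-change handler calls. fetchRange stands in for
// the HTTPS GET so the check can run offline against a canned body.
func rejectIfPwned(password string, fetchRange func(prefix string) (string, error)) (bool, int, error) {
	prefix, suffix := rangeParts(password)
	body, err := fetchRange(prefix)
	if err != nil {
		return false, 0, err
	}
	count, err := countInRange(body, suffix)
	return count > 0, count, err
}

// sampleRangeBody is a constructed response for prefix 5BAA6 (SHA-1 of "password" begins 5BAA6).
// The counts and the other suffixes are made up; the live feed returns different lines.
const sampleRangeBody = `1D2DA4053E34E76F6576ED1DA63134B5E2A:2
1D72CD07550416C216D8AD296BF5C0AE8E0:10
1E4C9B93F3F0682250B6CF8331B7EE68FD8:3861493
1F2B668E8AABEF1C59E9EC6F82E3F3CD786:0
`

// sampleFetch returns the canned body for 5BAA6 and an empty range for any other prefix.
func sampleFetch(prefix string) (string, error) {
	if prefix == "5BAA6" {
		return sampleRangeBody, nil
	}
	return "", nil
}

func main() {
	for _, pw := range []string{"password", "correct horse battery staple"} {
		pwned, count, err := rejectIfPwned(pw, sampleFetch)
		fmt.Printf("%-32q pwned=%v count=%d err=%v\n", pw, pwned, count, err)
	}
}
```

Call it at signup and on every password change, and treat a non-zero count as a hard reject rather than a warning: anything in that feed is already in the lists that credential-stuffing scripts replay.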
What are other names for Credential Harvesting?
Common alternative names include: Credential theft, Password harvesting.
● Related terms
- attacks № 821: Phishing
A social-engineering attack in which an attacker impersonates a trusted party to trick a victim into revealing credentials, transferring money, or running malware.
- attacks № 232: Credential Stuffing
An automated attack that replays large lists of username/password pairs leaked from one service against other services, exploiting password reuse to take over accounts.
- attacks № 010: Account Takeover (ATO)
An attack in which a criminal gains unauthorised control of a legitimate user account and uses it to steal funds, data, or commit further fraud.
- identity-access № 793: Passkey
A phishing-resistant FIDO2/WebAuthn credential: a device-bound or syncable asymmetric key pair that replaces passwords with a cryptographic challenge-response.
● See also
- № 894: Quishing (QR Code Phishing)
- № 431: Formjacking
- № 1229: Web Skimmer / E-Skimming
- № 799: Password Reuse