All articles
Share

Credential Aggregation: How Attackers Lubricate the Social Engineering Machine

July 14, 2026
Environmental Scan
July 14, 2026
Jordan Schoenherr
Scientist
Title
SHARE
SHARE
SHARE

Identity verification was always imperfect

Vast quantities of PII have broken it; organizations need to identify new means to protect their people

The problem with the term ‘social engineering’ is that it is used as a catchall. When an attacker calls the help desk and knows your employee's manager's name, their projects, their department, and the last ticket they submitted, there is no need for deception. They have all the knowledge they need. Coupled with deepfakes that can accurately replicate someone’s voice and appearance, this represents a crisis for identity-based approaches to verification. When faced with this reality, organizations and governments need to consider whether a traditional Identity and Access Management (IAM) approach alone can survive an environment where the data it depends on is in permanent circulation.

This month, researchers discovered an exposed Elastic search cluster containing 24 billion records: usernames, email addresses, plaintext passwords, and login URLs, drawn from 36 sources including infostealer malware logs, Telegram channels, and breach compilations. 24 billion records were not developed by attackers to refine and accelerate their campaigns, but they could have been. The data set represents an aggregation of dozens of data sources maintained by a threat intelligence and breach monitoring platform. But it was exposed by a migration error.

This is the nature of a data marketplace: it is both a shield and a sword. Intentions create a line between defense and attack. Understanding what that market does is critical for adapting to the precision attacks that will result from the quantity and quality of this data.

What “Data is the New Oil” obscures

Data aggregation is a big business. People that claim that "data is the new oil" are coming close to a real insight, but the cliché obscures more than it reveals. The oil analogy implies a resource that is extracted, refined, and consumed, but ultimately depleted and nonrecoverable.

Stolen credentials do not work that way. A password used in one attack is not spent by that attack. It can be sold, compiled into a larger dataset, traded across criminal markets, and used again months or years later against the same or a different target. It can be used to infer how an individual constructs other passwords and predict what credentials are used elsewhere. The resource does not drain, it is infinitely generative. The 24 billion record cluster was still being updated in the weeks before its discovery, with breach news and vulnerability data added continuously. An aggregation like this does not age into irrelevance. It compounds.

The missing half of the analogy is that data is a lubricant. Lubricant does not power the machine, it reduces friction. Stolen credentials and personal information used in a social engineering campaign work the same way: along with OSINT, they provide the attacker with enough information to pass with imperfect organizational knowledge.

When an attacker references a real course number, deadline, or colleague's name, it feels familiar. Familiarity works as a cue to promote psychological safety and lowers the listener's guard. It signals that the caller is part of a designated group, and belonging is the goal of identity verification. The moment of uncertainty that would normally prompt a verification step doesn’t appear: nothing in the interaction feels unfamiliar. The more cues an attacker can provide, the more likely they cross the mental threshold of the defender.

This is critical for organizational defense. Providing training and behavioral nudges can help, but when the pretext is based on real data, help desk and service desk agents will default to compliance.

The Aggregation model is not new; it's just no longer legitimate

Data aggregation is decades old. Credit bureaus, data brokers, and marketing platforms have built data lakes, turning low-value data points into high-level patterns. Knowing that a Lee works for a company isn’t worth much. Knowing that the senior VP of marketing, who makes $450,000, lives at 347 Pleasant St. and is named Lee is the product the data broker is selling. This profile can be used alone to target Lee or to target people like him. AI can be used to make such predictions with very little data, achieving accuracy that exceeds that of co-workers.

Attacker credential markets operate on the same structural model. The 24 billion records discovered this month did not come from one breach. They came from 36 sources: infostealers running on infected devices, Telegram channels where logs are traded, prior breach compilations repackaged and redistributed. Each source contributes a layer. The value emerges from how and what information is pooled.

The value infostealers add is environmental context. A credential stolen from a browser by an infostealer contains the URL the credential was used on, the session cookies active at the time of infection, the device fingerprint, and often other credentials stored in the same browser profile. This is more than an account. It is a behavioral snapshot. An attacker who purchases an infostealer log is buying context and doesn’t need to build it themselves.

The help desk campaigns conducted by Scattered Spider and other threat groups are effective because the callers were informed. Persuasion doesn’t stem from general-purpose social cues of authority and urgency, it comes from factual familiarity. In a January 2026 campaign documented by Google's Threat Intelligence Group, and attributed to ShinyHunters, attackers impersonating IT staff called employees at targeted organizations, directed them to fake credential-harvesting sites, and used the captured SSO credentials and MFA codes to enroll their own devices into victims' MFA. No malware, no exploit code, just information converted into social cues and used at the right moment. OSINT, credential markets, and data purchases provide attackers with an ability to target attacks with a precision they could not otherwise achieve.

Figure 1. Each piece of personal information can appear to be unimportant. When aggregated across multiple context and platforms, it provides a critical way to profile individuals, helping attackers understand and predict individual and organizational behavior.

IAM Cannot Solve a Supply Problem

IAM assumes that identity verification is possible, that the shared secret or the registered device or the biometric is something only the legitimate user possesses. That assumption is under pressure from both ends. On the authentication side, infostealers can harvest session cookies and MFA tokens in real-time, bypassing controls at the layer beneath the authentication event. On the verification side, the volume of contextual data available to attackers means that knowledge-based challenges, manager names, employee IDs, last-four of SSN, recent account activity, do not assure verification.

Despite these concerns, MFA and IAM remain valuable investments. Organizations must acknowledge that other signals slip through the cracks. Each of these systems focuses on single dimensions of defense by design. The most effective attackers see the technical and human attack surfaces, and work over longer timescales. If we accept that identity is compromised when 24 billion or more records are in circulation and growing, the IAM threat model is no longer adequate as the primary line of organizational defense. Gartner now projects that by 2026, deepfake attacks on facial biometrics alone will lead 30% of enterprises to acknowledge that verification methods are no longer reliable on their own.

The days of context-independent authentication factors must come to an end. Defense must identify detection systems that reduce the weight of identity, and develop security procedures that hold even when identity is in doubt. To fill the gap that IAM leaves open, organizations must look to signals rooted in behavior: how people move, type, and interact, and how conversations deviate from established patterns.

Verification Without Identity

If stolen data has broken what a person knows as a proof of identity, defense has to move toward what a person does. Behavior is harder to steal than a credential because it is not stored anywhere an infostealer can reach.

Behavioral biometrics analyze how a person types, moves a mouse, holds a phone, and navigates a UI, also referred to as behavioral traces. These signals are difficult to replicate from a credential dataset because they are continuous and session-specific, not stored secrets. They are also harder to harvest via infostealer because they require active observation of a live session. The attack surface exists (adversary-in-the-browser can observe behavior), but it requires a level of targeted, real-time effort that is not currently scalable. Organizations should make use of these attacker limitations while they last.

Out-of-band, context-aware verification uses signals that cannot be derived from stolen credentials: physical location at time of request, device posture, network context, time-of-day patterns, and behavioral deviation from baseline. None of these individually is sufficient, but in combination they shift verification away from what the user knows toward how the user behaves in context. A stolen password says nothing about whether the person supplying it behaves like its owner.

The most mature technology available is User and Entity Behavior Analytics (UEBA), but it has its limitations. The core value is that it does not rely on identity claims. Instead, it evaluates whether the behavior pattern matches those established in earlier baselines. A help desk call that results in an MFA reset, a password change, and a new device registration within 20 minutes is anomalous regardless of whether the caller provided correct answers. By focusing on the procedural signature, UEBA avoids the need to verify identity claims.

Instead of verifying people, organizations should focus on procedures. Conversational AI can go beyond behavior to focus on the deeper meaning of human utterances and the broader context of social interaction. By examining deception and persuasion used in conversations and deviations from established security policies, defenders can detect an attack while it is happening rather than after the access is granted.

None of these approaches is free. Behavioral systems such as UEBA require a reliable baseline, and they can fail where baselines are most vulnerable. New hires, role changes, shifts to remote work, and high-turnover teams are all anomalies - at the time - to a system. This can lead to false positives at rates that can exhaust analysts that must act on them. Calibrating them without drowning a security team in noise is the harder problem. It requires a deep understand of people, social interactions, and organizational workflow.

What is feature engineering

In practice, feature engineering is both science and a bit of witchcraft. It often involves both iteration and experimentation to uncover hidden patterns and relationships within the data. For instance, a data scientist might transform raw sales data into features such as average purchase value, purchase frequency, or customer lifetime value, which can significantly boost the performance of a churn prediction model. By thoughtfully engineering features, practitioners can provide machine learning models with the most informative inputs, ultimately leading to better accuracy and more robust predictions.

What’s more?

  • Incorporate more and more data sources
  • Feature engineering platform

What is data engineering

As we mentioned above, feature engineering is certainly a subset of data engineering. It involves the ingestion of data from a source, applying a series of transformations, and making the final result available to be queried by a model for training purposes. You can construct feature engineering pipelines to resemble data engineering pipelines, having schedules, specific source and sink destinations, and availability for querying. However, this configuration would only really apply once you have surpassed the experimentation stage and determined a need for a consistent flow of new feature data.

What is feature engineering

Image description

1. Functions

Functionally, there is nothing to differentiate data vs features - data points (link). Where feature engineering and data engineering really differ is in the objectives and motivations for constructing the pipelines. In general, data engineering serves a broader, more unified purpose than feature engineering. Data engineering platforms are constructed to be flexible and universal, ingesting various types and sources of data into a unified storage location where any number of transformations and use cases can be applied. The intent of a well constructed fact table or gold layer in a data lake is to provide a single source of truth that answers many different questions, produces many reports, and can be consumed by many downstream customers.

2. Practise

And in practice, an organization’s data engineering team will be responsible for the curation and maintenance of all data pipelines, not just those that relate to machine learning. These pipelines may power BI dashboards used by C-Suite, auditing reports that feed payroll, or event logs that show a user’s history of actions within the application.

Feature engineering, on the other hand, serves a specific purpose, finding the tailored inputs and columns that will generate the best predictive results for a machine learning model. Data scientists and machine learning engineers are not tasked with developing a universal data model that will ingest all data points throughout an organization, they just need to select, curate, and clean the data needed to power their models.

3. Machine learning

Now, as machine learning teams grow and begin to incorporate more and more data sources into their models, their feature engineering platform may start to resemble a larger data engineering platform in the tools and methodologies they employ. But, the intent is not to establish flexible data models that can be used throughout the organization - it is simply to power their machine learning models.

Enter your contact info and we'll be in touch soon

Oops! Something went wrong while submitting the form.