
Companies Must Get Their Cybersecurity In Hand, Intruders May Be Watching.


Commentary: It is often the small things - unused credentials, exposed APIs - that give attackers the opening they need. This hits on something we all know but still tend to overlook. Just because a system is “unclassified” doesn’t mean it’s harmless. And with so much tied into digital supply chains now, a third-party misstep can take down core services, like we saw with M&S. The bigger issue? Credentials are everywhere, and they’re being reused, leaked, and sold on the dark web like commodities. It is not just about strong passwords anymore; it’s about knowing what’s already out there, what’s been exposed, and making sure security teams are watching those signals in real time. Threat intel and credential monitoring can’t be afterthoughts; they are frontline defense now.

For decades, China has been attempting to weaken critical foreign infrastructure and steal intelligence. The United States Treasury Department case, in which intruders gained access to government workstations and unclassified documents, reminds organizations how even guardians of our most sensitive data can be blindsided.

In the most recent attack, a hacker had secured access to a security key, which allowed the intruder to override certain security protocols and access some Treasury Department office workstations.

The attack follows a chain of attempts to burrow into foreign IT systems. In 2023, hackers affiliated with China’s People’s Liberation Army breached about two dozen critical entities across the US and Hawaii, and more recently, several US telecommunications firms.

Even access to environments holding only unclassified data can offer valuable insights to competitors, especially when digital supply chains are involved. It’s not always the files themselves that are valuable — it’s what they expose. Unclassified systems often reveal API endpoints and access methods, directory structures and server names, credentials left behind or misconfigured access controls, naming conventions or authentication flows, and much more.

Attackers use this not to steal the data, but to gain an initial foothold into company networks, map their infrastructure, and move laterally toward more sensitive assets. So while the content may be "unclassified," the context it exposes becomes a launchpad for deeper compromise. Organizations must therefore actively assess the exposure risk tied to their APIs and credentials before attackers do.

What Is a Digital Supply Chain?

A typical supply chain describes the flow of goods, from product design, material procurement, and production to demand forecasting, marketing, sales, and logistics. A digital supply chain is the trail of data that turns these plans into action. It integrates internal systems and data with external information and third-party vendors.

Within these chains, credentials are what allow trusted employees to bypass layered defenses and gain access to the systems they need to do their jobs. These keys are sometimes the first and last lines of defense for many of our precious secrets.

In collaboration with Flare, Verizon reports that 88% of the breaches in 2024 involved the use of stolen credentials, which in many cases started a larger attack chain.

Unauthorized access to usernames and passwords enables malicious actors to enter systems and obtain key data with the least amount of effort expended. Consequently, weak credentials enable threat actors to compromise a variety of different victims at scale.

The Risks of Weak API Security

Tariffs, trade wars, and a global pandemic have thrust supply chains into the center of public and corporate discourse. In April 2025, UK retail giant Marks & Spencer (M&S) experienced a significant cyber incident that disrupted key customer services. Online clothing orders and gift card transactions were brought to a halt. What was first assumed to be a technical glitch was ultimately traced back to a third-party vendor breach, highlighting the growing risks tied to supply chain compromises.

Supply chain risk and data visibility are now headline topics across mainstream media and boardrooms alike. Security teams must rethink what “threat” means in an API-centric economy, and stop underestimating infostealer malware, misconfigured pipelines, and static token scopes.

APIs are the set of protocols, tools, and definitions that allow different software applications to communicate with each other. They are protected by authentication methods such as:

  • API Key: A unique key provided by the API service, included in the request header or URL.
  • OAuth: A more secure method that involves token-based authentication.
  • Basic Auth: Encodes the username and password in the request header.

A default scope requests consent for every permission the application lists. However, it only triggers a consent prompt if consent wasn't already granted. If consent exists, the returned token grants the signed-in user access to all of the listed permissions. Hackers who steal such tokens can gain access to emails, files, or calendars without triggering any new warnings or consent prompts.

Scheduled key expiry limits access—often, companies will set this to the date the contract with any given third party ends. Nevertheless, relying on this as a best practice does not protect companies from stolen keys. Keys must instantly invalidate if misused. The challenge is knowing which keys have been stolen.
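The two preceding paragraphs describe three controls that work together: tokens and keys should carry only the scopes an integration needs, scheduled expiry bounds how long a key lives, and a key that shows signs of misuse must be invalidated immediately rather than at contract end. The following is an added example, not code from the article or from Flare, of a small API-key registry that implements all three. It stores only a hash of each secret, checks scope on every call, honours the scheduled expiry, and treats a key presented from outside its owner's known source ranges as a misuse signal that revokes it on the spot. The owner names, IP prefixes, scope names and the "unexpected source" heuristic are all constructed for illustration; a production system would feed revocation from richer signals (rate anomalies, leak monitoring, geo-velocity).

```python
"""Added example, not code from the article or from Flare: an API-key registry
that keeps only a hash of each secret, enforces least-privilege scopes on every
call, honours a scheduled expiry, and revokes a key the instant a misuse signal
fires, so a stolen key dies long before its contract-end date. Owners, IP
prefixes and scope names are constructed for illustration."""
import hashlib
import secrets
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone


@dataclass
class ApiKey:
    owner: str                  # third party the key was issued to
    scopes: frozenset           # exactly what the integration needs, no broad default
    expires_at: datetime        # scheduled expiry, e.g. the contract end date
    allowed_prefixes: tuple     # source-IP prefixes the owner normally calls from
    revoked: bool = False
    revoke_reason: str = ""


class KeyRegistry:
    def __init__(self, clock=None):
        self._keys = {}         # sha256(secret) -> ApiKey
        self._clock = clock or (lambda: datetime.now(timezone.utc))

    @staticmethod
    def _fingerprint(secret):
        # The plaintext key is never stored, so a leaked registry yields no usable keys.
        return hashlib.sha256(secret.encode()).hexdigest()

    def issue(self, owner, scopes, ttl_days, allowed_prefixes):
        secret = secrets.token_urlsafe(32)
        self._keys[self._fingerprint(secret)] = ApiKey(
            owner=owner,
            scopes=frozenset(scopes),
            expires_at=self._clock() + timedelta(days=ttl_days),
            allowed_prefixes=tuple(allowed_prefixes),
        )
        return secret            # shown to the owner exactly once

    def revoke(self, secret, reason):
        rec = self._keys.get(self._fingerprint(secret))
        if rec is not None:
            rec.revoked, rec.revoke_reason = True, reason

    def authorize(self, secret, scope, source_ip):
        """Return 'ok' or a 'denied: ...' string; revokes on a misuse signal."""
        rec = self._keys.get(self._fingerprint(secret))
        if rec is None:
            return "denied: unknown key"
        if rec.revoked:
            return f"denied: revoked ({rec.revoke_reason})"
        if self._clock() >= rec.expires_at:
            return "denied: expired"
        if not source_ip.startswith(rec.allowed_prefixes):
            # Misuse signal (constructed heuristic): the key is presented from outside
            # the owner's known ranges. Waiting for scheduled expiry would leave it
            # valid for whoever holds the copy, so it is invalidated right now.
            self.revoke(secret, f"presented from unexpected source {source_ip}")
            return f"denied: revoked ({rec.revoke_reason})"
        if scope not in rec.scopes:
            return f"denied: scope {scope} not granted to {rec.owner}"
        return "ok"


def demo():
    """Scripted scenario: legitimate calls, the same key used by a thief, and a
    second key running past its scheduled expiry. Returns the decisions in order."""
    now = {"t": datetime(2025, 6, 1, tzinfo=timezone.utc)}   # controllable clock
    reg = KeyRegistry(clock=lambda: now["t"])
    key = reg.issue("logistics-vendor", ["shipments.read"], ttl_days=365,
                    allowed_prefixes=("203.0.113.",))
    results = [
        reg.authorize(key, "shipments.read", "203.0.113.7"),   # vendor, in scope
        reg.authorize(key, "mail.read", "203.0.113.7"),        # vendor, scope never granted
        reg.authorize(key, "shipments.read", "198.51.100.9"),  # stolen copy, new location
        reg.authorize(key, "shipments.read", "203.0.113.7"),   # vendor locked out until rotation
    ]
    key2 = reg.issue("analytics-vendor", ["reports.read"], ttl_days=30,
                     allowed_prefixes=("192.0.2.",))
    results.append(reg.authorize(key2, "reports.read", "192.0.2.4"))  # still valid
    now["t"] += timedelta(days=31)
    results.append(reg.authorize(key2, "reports.read", "192.0.2.4"))  # scheduled expiry hit
    return results


if __name__ == "__main__":
    for decision in demo():
        print(decision)
```

Note the order of checks in `authorize`: revocation and expiry are evaluated before the source check, so a key that has already been pulled never reaches the heuristic, and the legitimate owner is also locked out once their key is revoked, which is the intended outcome: the fix for a stolen key is rotation, not continued use.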

Keeping Tabs on Leaked Credentials

Brute force or password-guessing techniques, where attackers attempt multiple combinations of usernames and passwords in rapid succession, work well when passwords are weak or commonly used. This is especially true now that malicious actors can rely on automation to expedite the process.

Even with strong passwords, if credentials were previously leaked, hackers will try them on numerous different accounts. This technique, credential stuffing, triumphs due to password reuse. Once attackers gain access to login credentials, the information is often posted or sold on dark web forums, where it can be used, or reused, by other cybercriminals.
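The two attack patterns above leave different footprints in an authentication log: brute force is depth (many failures against one account from one source), while credential stuffing is breadth (one or two attempts against many distinct accounts from the same source, mostly failing, with the occasional success where a leaked password was reused). The following added example, not code from the article or from Flare, runs that distinction over a constructed log. The log format, thresholds and account names are assumptions for illustration; the successes reported for a stuffing source are the accounts a defender would force to reset.

```python
"""Added example, not from the article: classifying failed-login patterns in an
authentication log as brute force (depth on one account) or credential stuffing
(breadth across many accounts). Log format, thresholds and names are constructed."""
import re
from collections import defaultdict

# Assumed log format: "<timestamp> src=<ip> user=<name> result=OK|FAIL"
LINE = re.compile(r"src=(?P<src>\S+) user=(?P<user>\S+) result=(?P<result>OK|FAIL)")


def build_sample_log():
    """Constructed authentication log for the demo (not real data)."""
    lines = []
    # One source hammering a single account with different guesses.
    lines += [f"2025-05-01T10:00:{i:02d}Z src=198.51.100.5 user=alice result=FAIL"
              for i in range(12)]
    # One source trying a dozen different accounts once each; one leaked pair works.
    victims = ["bob", "carol", "dave", "erin", "frank", "grace",
               "heidi", "ivan", "judy", "mallory", "niaj", "olivia"]
    for i, user in enumerate(victims):
        result = "OK" if user == "grace" else "FAIL"
        lines.append(f"2025-05-01T10:05:{i:02d}Z src=203.0.113.77 user={user} result={result}")
    # An ordinary user who mistyped twice, then got in: should not be flagged.
    lines += ["2025-05-01T10:09:00Z src=192.0.2.10 user=peggy result=FAIL",
              "2025-05-01T10:09:05Z src=192.0.2.10 user=peggy result=FAIL",
              "2025-05-01T10:09:12Z src=192.0.2.10 user=peggy result=OK"]
    return "\n".join(lines)


def parse(log_text):
    """Yield (src, user, result) for every line that matches the assumed format."""
    for line in log_text.splitlines():
        m = LINE.search(line)
        if m:
            yield m.group("src"), m.group("user"), m.group("result")


def classify_sources(log_text, brute_threshold=8, stuffing_min_users=10,
                     stuffing_max_per_user=2, stuffing_fail_rate=0.8):
    """Per source IP, decide whether the login pattern looks like brute force or
    credential stuffing. Returns {src: {"pattern", "targets", "successes"}};
    sources that match neither are omitted."""
    per_src = defaultdict(lambda: defaultdict(lambda: {"FAIL": 0, "OK": 0}))
    for src, user, result in parse(log_text):
        per_src[src][user][result] += 1

    findings = {}
    for src, users in per_src.items():
        fails = sum(c["FAIL"] for c in users.values())
        total = sum(c["FAIL"] + c["OK"] for c in users.values())
        widest = max(c["FAIL"] + c["OK"] for c in users.values())
        if any(c["FAIL"] >= brute_threshold for c in users.values()):
            pattern = "brute-force"          # depth: repeated guesses on one account
        elif (len(users) >= stuffing_min_users
              and widest <= stuffing_max_per_user
              and fails / total >= stuffing_fail_rate):
            pattern = "credential-stuffing"  # breadth: one try each across many accounts
        else:
            continue
        findings[src] = {
            "pattern": pattern,
            "targets": sorted(users),
            # Accounts that let the attacker in: reused leaked passwords, reset them.
            "successes": sorted(u for u, c in users.items() if c["OK"]),
        }
    return findings


if __name__ == "__main__":
    for src, info in classify_sources(build_sample_log()).items():
        print(src, info["pattern"], "successes:", info["successes"])
```

The per-user attempt cap (`stuffing_max_per_user`) is what separates stuffing from a slow brute force: a stuffing tool already believes it holds the right password, so it rarely tries an account more than once or twice.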

Dark web marketplaces have become central hubs for trading stolen information, where usernames, passwords, and other personal data are sold or auctioned off. Buyers range from lone hackers to organized criminal groups, who use the information for activities such as account takeovers, identity theft, and financial fraud. Moreover, attackers with varying levels of skill can obtain the tools they need from these forums, lowering the barrier to entry for cybercriminals.

Organizations must ensure that passwords are always strong, blacklist commonly used or previously leaked passwords, and monitor the dark web for compromised credentials. Only with a unified defense strategy will they effectively limit unauthorized access and stay ahead of credential leakages.

There is Hope

Monitoring the dark web, infiltrating threat actor groups, and cutting off access to breached credentials and stolen identities, before they’re sold or weaponized, is more possible than ever. But only with the right tools. Arming your organization with effective Threat Intelligence capabilities isn’t optional anymore; it’s strategic defense. As the Roman General Publius (perhaps the original red-teamer) once said: "If you want peace, prepare for war."

Andrew Bartlam

Andrew Bartlam is Flare’s VP EMEA and Global Channel. He is a 30-year industry veteran having occupied Senior Management, Sales and Strategic Alliances roles, both in the US and UK, at several high-tech scale-ups and the industry analyst, Gartner. Andrew’s last three companies have all been cyber-related, including CipherCloud, Orca Security, and Instart. He has been part of four IPOs and in his spare time, he is an advisor to a handful of tech startup founders. He is passionate about the role of Channel in scaling a business. Andrew graduated from the University of Portsmouth with a Degree in Politics and International Relations.
