Microsoft RDP Flaw Shows Why Password Hygiene Alone Can’t Protect You

Posted on May 12, 2025
Imagine changing a compromised password and assuming your systems are safe again, only to find attackers can still walk right in. A newly revealed Microsoft Remote Desktop Protocol (RDP) flaw has upended this fundamental security assumption.
Researchers discovered that Windows RDP may accept outdated, revoked passwords for remote access under certain conditions. In effect, even after a user resets their password, an attacker with the old credentials could still gain entry via RDP. This vulnerability highlights a critical reality for CISOs and IT leaders: password hygiene alone is not sufficient to secure your enterprise.
The RDP Credential Caching Flaw Explained
When a user first logs into a Windows machine over RDP with a Microsoft account or an Entra ID account, Windows verifies the password with the identity provider and then stores a locally checkable verifier of those credentials on that machine. This cached credential is intended as a fallback: if the machine loses contact with the domain controller or identity provider, at least one previously validated user can still log in.
The problem is that Windows does not invalidate or refresh that cached verifier when the password changes. On later RDP logon attempts, Windows may check the entered password against the cache first, and if it matches, it grants access even though the password has since been changed or revoked in Active Directory or Microsoft Entra ID. In effect, yesterday's password can still open today's system over RDP.
Even more concerning, researchers found that Windows might accept not just the last cached password, but several older ones – while simultaneously rejecting the most current, valid password.
This unpredictable behavior means that if an account’s credentials are ever leaked, multiple outdated passwords could still grant remote access – significantly extending the window of vulnerability.
Microsoft’s “Feature, Not a Bug” Response
What surprised many in the security community is that Microsoft does not classify this as a vulnerability. The company instead describes it as “a design decision to ensure that at least one user account always has the ability to log in no matter how long a system has been offline”.
In Microsoft’s view, caching a credential for offline login is a feature that prevents admins from locking themselves out of machines in remote scenarios. For a more in-depth understanding, you can refer to Microsoft’s documentation on Credentials Processes in Windows Authentication.
The rationale is understandable from an availability standpoint, but it does cause concern on the security front, forcing administrators to rethink their approach to remote access controls and credential management.
The Workaround: Manually Remove Cached Credentials
Administrators should establish a procedure to remove old cached credentials from Windows machines whenever a password is changed or an account is disabled. Stored credentials can be listed and deleted through the Windows Credential Manager UI or with the cmdkey command-line tool (cmdkey /list to enumerate them, cmdkey /delete to remove one).
Removing the cached password ensures the next logon must present the new credential. Keep in mind this has to be done on every machine where the user ever logged in via RDP. Group Policy can also reduce or disable credential caching in some cases: the setting “Interactive logon: Number of previous logons to cache (in case domain controller is not available)” controls how many domain logons Windows caches, and 0 turns caching off entirely, at the cost of the offline-logon fallback Microsoft is protecting.
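As an added example (not from the original post and not Microsoft's tooling), the following PowerShell script performs that cleanup on one machine: it parses cmdkey /list, deletes the Credential Manager entries stored for the affected user, and sets the registry value (CachedLogonsCount) that backs the cached-logons policy. It assumes an elevated session, a user name in the DOMAIN\user form that cmdkey prints (CORP\alice is a made-up account), and a domain-joined host. The Credential Manager vault and the LSA logon cache are different stores: cmdkey only touches the former, and lowering CachedLogonsCount stops new logons from being cached, so treat existing cache entries as present until the host has been checked.

```powershell
# Added example, not from the original post or from Microsoft.
# Remove stored credentials for one user on this machine after a password
# change, and stop Windows from caching domain logons.
# Assumptions: elevated PowerShell session; $UserName uses the DOMAIN\user
# form that cmdkey prints (e.g. 'CORP\alice', a made-up account).
param(
    [Parameter(Mandatory)] [string]$UserName,
    [int]$CachedLogonsCount = 0    # 0 disables caching of domain logons
)

# --- 1. Credential Manager (the store that cmdkey and the UI expose) ----
# Parse 'cmdkey /list' into Target/User pairs. Its output looks like:
#     Target: Domain:target=TERMSRV/server01
#     Type: Domain Password
#     User: CORP\alice
$entries = New-Object System.Collections.Generic.List[object]
$current = $null
foreach ($line in (cmdkey /list)) {
    if ($line -match '^\s*Target:\s*(.+?)\s*$') {
        $current = [pscustomobject]@{ Target = $Matches[1]; User = $null }
        $entries.Add($current)
    }
    elseif ($line -match '^\s*User:\s*(.+?)\s*$' -and $null -ne $current) {
        $current.User = $Matches[1]
    }
}

$stale = @($entries | Where-Object { $_.User -and $_.User -ieq $UserName })
if ($stale.Count -eq 0) {
    Write-Host "No Credential Manager entries stored for $UserName"
}
foreach ($e in $stale) {
    # cmdkey /delete wants the bare target name, without the
    # 'Domain:target=' or 'LegacyGeneric:target=' prefix that /list prints.
    $target = $e.Target -replace '^[A-Za-z]+:target=', ''
    Write-Host "Deleting stored credential for $($e.User) -> $target"
    cmdkey "/delete:$target" | Out-Null
}

# --- 2. Cached domain logon verifiers ----------------------------------
# These live in the LSA store, not in Credential Manager, and cmdkey does
# not touch them. They are governed by the policy 'Interactive logon:
# Number of previous logons to cache', whose registry backing is the
# REG_SZ value CachedLogonsCount. Setting it here affects this host only;
# if a GPO defines the setting, the GPO value wins on the next policy
# refresh, so for fleet-wide effect set it in the GPO instead.
$winlogon = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'
Set-ItemProperty -Path $winlogon -Name CachedLogonsCount `
    -Value ([string]$CachedLogonsCount) -Type String

# --- 3. Verify ---------------------------------------------------------
$remaining = @((cmdkey /list) | Select-String -SimpleMatch $UserName)
[pscustomobject]@{
    CredentialManagerEntriesRemoved = $stale.Count
    CredentialManagerEntriesLeft    = $remaining.Count
    CachedLogonsCount               = (Get-ItemProperty $winlogon).CachedLogonsCount
}
```

Saved as, say, Clear-StaleCredential.ps1 (a name chosen here, not from the post), it is run per host as `.\Clear-StaleCredential.ps1 -UserName 'CORP\alice'`. The verification object at the end is what a ticket should record: the number of entries removed, zero entries left that mention the user, and the policy value now in force.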
Enterprise Security Implications
Organizations must take the implications of this RDP credential caching behavior seriously. If an attacker steals or otherwise obtains an employee’s password (through phishing, infostealer malware, or a dark web leak), they could maintain persistent access to that user’s machine via RDP even after the password is changed.
From an attacker’s perspective, this is a golden opportunity: so long as the target machine has the old credential cached, the door remains unlocked. As one researcher put it, “it creates a silent, remote backdoor into any system where the password was ever cached”.
Equally alarming, this access can fly under the radar. Because the logon is satisfied locally from the cached verifier rather than by a live check with Entra ID (formerly Azure AD) or a domain controller, the identity provider records no sign-in, and the controls and logs that live there never see it. Only the endpoint's own Security log records the logon. An incident that should have been contained (by cutting off the old credential) can persist or recur.
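Since the endpoint still writes a local logon event, that is where to look. As an added example (not part of the original post), this PowerShell query pulls 4624 logon events from the local Security log and flags the ones whose logon type is a cached variant. In the 4624 documentation, logon type 10 is RemoteInteractive (RDP), 11 is CachedInteractive and 12 is CachedRemoteInteractive; which of these a given Windows build records for a cached RDP logon should be confirmed on a test host, so the script lists all three and marks the cached ones. It assumes an elevated session and the default success auditing of logon events.

```powershell
# Added example, not from the original post or from Microsoft.
# List remote-interactive logons on this host and flag those Windows
# satisfied from cached credentials rather than a live check with the
# domain controller or Entra ID. Assumes an elevated session and default
# logon auditing. Logon types per the 4624 documentation:
#   10 = RemoteInteractive, 11 = CachedInteractive, 12 = CachedRemoteInteractive
param([int]$Days = 7)

$cachedTypes = '11', '12'
$watchTypes  = @('10') + $cachedTypes

# Pull one named field out of the event's EventData. The Event XML uses a
# default namespace, so match on local-name() rather than a prefix.
function Get-EventField([xml]$Doc, [string]$Name) {
    $node = $Doc.SelectSingleNode("//*[local-name()='Data'][@Name='$Name']")
    if ($node) { $node.InnerText } else { $null }
}

$filter = @{ LogName = 'Security'; Id = 4624; StartTime = (Get-Date).AddDays(-$Days) }

$hits = Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue | ForEach-Object {
    $x    = [xml]($_.ToXml())
    $type = Get-EventField $x 'LogonType'
    if ($type -notin $watchTypes) { return }   # skip service, network, batch logons
    [pscustomobject]@{
        Time        = $_.TimeCreated
        User        = '{0}\{1}' -f (Get-EventField $x 'TargetDomainName'), (Get-EventField $x 'TargetUserName')
        SourceIP    = Get-EventField $x 'IpAddress'
        LogonType   = $type
        Cached      = $type -in $cachedTypes   # true = no live identity-provider check
        AuthPackage = Get-EventField $x 'AuthenticationPackageName'
    }
}

$hits | Sort-Object Time -Descending | Format-Table -AutoSize
'{0} remote/interactive logons in the last {1} day(s), {2} satisfied from cache' -f `
    @($hits).Count, $Days, @($hits | Where-Object Cached).Count
```

Run it on any host a compromised user ever reached over RDP, for example `.\Find-CachedRdpLogons.ps1 -Days 30` (the file name is chosen here, not from the post). A cached logon from an unfamiliar source IP after the password was rotated is exactly the case the article describes: the identity provider shows nothing, but the endpoint does.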
This undermines incident response playbooks. The step “disable or change the password” would no longer fully remove the adversary’s access. An attacker might quietly maintain RDP access to a critical server or workstation for weeks or months, defeating your password policies and risking data.
All of this has led some experts to call for rethinking the use of RDP in its current form. Allowing broad RDP access was high-risk to begin with, and this design quirk makes it even harder to justify without strong compensating controls.
Password Hygiene Isn’t Enough
The Microsoft RDP flaw is a stark reminder that even flawless password policies (enforcing complexity, rotation, and reuse prevention) can’t guarantee protection. Passwords remain a single point of failure, and compromised credentials continue to be a leading cause of breaches.
Attackers have become highly adept at stealing and misusing credentials at scale, often exploiting them long before detection. Relying solely on password hygiene is no longer a viable strategy.
Sometimes it’s necessary to proactively purge stored passwords from the Windows Credential Manager. But without explicit automation, doing this across all systems isn’t practical. To act decisively, you need to know which passwords have been exposed and confirm they’ve been fully removed. That’s where Twilight Cyber comes in – providing verified exposure detection and actionable intelligence to help you clean up credentials with confidence.
One of the most effective approaches is monitoring the dark web for exposed credentials.
Protect Your Credentials With Twilight Cyber
Twilight Cyber specializes in account takeover prevention by combining industry-leading identity threat protection with real-time detection. Its Identity Shield platform continuously scans underground marketplaces, breach dumps, and remote, hard-to-access corners of the dark web – sources that are typically beyond the reach of conventional tools. This unmatched visibility allows Twilight Cyber to alert security teams the moment corporate credentials surface, giving them a critical head start against attackers.
This early warning system allows teams to act immediately before attackers exploit the weakness. Twilight Cyber also integrates with existing SOC workflows, automating the response to minimize risk.
In a world where password flaws like RDP caching exist by design, solutions like Twilight Cyber are essential in securing your organization’s identity perimeter.
Ready to learn more? Contact us now, or get started with a FREE scan:
Recommended blogs

Spanish telecommunications giant Telefonica recently fell victim to a significant cybersecurity breach, showing that even large organizations can be vulnerable. The event highlights how important it is to maintain strong defenses, especially against infostealers, malware designed specifically to steal information.
The Breach: What Happened?
In January 2025, Telefonica confirmed unauthorized access to its internal Jira ticketing system. The breach, orchestrated by attackers allegedly linked to the Hellcat ransomware group, resulted in the theft of approximately 2.3 GB of sensitive data. The stolen information included:
- 24,000 employee emails and names
- 500,000 Jira issues and summaries
- 5,000 internal documents
- 236,493 lines of customer data
The Attack Vector: Infostealer Malware
The breach was facilitated by infostealer malware, malicious software designed to harvest sensitive information such as login credentials from infected devices. Numerous employees were reported to be compromised, providing attackers with the credentials they needed for initial access:
- 469 employee credentials on Telefonica’s domain were compromised.