Stop Reusing Your Passwords Before They Get You Hacked

Posted on February 6, 2025
Spanish telecommunications giant Telefonica recently fell victim to a significant cybersecurity breach, showing that even large organizations can be vulnerable. The event highlights how important it is to maintain strong defenses, especially against infostealers, which are designed specifically to steal information.
The Breach: What Happened?
This month (January 2025), Telefonica confirmed unauthorized access to its internal Jira ticketing system. The breach, orchestrated by a group of attackers allegedly linked to the Hellcat ransomware group, resulted in the theft of approximately 2.3 GB of sensitive data. The stolen information included:
- 24,000 employee emails and names
- 500,000 Jira issues and summaries
- 5,000 internal documents
- 236,493 lines of customer data
The Attack Vector: Infostealer Malware
The breach was facilitated by infostealer malware, a type of malicious software designed to harvest sensitive information such as login credentials from infected devices. Numerous employees were reported to be compromised, providing attackers with critical credentials for initial access:
- 469 employee credentials on Telefonica’s domain were compromised.
Managing passwords has become overwhelming. Nearly every online service requires a login, and research shows that the average person has over 170 passwords to keep track of. Given this sheer volume, it’s no surprise that people reuse passwords or choose weak, easy-to-remember ones.
Unfortunately, cybercriminals are well aware of these habits and can automatically test stolen credentials across multiple platforms.
A single exposed credential can trigger a chain reaction of security vulnerabilities. One employee with poor password practices can open the door for hackers to infiltrate your network and gain elevated access.
And that’s not just a hypothetical scenario. Verizon’s 2024 Data Breach Investigation Report found that stolen credentials played a role in nearly one-third (31%) of data breaches, largely thanks to how predictable and often reused passwords are.

How Hackers Exploit Reused Passwords
One of the first things cybercriminals do when they get their hands on a stolen password is try to use it across multiple accounts – a technique known as credential stuffing.
Hackers are well aware that people frequently reuse passwords and that slight modifications – like adding a number or symbol – are easy to predict. With automated tools, they can test thousands of stolen credentials in seconds, significantly boosting their chances of success. Just one exposed password from a single employee can put an entire organization at risk.
Once they gain access to an account, they can:
- Sell it on the dark web – Stolen credentials are valuable commodities, often sold in bulk to other cybercriminals who use them for further attacks.
- Use it for identity theft – Cybercriminals can exploit compromised credentials to impersonate individuals, gain access to sensitive data, or execute financial fraud.
- Launch further attacks – If an attacker compromises a work email, they can use it to send phishing emails, reset passwords for more sensitive accounts, or move laterally within an organization.
Most Organizations Don’t Address the Risks of Reused Passwords
Last year, 10 billion compromised credentials were exposed on a hacking forum in a leak dubbed “RockYou2024.” This leak alone potentially exposed hundreds, if not thousands, of organizations to credential stuffing attacks, account takeovers, and unauthorized access to systems.
But despite the risks they pose, most organizations have little to no control over how employees use passwords across different platforms. Employees often reuse passwords across work and personal accounts, making it easier for attackers to exploit compromised credentials from third-party breaches.
Even organizations with password policies struggle with enforcement. Employees may bypass complexity requirements by using predictable variations of old passwords, and IT teams rarely have visibility into whether passwords are being reused elsewhere.
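Complexity rules accept "Summer2025#" as a replacement for "Summer2024!" even though both share the same base word. The check below is an added example, not part of the original post, showing how a password-change flow could reject such variations; the substitution table, threshold and sample passwords are assumptions constructed for illustration.

```python
import difflib
import re

# Common character substitutions, mapped back to the letter they stand for.
LEET = str.maketrans({"0": "o", "1": "l", "3": "e", "4": "a",
                      "5": "s", "7": "t", "@": "a", "$": "s", "!": "i"})

def skeleton(password):
    """Reduce a password to its base word.

    Leading/trailing digits and symbols are stripped first (so "2024!" is
    dropped rather than decoded), then substitutions inside the word are undone.
    """
    core = re.sub(r"^[\W\d_]+|[\W\d_]+$", "", password.lower())
    return core.translate(LEET)

def is_predictable_variation(new, current, threshold=0.8):
    """True if `new` is `current` with cosmetic changes only.

    Intended for the password-change flow, where the user has just typed the
    current password; nothing here requires storing plaintext passwords.
    """
    a, b = skeleton(new), skeleton(current)
    if not a or not b:
        # All digits/symbols: no base word, so compare the raw strings.
        a, b = new.lower(), current.lower()
    if a == b:
        return True
    return difflib.SequenceMatcher(None, a, b).ratio() >= threshold

if __name__ == "__main__":
    current = "Summer2024!"  # constructed sample
    for candidate in ("Summer2025#", "Summ3r!!", "$ummer2024",
                      "correct-horse-battery-staple"):
        print(candidate, is_predictable_variation(candidate, current))
```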


While endpoint protection and login monitoring can detect some suspicious activity, these measures are largely reactive and do little to prevent credential reuse in the first place.
Steps to Stop Reusing Passwords and Secure Your Accounts
Employees are not to blame for always using the same, or variations of the same password. There are simply too many accounts to manage, and without the right tools and policies, password reuse is almost inevitable.
Here are some steps every organization should take to minimize password reuse and protect accounts from credential stuffing:
- Use a password manager
Employees shouldn’t have to remember complex passwords. A password manager can help them by generating and storing unique, strong passwords for every account.
- Enable Multi-Factor Authentication (MFA)
MFA ensures that even if credentials get breached, a hacker can’t get in without another form of authentication. You can use an authentication app, like Google Authenticator, which generates time-based one-time passwords (TOTP) that expire after a short period. It’s important to tightly enforce MFA as a requirement, and remind employees who have yet to enable it.
- Regularly check for compromised identity data
Despite strong internal measures, breaches can still occur. That’s why organizations need proactive monitoring to detect compromised credentials before attackers can use them.
Solutions like Twilight Cyber’s dark web monitoring scan for leaked employee credentials in real time, alerting security teams when stolen passwords appear in breaches. This allows organizations to reset compromised passwords and prevent unauthorized access before it happens.
How Twilight Cyber Protects You from Credential Leaks
Cybercriminals only need one exposed employee credential to capitalize on a reused password and infiltrate an organization.
Without real-time detection, these stolen credentials can circulate on the dark web for weeks or months before security teams even realize they’ve been compromised.
Twilight Cyber proudly provides real-time credential monitoring and Account Takeover prevention to alert you as soon as your credentials appear in a data breach, dark web marketplace, or underground forum.
We have unparalleled access to dark web intelligence and cybercriminal networks, allowing us to detect compromised credentials within minutes – far faster than traditional security solutions.
Want to test the power of our platform?