Hackers increasingly rely on legitimate user accounts over malware to break into some of the biggest companies.

Why it matters: Finding someone's password or authentic browser session tokens is pretty easy on the dark web thanks to a growing dark-net market where hackers buy and sell information stolen from years of data breaches.

• Hackers using stolen user accounts to exfiltrate data from a company's network can more easily disguise their activities — averting detection from traditional cyber monitoring tools.

Driving the news: CrowdStrike and IBM both released reports late last month detailing how malicious hackers are relying more on passwords in their schemes.

• IBM's incident response team saw a 71% increase in the number of attacks relying on valid login credentials in 2023 compared with 2022.
• The total number of advertisements from access brokers — who sell passwords, session tokens and other ways to break into a company — jumped nearly 20% in 2023 from the year before, CrowdStrike's report found.

What they're saying: "To see a 70-percent swing, that's an industry wake-up call," Charles Henderson, global head of IBM's X-Force threat intelligence team, told Axios.

• "We've been saying for 20 years that, 'Hey, passwords are bad, we should be using multifactor authentication,' and you're seeing that come home to roost," he added.

The big picture: Stolen account sessions and legitimate passwords were the root cause of several high-profile attacks in 2023.

• In November, hackers broke into Microsoft's networks via a password-spraying attack. They eventually gained access to top executives' inboxes.
• Hackers used a similar technique to breach genetic testing company 23andMe in the fall and steal 6.9 million people's personal data.
• Identity management companies like Okta and LastPass have become prime targets for hackers in recent years too.

Zoom in: Both government hacking teams and financially motivated cybercriminals are turning to login credentials and session tokens.

• IBM noted that the LockBit ransomware gang has attempted to purchase source code for a popular infostealer — a type of malware that hackers use to steal login credentials and session tokens.
• CrowdStrike found in its report that Russian military hackers had developed their own tools to mine login credentials from Yahoo Mail and other email providers.
• Russian intelligence hackers also conducted a phishing campaign to collect multifactor authentication tokens from Microsoft 365 accounts, CrowdStrike noted.

The intrigue: The heightened reliance on login credentials has also prompted a wave of cloud intrusions, Adam Meyers, senior vice president of counter adversary operations at CrowdStrike, told Axios.

• CrowdStrike saw a 75% increase in the number of cloud intrusions in 2023.
• "A threat actor simply has to compromise the identity of a legitimate user and then move into the cloud environment," Meyers said.
• From there, hackers can deploy malware or other tools directly from the cloud interface, he said, and the intruders look like legitimate users while doing so.

The bottom line: Implementing a zero-trust security framework inside a company can help to ensure hackers don't have access to privileged information once they break in, the reports advise.

• Employees should also be mindful of how frequently they're reusing passwords across accounts.