
Hackers use login data from password leaks for credential stuffing and identity theft attacks. (© Aphos GmbH / Firewalls24)
Since the publication of the “Synthient Credential Stuffing Threat Data” dataset, Aphos Gesellschaft für IT-Sicherheit has increasingly been supporting customer organizations that are confronted with security-relevant incidents. In addition to credential stuffing attacks, the experts at Aphos are increasingly observing phishing campaigns in which compromised email accounts from customer organizations, such as those of their partners or suppliers, are misused.
Important: Aphos Gesellschaft für IT-Sicherheit is not itself affected. The security incidents observed concern organizations that are supported by Aphos and their business partners.
Identity misuse on two levels
According to the _Have I Been Pwned_ platform, the Synthient dataset made public at the beginning of November 2025 contains around 1.96 billion email addresses and over 1.3 billion passwords – many of which are still active. Attackers use this data not only for automated login attempts, but also for targeted attacks via compromised email accounts from legitimate organizations.
A typical pattern: a previously compromised email account of a business partner is used to distribute deceptively genuine phishing emails. These can contain fake payment requests, login links or manipulated documents. As the sender address actually belongs to the partner company, such messages are often not blocked by traditional security mechanisms and are barely recognizable as an attack for recipients.
Aphos Incident Response: Protection through experience and speed
The incident response team at Aphos GmbH is currently called in regularly to incidents in which precisely such scenarios become reality. In several of the cases we have handled, attackers have been able to either gain direct access to networks or exploit internal relationships of trust via compromised email accounts from the affected customer organizations.
“We are increasingly seeing hybrid attack scenarios in which stolen access data and legitimate communication channels work together,” explains Jan Spreier, incident response expert at Aphos. “The time from initial access to propagation in the network is getting shorter and shorter – what counts is an immediate response.”
Aphos’ Incident Response Service provides organizations with rapid support for containment, analysis and recovery following security incidents. Through close coordination with IT teams, structured forensics and pragmatic recommendations for action, damage can be limited and attack surfaces permanently reduced.
Technical protection measures with Sophos
In addition to organizational resilience, powerful technical protection mechanisms are crucial. As a fully technically accredited Platinum Partner and operator of the Sophos store Firewalls24.de, Aphos Gesellschaft für IT-Sicherheit relies specifically on the Sophos security platform.
* Sophos Email Security & Sophos DMARC Manager: With the cloud-based protection for incoming and outgoing emails, phishing attacks and spoofing attempts can be reliably detected and blocked. Sophos DMARC Manager also helps to protect your own domain from misuse by attackers – an important building block against attacks via compromised partner accounts.
* Sophos XDR (Extended Detection & Response): For organizations with their own IT security department, Sophos XDR provides extended detection and response capabilities across endpoints, servers, email, identities and more. The solution aggregates data from the entire environment in a central data lake and enables in-depth analysis of potential security incidents.
* Sophos MDR (Managed Detection & Response): Those who cannot or do not want to operate their own 24/7 security department benefit from the MDR service. A dedicated team of experts takes over continuous monitoring, threat analysis and incident response – around the clock, with short response times.
* ITDR extension (Identity Threat Detection & Response): The ITDR module is also available for both solutions – XDR as well as MDR. It enables the targeted monitoring of authentication processes, privileged accounts and suspicious login activities in order to detect identity misuse in an even more targeted manner.
With these solutions, a multi-layered defense strategy can be established that comprehensively addresses both technical attacks and the misuse of legitimate access data.
Recommendations for action from Aphos
In view of the current threat situation, Aphos recommends the following steps:
* Immediately check affected mail addresses via HaveIBeenPwned.com and replace compromised passwords.
* Set up strong multi-factor authentication (MFA) for internal and external access.
* Monitor for unusual login attempts, especially from cloud or VPN systems.
* Provide awareness training for employees so they can better recognize and report phishing attempts.
* Communicate with partner companies if there are indications of compromised accounts.
Aphos Gesellschaft für IT-Sicherheit mbH
Mergenthalerallee 73-75
Eschborn 65760
Germany
Herr Lennart Wyrwa
061965820160
Aphos Gesellschaft für IT-Sicherheit mbH is a specialized IT security provider with a focus on tailor-made cybersecurity solutions for companies, authorities and public institutions. As a technically fully accredited Sophos Platinum Partner, the company offers first-class consulting, comprehensive support and a broad portfolio of IT security solutions.
With Firewalls24.de, the store for IT security solutions from Sophos, Aphos GmbH enables fast and uncomplicated procurement of Sophos firewalls, switches, access points and Sophos Central licenses.
The combination of technical expertise, personal advice and great prices makes Aphos the ideal partner for companies of all sizes that rely on the highest security standards.
This release was published on openPR.












 