Credential Harvesting
The systematic collection of usernames, passwords, and authentication data through phishing, fake login pages, malware, or data breaches for later use in account takeovers.
Also known as: password harvesting, credential theft, login data collection
Last reviewed: 1 June 2026
Credential harvesting is the process of acquiring login credentials at scale, typically as a precursor to account takeover attacks, fraud, or resale on criminal markets. Attackers use multiple collection methods: phishing emails directing users to convincing cloned login pages; keystroke-logging malware that captures credentials as they are typed; infostealer software that extracts saved passwords from browsers and password managers; and purchased credential databases compiled from data breaches.
Harvested credentials are validated using automated tools that test them against multiple services at once (credential stuffing), since many people reuse passwords. Credentials with high value — banking logins, email accounts (which enable password resets on other services), or corporate VPN accounts — command premium prices on dark-web markets.
For individuals, the primary defence is password uniqueness: using a different password for every account means a breach at one site cannot compromise others. Password managers facilitate this approach. For organisations, monitoring for employee credentials in breach databases and implementing phishing-resistant authentication (passkeys, hardware tokens) significantly reduces risk.
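On the defending side, the validation step described above (credential stuffing) appears in authentication logs as one source trying many distinct accounts with few successes. The following detection sketch is an added example, not part of the original entry; the log format, thresholds and function name are assumptions, and the log lines are constructed.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log; assumed format: "<ISO time> <source IP> <username> <OK|FAIL>"
SAMPLE_LOG = """\
2026-05-30T09:00:01 203.0.113.7 alice@example.com FAIL
2026-05-30T09:00:03 203.0.113.7 bob@example.com FAIL
2026-05-30T09:00:05 203.0.113.7 chen@example.com FAIL
2026-05-30T09:00:07 203.0.113.7 carol@example.com OK
2026-05-30T09:00:09 203.0.113.7 dev@example.com FAIL
2026-05-30T09:00:11 203.0.113.7 erin@example.com FAIL
2026-05-30T09:01:20 198.51.100.20 frank@example.com FAIL
2026-05-30T09:01:45 198.51.100.20 frank@example.com OK
2026-05-30T09:02:00 192.0.2.44 gina@example.com OK
2026-05-30T09:02:10 192.0.2.44 hal@example.com OK
2026-05-30T09:02:20 192.0.2.44 ivy@example.com OK
2026-05-30T09:02:30 192.0.2.44 jo@example.com OK
2026-05-30T09:02:40 192.0.2.44 kim@example.com OK
"""

def find_stuffing_sources(log_text, window=timedelta(minutes=5),
                          min_users=5, max_success_ratio=0.2):
    """Return {ip: {"distinct_users": n, "reset_accounts": [...]}} for flagged sources."""
    by_ip = defaultdict(list)
    for line in log_text.strip().splitlines():
        ts, ip, user, result = line.split()
        by_ip[ip].append((datetime.fromisoformat(ts), user.lower(), result == "OK"))
    findings = {}
    for ip, events in by_ip.items():
        events.sort()
        start, peak = 0, 0
        for end in range(len(events)):
            # Slide the window so it never spans more than `window` of time.
            while events[end][0] - events[start][0] > window:
                start += 1
            chunk = events[start:end + 1]
            users = {u for _, u, _ in chunk}
            ok_ratio = sum(ok for _, _, ok in chunk) / len(chunk)
            # Both conditions must hold: a user mistyping one password, or an
            # office NAT with normal successful logins, matches only one.
            if len(users) >= min_users and ok_ratio <= max_success_ratio:
                peak = max(peak, len(users))
        if peak:
            # Any account that logged in successfully from a flagged source
            # is treated as exposed and queued for a password reset.
            hits = sorted({u for _, u, ok in events if ok})
            findings[ip] = {"distinct_users": peak, "reset_accounts": hits}
    return findings

if __name__ == "__main__":
    print(find_stuffing_sources(SAMPLE_LOG))
```

The thresholds need tuning against real traffic, since distributed attempts that spread a few accounts across many sources will fall below a per-IP count.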
Examples
- A phishing kit replicates a popular email provider login page; when users enter credentials, they are logged silently and the user is redirected to the real site.
- An infostealer distributed as a game crack extracts all saved browser passwords from the victim's device and uploads them to a criminal forum.