The case that circulated on social media about the SNS Portal is not, at its core, a story about infrastructure failure. A doctor's credentials were compromised and used to access patient records at scale.
The system behaved as expected, authenticating an apparently legitimate identity. The vulnerability was in the detection of improper access and in post-authentication behavioural control.
This pattern repeats itself in regulated sectors, SMEs with dozens of employees, and organisations with non-existent offboarding processes. For those providing cybersecurity services, the SNS incident is an example worth pointing to — and learning from.
##When Legitimate Access Is the Attack
The distinction that matters here is both technical and commercially relevant: there was no exploitation of a vulnerability in the system. The attacker authenticated with real credentials, obtained a valid session token, and navigated as if they were the healthcare professional.
From the point of view of access logs, the behaviour was apparently legitimate. This is why traditional controls fail in this scenario. A perimeter firewall does not filter an authenticated session. A signature-based IDS (intrusion detection system) does not detect navigation within the access boundaries of a legitimate user. And a SIEM without behavioural context will struggle to distinguish the real user from an attacker.
What would make this attack detectable earlier is precisely what is missing in most of the organisations we study: knowing, before use, that credentials are exposed. The window between exposure and exploitation is typically weeks or months (and tends to shorten with mass exploitation and AI). It is that window that credential monitoring seeks to close.
##The Life Cycle of a Compromised Credential
The most prevalent credential theft mechanisms today are not sophisticated in the classical sense. Infostealers are distributed through low-cost phishing campaigns or compromised software downloads; they extract session cookies, passwords stored in the browser, and authentication tokens, and send everything to command panels in seconds.
The healthcare professional may have downloaded compromised software to manipulate a PDF, or clicked on a phishing link — they may not even have realised it happened. These are examples of possible compromise vectors. The concrete data on what actually happened has not yet been publicly confirmed.
From there, credentials follow a predictable path: they are consolidated into infostealer logs, sold on dark web marketplaces, and eventually purchased by an attacker. The average time between extraction and use reported in incidents documented by CNCS and the Verizon DBIR is frequently above 200 days.
During those days, the organisation does not know the credentials are exposed. The employee does not know. And the service provider managing security does not know either — unless they have visibility over these sources.
##What Continuous Monitoring Changes for the IT Service Provider
IDWatch, CyberInspect's identity monitoring offering, covers this gap. The logic is simple in its formulation, but requires systematic access to sources most organisations cannot monitor on their own: compromised data repositories, Telegram channels trading credentials, infostealer logs, dumps of exposed databases, and specialised forums.
For a service provider managing dozens of clients, the value proposition is direct. Instead of waiting for an incident to occur and then analysing how it happened, they gain early visibility over compromised accounts, can notify the client before use, and can trigger credential rotations, active session reviews, and endpoint investigations proactively. This shifts the security posture from reactive to preventive.
Commercially, credential monitoring is a recurring service with low delivery cost per additional client and high perceived value. The client cannot do this on their own without disproportionate investment. The service provider, with a platform such as CyberInspect, can scale to multiple clients with reduced effort.
##The Offboarding Problem
The SNS case raises another question: the compromised credentials allegedly belonged to a doctor who no longer had duties at the healthcare unit. The account remained active and the access available. This problem is structural and affects any organisation with employee turnover and no automated offboarding process.
SMEs with dozens of SaaS tools, supplier portals, remote access systems, and collaborative platforms accumulate orphan accounts, which are rarely identified before becoming a compromise vector.
Credential monitoring does not replace a well-structured identity lifecycle management process, but it works as a safety net: when an account that should be inactive appears in compromised data, the signal reaches the user before the attacker uses it.
Opinion piece by Rui Borges — Tech Lead at CyberInspect. Originally published on Business IT.