CIAM Weekly

Canary User Accounts

Dan Moore
Jun 01, 2026

Heya,

A canary account is fake data you plant in your system that no legitimate process should ever touch. If that fake data is ever used or accessed, you know the system has been compromised in some way. You can then do forensics on the system, remediate the access, and/or notify users and regulators.

For example, you might add an API key but never use it. If that API key ever shows up in a request, it has somehow leaked. Similarly, you could create an AWS access key/secret key pair and monitor for its usage. If it is ever used, someone had illicit access to the AWS account.

In the same vein, with a CIAM system you can create a user account that will never be used by a legitimate person, then set up monitoring that alerts whenever anyone logs into it. If that ever happens, something bad has occurred: either the database has been breached and someone has cracked the password, a credential stuffing attack succeeded, an insider has reset the user’s password and logged in as that user, or something else that shouldn’t have happened did.

If this particular user has been breached, then it is very possible other legitimate user accounts have been breached as well.
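As an added illustration, not code from the newsletter, here is a small monitor that scans JSON audit events for any login, password reset, or API/AWS call that touches a canary user or canary key. The identifiers, event names, and log format are all constructed assumptions.

```python
import json

# Constructed canary identifiers; placeholders, not real credentials.
CANARIES = {
    "user": {"canary.user@example.com"},
    "api_key": {"ck_canary_placeholder"},
    "aws_access_key_id": {"AKIACANARYPLACEHOLDER"},
}

# Any of these events touching a canary identifier is a compromise signal:
# a login, a password reset (possible insider misuse), or a request using a key.
WATCHED_EVENTS = {"login.success", "password.reset", "api.request", "aws.api_call"}


def scan_events(lines):
    """Parse one JSON audit event per line; return (ts, event, field, id, ip) per canary hit."""
    alerts = []
    for line in lines:
        if not line.strip():
            continue
        try:
            ev = json.loads(line)
        except json.JSONDecodeError:
            continue  # malformed line: skip rather than crash the monitor
        if not isinstance(ev, dict) or ev.get("event") not in WATCHED_EVENTS:
            continue
        for field, ids in CANARIES.items():
            if ev.get(field) in ids:
                alerts.append((ev.get("ts", ""), ev["event"], field, ev[field],
                               ev.get("source_ip", "unknown")))
                break  # one alert per event
    return alerts


# Constructed sample audit log: a legitimate login, a canary login, a canary
# API request, a malformed line, and a canary password reset.
SAMPLE_LOG = """
{"ts": "2026-06-01T08:00:00Z", "event": "login.success", "user": "alice@example.com", "source_ip": "203.0.113.5"}
{"ts": "2026-06-01T08:01:10Z", "event": "login.success", "user": "canary.user@example.com", "source_ip": "198.51.100.7"}
{"ts": "2026-06-01T08:02:30Z", "event": "api.request", "api_key": "ck_canary_placeholder", "source_ip": "198.51.100.7"}
this line is not json
{"ts": "2026-06-01T08:05:00Z", "event": "password.reset", "user": "canary.user@example.com", "source_ip": "10.0.0.12"}
"""

if __name__ == "__main__":
    for ts, event, field, ident, ip in scan_events(SAMPLE_LOG.splitlines()):
        print(f"ALERT {ts} {event} {field}={ident} from {ip}")
```

In a real deployment the canary set would live outside the code and the alert path would page someone rather than print, since a single hit means the rest of the user base may be exposed too.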

Canary accounts aren’t a complete solution.

© 2026 Dan Moore