PT0-002 Question #361: Real Exam Question with Answer & Explanation
The correct answer is C: Contact the client and inform them of the breach. The best action for a penetration tester who discovers client passwords in a public data breach is to contact the client immediately and inform them of the compromised credentials.
Question
A penetration tester discovers passwords in a publicly available data breach during the reconnaissance phase of the penetration test. Which of the following is the best action for the tester to take?
Options
- A. Add the passwords to an appendix in the penetration test report.
- B. Do nothing. Using passwords from breached data is unethical.
- C. Contact the client and inform them of the breach.
- D. Use the passwords in a credential stuffing attack when the external penetration test begins.
Explanation
The best action for a penetration tester who discovers client passwords in a public data breach is to contact the client immediately and inform them of the compromised credentials.
Common mistakes
- A. Adding the passwords to a report appendix is insufficient; immediate action is required due to the high risk of publicly available compromised credentials.
- B. Doing nothing would be a dereliction of professional duty, as the information represents an active and critical risk to the client.
- D. While using these passwords for credential stuffing might be a valid next step if approved and in scope, the best first action is to inform the client of the compromise itself, allowing them to remediate proactively.
Concept tested: Ethical conduct in penetration testing