CompTIA PenTest+ (PT0-002) — Question 263
A penetration tester discovers passwords in a publicly available data breach during the reconnaissance phase of the penetration test. Which of the following is the best action for the tester to take?
Answer options
- A. Add the passwords to an appendix in the penetration test report.
- B. Do nothing. Using passwords from breached data is unethical.
- C. Contact the client and inform them of the breach.
- D. Use the passwords in a credential stuffing attack when the external penetration test begins.
Correct answer: C
Explanation
The correct action is to contact the client and inform them of the breach. Credentials that are already circulating in a public breach dump represent a live exposure that exists regardless of the penetration test; the client needs to know now so they can force password resets, check for unauthorized logins, and decide whether the finding changes the scope or priorities of the engagement. Rules of engagement normally define a channel for exactly this kind of immediate communication, and indicators of an existing compromise discovered during reconnaissance are a textbook case for using it. Option A postpones that notification until the final report, leaving the exposure open for the length of the engagement, and placing recovered plaintext passwords in a report appendix is itself poor handling of sensitive data. Option B is wrong because the tester has a duty to report what was found; ignoring it leaves the client unaware of an active risk. Option D is wrong because the tester would be acting on the credentials without first confirming with the client that such testing is authorized and in scope; any use of breached credentials in the test should happen only after the client has been informed and has explicitly agreed to it.