830 Million e-mail passwords were hacked, check out if you are one of them

The short version: I’m loading over 1 billion breached accounts into HIBP. These are from 2 different “combo lists”, collections of email addresses and passwords from all sorts of different locations. I’ve verified their accuracy (including my own record in one of them) and many hundreds of millions of the email addresses are not already in HIBP. Because of the nature of the data coming from different places, if you’re in there then treat it as a reminder that your data is out there circulating around and that you need to go and get yourself a password manager and create strong, unique passwords.

There’s a huge amount of hacked data floating around the web. Of course, you know that by now if you’ve been reading here or watching what I’ve been doing with Have I Been Pwned (HIBP) and up until writing this blog post, there were 2.7 billion examples of that on the site. There’s a lot more there now, but we’ll get back to that in a moment.

So there’s a lot of stuff getting hacked and a lot of credentials floating around the place, but then what? I mean what do evil-minded people do with all those email addresses and passwords? Among other things, they attempt to break into accounts on totally unrelated websites. Here’s a great example: someone grabs the 164 million record LinkedIn data dump that turned up last year and cracks the hashes. They’re SHA1 without a salt so the protection on the passwords is pretty useless. In no time at all you’ve got tens of millions of email address and plain text password pairs. And this is where the real problems begin.

Account Hitman

As fallible humans, we reuse passwords. We’ve all done it at one time or another and whilst I hope that by virtue of you being here reading security stuff you’ve got yourself a good password manager, we’ve all got skeletons in our closets (more on mine soon). Most people are just out there YOLO’ing away with the same password or three across all their things. We know that because again, we’ve all done it and hackers know that because that’s their job! As such, they’re going to try and break into as many other accounts as they can using the credentials from a data breach. Which brings us to credential stuffing:

Credential stuffing is the automated injection of breached username/password pairs in order to fraudulently gain access to user accounts. This is a subset of the brute force attack category: large numbers of spilled credentials are automatically entered into websites until they are potentially matched to an existing account, which the attacker can then hijack for their own purposes.

This is a serious threat for a number of reasons:

  1. It’s enormously effective due to the password reuse problem
  2. It’s hard for organisations to defend against because a successful “attack” is someone logging on with legitimate credentials
  3. It’s very easily automatable; you simply need software which will reproduce the logon process against a target website
  4. There are readily available tools and credential lists that enable anyone to try their hand at credential stuffing
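The reuse problem above is exactly what a site operator can act on once a combo list like the ones described in the intro is available: parse it, index it, and find which of your own users appear in it so their passwords can be reset. The following is an added example, not code from the post or from HIBP. The combo-list text is constructed (the separator and casing differences mirror the "different locations" the post mentions; the `#` comment line and the line with no password stand in for the junk such dumps contain), and storing SHA-1 of each leaked password rather than the plaintext is a design choice made here, not something the post prescribes.

```python
import hashlib
import re
from dataclasses import dataclass, field

# Constructed sample of a combo list: one email/password pair per line,
# but separators and casing vary by source and some lines are junk.
# None of these are real breached credentials.
SAMPLE_COMBO_LIST = """\
alice@example.com:hunter2
Bob@Example.COM;correct horse battery staple
carol@example.com:Summer2017!
# junk line that a real dump often contains
dave@example.com
eve@example.com:hunter2
"""

# email, then a ':' or ';' separator, then the password (which may itself
# contain separators or spaces, so it is captured greedily to end of line).
_LINE_RE = re.compile(r"^\s*([^\s:;]+@[^\s:;]+)\s*[:;]\s*(.+?)\s*$")


def _sha1(password):
    return hashlib.sha1(password.encode("utf-8")).hexdigest()


@dataclass
class BreachIndex:
    # normalised email -> set of SHA-1 hex digests of passwords leaked for it
    accounts: dict = field(default_factory=dict)
    # every leaked password hash regardless of which account it belonged to
    passwords: set = field(default_factory=set)


def build_index(text):
    """Parse combo-list text into a BreachIndex; malformed lines are skipped."""
    index = BreachIndex()
    for line in text.splitlines():
        m = _LINE_RE.match(line)
        if not m:
            continue
        email, password = m.group(1).lower(), m.group(2)
        digest = _sha1(password)
        index.accounts.setdefault(email, set()).add(digest)
        index.passwords.add(digest)
    return index


def account_exposed(index, email):
    """True if this email address appears anywhere in the combo list."""
    return email.lower() in index.accounts


def pair_exposed(index, email, password):
    """True if this exact email/password pair was leaked: a stuffing tool
    would log in with it, so the account needs a forced reset."""
    return _sha1(password) in index.accounts.get(email.lower(), set())


def password_exposed(index, password):
    """True if the password was leaked for any account: reject it at
    registration or password change, since it is now in attackers' lists."""
    return _sha1(password) in index.passwords


def exposed_accounts(index, site_emails):
    """Given a site's user emails, return the sorted subset that appear in
    the combo list, i.e. the accounts to notify and reset."""
    return sorted({e.lower() for e in site_emails if account_exposed(index, e)})


if __name__ == "__main__":
    idx = build_index(SAMPLE_COMBO_LIST)
    print(len(idx.accounts), "accounts indexed")
    print(exposed_accounts(idx, ["dave@example.com", "Eve@example.com", "zed@example.com"]))
```

The matching is case-insensitive on the email but exact on the password, because that is how the stuffing tool will try it. A real index of hundreds of millions of rows would live in a database or a bloom filter rather than a Python set, but the three checks (account, pair, password) are the same.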

That last point is the impetus for this post because we have situations like this:

[Image: Anti Public listing]

There are a few things going on here and it’s just one example of what I want to illustrate in this post. Let’s start with a translation courtesy of a helpful Twitter follower:

[Image: Anti Public translation]

This is the “Anti Public” tool and it’s used for verifying the legitimacy of hacked credentials. I got some support from Twitter followers who explained the process as follows:

So imagine this for a moment if you’re responsible for running a site similar to this: you get a sudden influx of login requests that match the precise pattern of a legitimate request because they’ve literally been cloned from one. Valid user agents, valid referrers, a whole range of IP addresses and bunch of them actually have legit credentials too because of the reuse problem. There are countermeasures, but you can see the challenge in defending against an attack like this and you can imagine the success rates available to those mounting them.
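Because each request in the scenario above is cloned from a legitimate one, per-request checks (user agent, referrer, even per-IP rate limits) see nothing wrong. What does stand out is the aggregate: a burst of attempts against many distinct accounts, spread over many source addresses, with a failure rate far above normal. The following is an added example of that aggregate detection, not code from the post. The pipe-delimited login audit lines are constructed (a quiet baseline minute, then a burst of twelve attempts from six addresses sharing one cloned user agent), and the bucket size and thresholds are assumptions to tune against real traffic.

```python
from collections import defaultdict
from datetime import datetime

# Constructed login audit records: timestamp|source ip|user agent|account|outcome.
# The 10:00 burst imitates the pattern in the post: normal-looking requests,
# many different accounts, a few successes because of password reuse.
SAMPLE_LOGIN_LOG = """\
2017-05-05T09:58:05|198.51.100.7|Mozilla/5.0 (Windows NT 10.0) Chrome/58|alice@example.com|ok
2017-05-05T09:58:40|198.51.100.9|Mozilla/5.0 (Macintosh) Safari/602|bob@example.com|fail
2017-05-05T09:58:52|198.51.100.9|Mozilla/5.0 (Macintosh) Safari/602|bob@example.com|ok
2017-05-05T10:00:01|203.0.113.10|Mozilla/5.0 (Windows NT 10.0) Chrome/58|u01@example.com|fail
2017-05-05T10:00:02|203.0.113.11|Mozilla/5.0 (Windows NT 10.0) Chrome/58|u02@example.com|fail
2017-05-05T10:00:03|203.0.113.12|Mozilla/5.0 (Windows NT 10.0) Chrome/58|u03@example.com|ok
2017-05-05T10:00:04|203.0.113.13|Mozilla/5.0 (Windows NT 10.0) Chrome/58|u04@example.com|fail
2017-05-05T10:00:05|203.0.113.14|Mozilla/5.0 (Windows NT 10.0) Chrome/58|u05@example.com|fail
2017-05-05T10:00:06|203.0.113.15|Mozilla/5.0 (Windows NT 10.0) Chrome/58|u06@example.com|fail
2017-05-05T10:00:07|203.0.113.10|Mozilla/5.0 (Windows NT 10.0) Chrome/58|u07@example.com|ok
2017-05-05T10:00:08|203.0.113.11|Mozilla/5.0 (Windows NT 10.0) Chrome/58|u08@example.com|fail
2017-05-05T10:00:09|203.0.113.12|Mozilla/5.0 (Windows NT 10.0) Chrome/58|u09@example.com|fail
2017-05-05T10:00:10|203.0.113.13|Mozilla/5.0 (Windows NT 10.0) Chrome/58|u10@example.com|fail
2017-05-05T10:00:11|203.0.113.14|Mozilla/5.0 (Windows NT 10.0) Chrome/58|u11@example.com|ok
2017-05-05T10:00:12|203.0.113.15|Mozilla/5.0 (Windows NT 10.0) Chrome/58|u12@example.com|fail
"""


def parse_login_log(text):
    """Turn the constructed audit format into a list of event dicts."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, ip, ua, account, outcome = line.split("|")
        events.append({"ts": datetime.fromisoformat(ts), "ip": ip, "ua": ua,
                       "account": account.lower(), "ok": outcome == "ok"})
    return events


def bucket_start(ts, bucket_minutes):
    """Floor a timestamp to the start of its fixed-size time bucket."""
    return ts.replace(minute=ts.minute - ts.minute % bucket_minutes,
                      second=0, microsecond=0)


def detect_stuffing(events, bucket_minutes=1, min_attempts=10,
                    min_distinct_ratio=0.8, min_fail_rate=0.5):
    """Flag time buckets whose login traffic looks like credential stuffing:
    enough volume, almost every attempt against a different account, and a
    high failure rate. Thresholds are assumed defaults, not measured values."""
    buckets = defaultdict(list)
    for e in events:
        buckets[bucket_start(e["ts"], bucket_minutes)].append(e)

    flagged = []
    for start in sorted(buckets):
        evs = buckets[start]
        attempts = len(evs)
        accounts = {e["account"] for e in evs}
        ips = {e["ip"] for e in evs}
        failures = sum(1 for e in evs if not e["ok"])
        per_ip = defaultdict(int)
        for e in evs:
            per_ip[e["ip"]] += 1
        distinct_ratio = len(accounts) / attempts
        fail_rate = failures / attempts
        if (attempts >= min_attempts and distinct_ratio >= min_distinct_ratio
                and fail_rate >= min_fail_rate):
            flagged.append({
                "bucket": start.isoformat(),
                "attempts": attempts,
                "distinct_accounts": len(accounts),
                "distinct_ips": len(ips),
                # Shows why a per-IP rate limit would not have fired.
                "max_attempts_per_ip": max(per_ip.values()),
                "fail_rate": round(fail_rate, 2),
                # Successful logins inside a flagged burst are the likely
                # hijacks: force a reset or step-up authentication on them.
                "suspect_logins": sorted(e["account"] for e in evs if e["ok"]),
            })
    return flagged


if __name__ == "__main__":
    for alert in detect_stuffing(parse_login_log(SAMPLE_LOGIN_LOG)):
        print(alert)
```

The baseline minute has three attempts and is ignored; the burst minute has twelve attempts across twelve accounts and six addresses, no address making more than two attempts, and a 75% failure rate, so it is flagged and the three accounts that did log in during it are listed for follow-up. The per-IP maximum of two is the point of the example: the signal lives in the bucket-wide shape of the traffic, not in any single request or source.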
