The short version: I’m loading over 1 billion breached accounts into HIBP. These are from 2 different “combo lists”, collections of email addresses and passwords from all sorts of different locations. I’ve verified their accuracy (including my own record in one of them) and many hundreds of millions of the email addresses are not already in HIBP. Because of the nature of the data coming from different places, if you’re in there then treat it as a reminder that your data is out there circulating around and that you need to go and get yourself a password manager and create strong, unique passwords.
There’s a huge amount of hacked data floating around the web. Of course, you know that by now if you’ve been reading here or watching what I’ve been doing with Have I been pwned (HIBP) and up until writing this blog post, there were 2.7 billion examples of that on the site. There’s a lot more there now, but we’ll get back to that in a moment.
So there’s a lot of stuff getting hacked and a lot of credentials floating around the place, but then what? I mean what do evil-minded people do with all those email addresses and passwords? Among other things, they attempt to break into accounts on totally unrelated websites. Here’s a great example: someone grabs the 164 million record LinkedIn data dump that turned up last year and cracks the hashes. They’re SHA1 without a salt so the protection on the passwords is pretty useless. In no time at all you’ve got tens of millions of email address and plain text password pairs. And this is where the real problems begin.
As fallible humans, we reuse passwords. We’ve all done it at one time or another and whilst I hope that by virtue of you being here reading security stuff you’ve got yourself a good password manager, we’ve all got skeletons in our closets (more on mine soon). Most people are just out there YOLO’ing away with the same password or three across all their things. We know that because again, we’ve all done it and hackers know that because that’s their job! As such, they’re going to try and break into as many other accounts as they can using the credentials from a data breach. Which brings us to credential stuffing:
Credential stuffing is the automated injection of breached username/password pairs in order to fraudulently gain access to user accounts. This is a subset of the brute force attack category: large numbers of spilled credentials are automatically entered into websites until they are potentially matched to an existing account, which the attacker can then hijack for their own purposes.
This is a serious threat for a number of reasons:
- It’s enormously effective due to the password reuse problem
- It’s hard for organisations to defend against because a successful “attack” is someone logging on with legitimate credentials
- It’s very easily automatable; you simply need software which will reproduce the logon process against a target website
- There are readily available tools and credential lists that enable anyone to try their hand at credential stuffing
That last point is the impetus for this post because we have situations like this:
There are a few things going on here and it’s just one example of what I want to illustrate in this post. Let’s start with a translation courtesy of a helpful Twitter follower:
This is the “Anti Public” tool and it’s used for verifying the legitimacy of hacked credentials. I got some support from Twitter followers who explained the process as follows:
So imagine this for a moment if you’re responsible for running a site similar to this: you get a sudden influx of login requests that match the precise pattern of a legitimate request because they’ve literally been cloned from one. Valid user agents, valid referrers, a whole range of IP addresses and a bunch of them actually have legit credentials too because of the reuse problem. There are countermeasures, but you can see the challenge in defending against an attack like this and you can imagine the success rates available to those mounting them.
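To make the defender's side of that concrete, here is an added example (not code from the original post) of a heuristic that looks for the aggregate shape of a stuffing run rather than counting attempts per IP: many distinct accounts tried once each, from many addresses, mostly failing but with a few reuse hits. The log format, sample lines and thresholds are all assumptions made up for the example.

```python
from collections import Counter
from datetime import datetime, timedelta
# Constructed sample auth log, "<iso8601> <source-ip> <username> <OK|FAIL>":
# eight accounts tried once each from eight addresses within eight seconds
# (two reused passwords "work"), then a normal user mistyping once and logging in.
SAMPLE_LOG = """\
2017-05-05T10:00:00Z 203.0.113.10 alice@example.com FAIL
2017-05-05T10:00:01Z 203.0.113.11 bob@example.com FAIL
2017-05-05T10:00:02Z 203.0.113.12 carol@example.com OK
2017-05-05T10:00:03Z 203.0.113.13 dave@example.com FAIL
2017-05-05T10:00:04Z 203.0.113.14 erin@example.com FAIL
2017-05-05T10:00:05Z 203.0.113.15 frank@example.com OK
2017-05-05T10:00:06Z 203.0.113.16 grace@example.com FAIL
2017-05-05T10:00:07Z 203.0.113.17 heidi@example.com FAIL
2017-05-05T11:30:00Z 198.51.100.7 mallory@example.com FAIL
2017-05-05T11:30:05Z 198.51.100.7 mallory@example.com OK
"""

def parse_log(text):
    events = []  # (timestamp, ip, user, success) tuples
    for line in text.splitlines():
        ts, ip, user, outcome = line.split()
        ts = datetime.fromisoformat(ts.replace("Z", "+00:00"))
        events.append((ts, ip, user, outcome == "OK"))
    return events

def window_stats(events, start, seconds=60):
    """Aggregate the attempts falling inside [start, start + seconds)."""
    hits = [e for e in events if start <= e[0] < start + timedelta(seconds=seconds)]
    if not hits:
        return None
    per_user = Counter(e[2] for e in hits)
    return {"attempts": len(hits),
            "distinct_ips": len({e[1] for e in hits}),
            "fail_rate": sum(not e[3] for e in hits) / len(hits),
            "single_try_users": sum(c == 1 for c in per_user.values()) / len(per_user)}

def looks_like_stuffing(s, min_attempts=8, min_fail=0.5, min_single=0.8, min_spread=0.5):
    """Brute force hammers one account; stuffing tries many accounts once each from many
    addresses. A per-IP limit sees one attempt per address and never fires."""
    if s is None or s["attempts"] < min_attempts:
        return False
    return (s["fail_rate"] >= min_fail and s["single_try_users"] >= min_single
            and s["distinct_ips"] / s["attempts"] >= min_spread)

def scan(text, seconds=60):
    """ISO timestamps of the minute buckets whose window trips the heuristic."""
    events = parse_log(text)
    starts = sorted({e[0].replace(second=0, microsecond=0) for e in events})
    return [t.isoformat() for t in starts if looks_like_stuffing(window_stats(events, t, seconds))]
```

On the constructed log only the 10:00 burst is flagged; Mallory's two attempts from one address never reach the attempt threshold.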