
February 01, 2019 - John E Dunn - Naked Security.

 

How many user credentials fell into the hands of criminals during a decade of data breaches?

Earlier this month, the Have I Been Pwned? (HIBP) site offered a partial answer to that question by loading something called Collection #1, a database of 773 million unique email addresses discovered circulating on a criminal forum.

Now researchers at the Hasso-Plattner Institute (HPI) in Germany have analyzed a second cache that was part of the same find. This cache consists of four unsurprisingly named collections, Collections #2-5, which they believe contain a total of 2.2 billion unique pairs of email addresses and passwords.

Collection #1 consists of 87GB of data compiled from over 2,000 individual data breaches dating back years.

Collections #2-5, for comparison, are said to total 845GB covering 25 billion records.

It's a dizzying amount of data, which, despite the hundreds of millions or more people it must represent, is still small enough to fit on the hard drive of a recent Windows computer.

The obvious measure of these breaches is how much new data they represent, that is, data not already added to databases such as those maintained by HIBP or HPI.

Have I Been Pwned? estimates Collection #1's unique data at about 140 million email addresses and at least 11 million unique passwords.

HPI, meanwhile, estimates the number of new credentials at 750 million (it is still unclear how many new passwords this includes).

 

The reuse flood

When faced with such numbers, it is tempting to shrug and move on: most of these data breaches are old, so what harm could they be doing right now?

Initially, breached credentials are likely to be traded so that attackers can access accounts on the service from which they were stolen.

After that, they are quickly repurposed to fuel the epidemic of credential stuffing attacks. Credential stuffing thrives on our habit of reusing passwords: credentials for one service usually give criminals access to other sites as well.

Remember that while plaintext passwords are what criminals prize most, usernames and email addresses are also valuable because they give attackers something to aim at when attempting a brute force attack.

But perhaps the real significance is not the volume of data so much as what it shows about how criminals are able to build large databases from many smaller breaches.

That's where all the stolen credentials end up: in larger databases where they can be more easily exploited.

Why do Collections #1-5 only appear now?

Either because the data has already been exploited and is now so old that it no longer has much commercial value (Collection #1 was offered for sale for US$45), or because so many criminals have access to it that it has effectively become an open-source resource.

 

What to do?

You can check your email address and password against HIBP, although the site does not appear to have loaded Collections #2-5 yet. You can also check your email address against HPI's data.
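As an added illustration (not part of the original article), here is the shape of the HIBP Pwned Passwords check in code: the client hashes the password with SHA-1, sends only the first five hex characters of the digest to the range service, and matches the remaining suffix locally, so the full hash never leaves the device. The server side is simulated with a constructed corpus and made-up counts so the example runs offline; the protocol shape is HIBP's k-anonymity model, the data is not.

```python
import hashlib
from typing import Callable, Dict, List

# Constructed stand-in for a breach corpus: password -> times seen.
# These counts are invented for this example, not HIBP's real figures.
CONSTRUCTED_CORPUS: Dict[str, int] = {
    "password": 3_000_000,
    "123456": 22_000_000,
    "letmein": 250_000,
    "qwerty": 3_900_000,
}


def sha1_hex(password: str) -> str:
    """Uppercase hex SHA-1, the form the Pwned Passwords range API uses."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest().upper()


def serve_range(prefix: str) -> str:
    """Simulated range service: return 'SUFFIX:COUNT' lines for every corpus
    hash whose first 5 hex characters equal the prefix (real response format)."""
    if len(prefix) != 5:
        raise ValueError("range queries take exactly 5 hex characters")
    lines: List[str] = []
    for pw, count in CONSTRUCTED_CORPUS.items():
        digest = sha1_hex(pw)
        if digest.startswith(prefix):
            lines.append(f"{digest[5:]}:{count}")
    return "\r\n".join(sorted(lines))


def pwned_count(password: str, fetch: Callable[[str], str] = serve_range) -> int:
    """Client side of the k-anonymity check. Only `prefix` is sent; the
    suffix comparison happens here, so the service never learns the hash."""
    digest = sha1_hex(password)
    prefix, suffix = digest[:5], digest[5:]
    for line in fetch(prefix).splitlines():
        line = line.strip()
        if not line:
            continue  # tolerate blank lines in the response
        candidate, _, count = line.partition(":")
        if candidate.upper() == suffix:
            return int(count)  # 0 means not found (or a padding entry)
    return 0


if __name__ == "__main__":
    for pw in ("password", "letmein", "a long unique passphrase 4 this demo"):
        print(f"{pw!r}: seen {pwned_count(pw)} times in the constructed corpus")
```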

No organization is immune to the possibility of a breach. This is why individuals need to do more to protect themselves rather than trust others to do it for them.

Start with simple principles:

  • Use a password manager, not only to store passwords, but to choose strong passwords in the first place.
  • These must be unique: use a different random password for each site.
  • When possible, enable two-factor authentication (2FA). Some 2FA methods are better than others, but any version is much better than nothing.
  • If you think you may have reused any credentials in the past, change them as soon as possible.

 

 

About [SAFEWAY]

[SAFEWAY] is a company widely recognized as a provider of premium information security and cybersecurity solutions. From its extensive portfolio, we highlight several solutions, including those based on the following platforms:

  • Archer from RSA Security, considered by the Gartner and Forrester institutes and by the market itself to be the most complete process integration solution for Governance, Risk Management, Compliance and Business Continuity Management;
  • [SAFEWAY] Security Tower, supported by IBM QRadar (Watson technology), tailored to each organization's security and cyber defense management needs;
  • And others, involving technologies from Imperva, Thales, BeyondTrust and WatchGuard Technologies.