Credentials! Get yer Stolen Login Credentials! Billion for a Pound!


Actually that headline is a little misleading

In fact, the initial offer was 917 million records for 50 Russian Roubles, which is about 52 UK Pence / 75 US Cents. But, as highly ethical researchers at Hold Security have a policy to never contribute financially to a hacker’s cause, simply providing the hacker with a few social media “likes” and “upvotes” (for which he was happy to give up his anonymity) was enough to secure the whole trove for free. Not only that, but when it emerged mere days later that the same hacker was now looking to flog 1.17 billion records, they convinced him to hand over the rest too.

A game of numbers

We can enjoy sensationalising figures like these, but usually when you ask a few “simple” (to ask, not so simple to answer) questions, you get down to the less sensational truth.

For example, in the case of the original 917 million records:

  • Data consistency checks (i.e. confirmation that the data was actually consistent with username and password pairs) – Pass
  • Domain distribution checks (i.e. confirmation that “western domains, major email providers, and corporate domains” were present in significant proportions) – Pass
  • Duplication checks – Fail. We are told that “of 80 million credentials starting with the letter “a” only 19 million unique credential pairs are found”. It is common to see duplicates in data collated from multiple sources, since people are known to (inadvisably) reuse credentials on multiple sites; however, “nearly a 75% overlap is substantial”.
  • Freshness checks (i.e. are these credentials new, or is this just a bundle of previously released data that’s been reported, and hopefully changed, already) – Fail. In this case just 0.45%, less than 1 in 200, had not been seen before by the research team.

So of 917 million records, just 4 million needed “processing” by the team.
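
The four checks above can be run over any recovered dump before deciding how much of it needs handling. The following is an added example, not Hold Security's tooling or code from the original post; it assumes `email:password` lines, a constructed sample, and a hypothetical store of SHA-256 fingerprints of previously seen pairs.

```python
import hashlib
from collections import Counter

# Constructed sample lines (not real credentials), in "email:password" form.
SAMPLE_DUMP = [
    "alice@example.com:Summer2016",
    "alice@example.com:Summer2016",      # exact duplicate
    "ALICE@example.com:Summer2016",      # same pair, different case in address
    "bob@example.org:hunter2",
    "carol@corp.example:Tr0ub4dor",
    "not a credential line",             # fails the consistency check
    "dave@example.com:",                 # empty password, also fails
]

def fingerprint(email, password):
    """Hash a pair so the 'already seen' store never holds plaintext."""
    return hashlib.sha256(f"{email}\x00{password}".encode()).hexdigest()

def parse(line):
    """Consistency check: return (email, password) or None."""
    email, sep, password = line.strip().partition(":")
    local, at, domain = email.partition("@")
    if not (sep and password and at and local and "." in domain):
        return None
    return email.lower(), password  # assumption: addresses compared case-insensitively

def triage(lines, seen_before):
    pairs = [p for p in map(parse, lines) if p]
    unique = set(pairs)
    fresh = {p for p in unique if fingerprint(*p) not in seen_before}
    return {
        "total": len(lines),
        "well_formed": len(pairs),
        "unique": len(unique),
        "duplicate_rate": 1 - len(unique) / len(pairs) if pairs else 0.0,
        "fresh": len(fresh),
        "fresh_rate": len(fresh) / len(unique) if unique else 0.0,
        "domains": Counter(e.split("@")[1] for e, _ in unique),
    }

# Assumed store of fingerprints from earlier dumps (here: one known pair).
SEEN = {fingerprint("bob@example.org", "hunter2")}

if __name__ == "__main__":
    for key, value in triage(SAMPLE_DUMP, SEEN).items():
        print(f"{key}: {value}")
```

The `fresh` count is the figure that corresponds to the records that "needed processing" in the article, and `duplicate_rate` corresponds to the overlap quoted in the duplication check.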

Not so scary? Think again.

Remember how just days later there were 1.17 billion credentials? The new data increased the number of unique credentials to 272 million, and 42.5 million of those the team had not seen before.

That’s an increase of 1,062% in a matter of days, in a figure that you could reasonably say is a gauge of how dangerous this hacker’s data is.

The statistic they ignored

Something that occurs to me when discussing how they weed out non-unique data, is the relevance of that data.

You see, credentials are valuable, and dangerous, not only because they might allow criminals access to the one account that they were compromised from, but because the common practice of credential reuse means that trying those username and password pairs against other common accounts may well yield further opportunities for all manner of malicious activity.

Now if I were a cybercriminal, and I knew that of all these 1.17 billion credentials a certain set of them were already known to have been used on multiple sites, that would scream “prioritise trying these in every site you can think of”. I would think it would make them more valuable too.

Too many passwords to remember?

We are required to register in order to access all sorts of sites. In fact, any given person likely has hundreds of accounts to their name, not just the big “high impact” ones like email, bank, PayPal, Facebook, etc.

And you might think that reusing a password from your ancient inactive profile on some obscure forum for some obscure hobby that you thought about taking up once for a brief moment is really no big deal. But if you use an email and password for your PayPal account, or your email account (where the password reset emails for all your other accounts would go), that could potentially be compromised somewhere else, you seriously need to think again.

Not everybody maintains the same security standards as the big players; in fact, a huge number of forums out there are probably storing your passwords unencrypted. If that information gets out, it doesn’t matter how, and turns out to allow cybercriminals access to somewhere more serious, you only have yourself to blame.

The Business Case

Arguably worse than putting your own data security at risk, how do you think your employer would react if it turned out that the entry point for a massive breach that cost the company millions, even billions, could be traced back to your account – and the only defence you have is that you used the same email and password as you did for a corporate account?

If there’s one thing we should not use economically, it’s passwords

Passwords are one of very few things with no environmental cost to having bigger, better, and more of them. But there are certainly risks if you don’t.

2-sec is a leading provider of security consulting services. These include penetration testing, PCI DSS, Cyber Essentials, PA DSS, virtual CISO and training & awareness.
