For infosec pros, news that a security researcher has discovered a massive cache of usernames and passwords – over 1.6 billion unique combinations — is both stunning and old news.
Old news in that it’s no secret that criminals and nation-state hackers have been assembling lists of stolen credentials for years. This might be one series of files that merely combines them all into one.
Stunning in that it’s a single resource that someone or some group has been using to aid their work, particularly credential stuffing attacks. This involves automated attempts at logging into a site using a long list of stolen credentials. Attackers could also cross-reference the credentials with other stolen or public information to leverage the credentials for phishing and blackmail.
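The pattern described above, one source trying a long list of stolen username/password pairs, leaves a recognisable footprint in authentication logs: one IP address, many distinct accounts, almost all of them failing, in a short window. The following detector is an added example (not code from the article or from any of the people quoted in it); the log format, the sample lines and the thresholds are constructed for illustration and would need to be adapted to a real server's log layout.

```python
"""Detect credential-stuffing sources in authentication logs (added example)."""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed log format (an assumption, not any real mail server's format):
# <ISO-8601 UTC timestamp> user=<login> ip=<source address> result=<OK|FAIL>
LOG_RE = re.compile(
    r"^(?P<ts>\S+) user=(?P<user>\S+) ip=(?P<ip>\S+) result=(?P<result>OK|FAIL)$"
)

# Constructed sample: one legitimate user, one user who mistyped a password
# twice, and one source (198.51.100.7) walking through a list of accounts.
SAMPLE_LOG = """\
2019-01-17T08:00:01Z user=alice ip=203.0.113.5 result=OK
2019-01-17T08:00:40Z user=bob ip=203.0.113.9 result=FAIL
2019-01-17T08:00:52Z user=bob ip=203.0.113.9 result=FAIL
2019-01-17T08:01:05Z user=bob ip=203.0.113.9 result=OK
2019-01-17T08:02:00Z user=alice ip=198.51.100.7 result=FAIL
2019-01-17T08:02:01Z user=bob ip=198.51.100.7 result=FAIL
2019-01-17T08:02:02Z user=carol ip=198.51.100.7 result=FAIL
2019-01-17T08:02:03Z user=dave ip=198.51.100.7 result=FAIL
2019-01-17T08:02:04Z user=erin ip=198.51.100.7 result=OK
2019-01-17T08:02:05Z user=frank ip=198.51.100.7 result=FAIL
2019-01-17T08:02:06Z user=grace ip=198.51.100.7 result=FAIL
2019-01-17T08:02:07Z user=heidi ip=198.51.100.7 result=FAIL
""".splitlines()


def parse_line(line):
    """Parse one log line into a dict, or return None for lines that do not match."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    return {
        "ts": datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ"),
        "user": m["user"],
        "ip": m["ip"],
        "ok": m["result"] == "OK",
    }


def find_stuffing_sources(lines, window=timedelta(minutes=10),
                          min_users=5, min_fail_ratio=0.8):
    """Return {ip: stats} for every source IP that, within any sliding window,
    attempted at least `min_users` distinct accounts with a failure ratio of at
    least `min_fail_ratio`. `compromised` lists accounts the source logged into
    successfully: those credentials are confirmed valid and need resetting."""
    by_ip = defaultdict(list)
    for line in lines:
        ev = parse_line(line)
        if ev:
            by_ip[ev["ip"]].append(ev)

    flagged = {}
    for ip, events in by_ip.items():
        events.sort(key=lambda e: e["ts"])
        start = 0
        for end in range(len(events)):
            # Slide the window start forward until it fits inside `window`.
            while events[end]["ts"] - events[start]["ts"] > window:
                start += 1
            win = events[start:end + 1]
            users = {e["user"] for e in win}
            fails = sum(1 for e in win if not e["ok"])
            if len(users) >= min_users and fails / len(win) >= min_fail_ratio:
                # Report statistics over everything this source did, not just the window.
                total_fails = sum(1 for e in events if not e["ok"])
                flagged[ip] = {
                    "distinct_users": len({e["user"] for e in events}),
                    "attempts": len(events),
                    "failure_ratio": total_fails / len(events),
                    "compromised": sorted(e["user"] for e in events if e["ok"]),
                }
                break
    return flagged


if __name__ == "__main__":
    for ip, stats in find_stuffing_sources(SAMPLE_LOG).items():
        print(ip, stats)
```

The per-account retry from 203.0.113.9 is not flagged because it touches a single account; the distinct-account count is what separates stuffing from an ordinary forgotten password. In practice the window and thresholds should be tuned against a baseline of normal traffic, and successful logins from a flagged source are the events to act on first.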
According to a blog by Troy Hunt, who revealed the existence of the folder dubbed “Collection #1,” it’s made up of many different individual data breaches from thousands of different sources. It’s not a file of a recent breach: He thinks the most recent dates back to 2015 — which, of course, could still be serious if the victims haven’t changed their passwords in three years.
“Whilst there are many legitimate breaches that I recognize in that list, that’s the extent of my verification efforts and it’s entirely possible that some of them refer to services that haven’t actually been involved in a data breach at all,” he writes.
Separating the junk/repetitions in the file, Hunt figures there are over 21,222,000 unique passwords in the file and 772,904,991 unique email addresses.
One of Hunt’s contacts pointed him to a popular hacking forum where the data was being “socialized.” One folder, named “Collection #1,” had over 12,000 separate files and more than 87GB of data.
The collection has been removed from the site where Hunt found it, but that doesn’t mean there aren’t copies.
“It’s interesting from an analytics perspective, because there’s all kinds of analysis you could do about how people use passwords over time. But it’s likely not anything we didn’t already know was already lost,” said Forrester Research analyst Josh Zelonis. But, he added, “it serves as a fantastic example of how much data we’ve lost to the underground.”
If you’re not worried, think about this: Security reporter Brian Krebs says he found the person peddling this cache — or at least a copy of it — whose website lists five other “Collections” for sale, one of which is 526 GB (or about six times as big as Collection #1).
This person is asking US$45 for Collection #1. He also told Krebs he has fresher data for sale.
A security company official told Krebs that 99 per cent of the data in Collection #1 has already been seen. “It was popularized several years ago by Russian hackers on various Dark Web forums,” he told Krebs. “Because the data is gathered from a number of breaches, typically older data, it does not present a direct danger to the general user community. Its sheer volume is impressive, yet, by account of many hackers the data is not greatly useful.”
Experts say Hunt’s revelation is another example of why organizations have to take more care with protecting the credentials of employees and customers they store, as well as toughen identity and access management.
This aggregation of compromised emails and passwords is a great reminder to CISOs to do a few things, said David Senf, a cyber security consultant and founder of Toronto-based Cyverity:
- First and foremost, make sure two-factor authentication is used wherever it can be. Pretty much every cloud service provides the option. For larger organizations, their employees and customers likely have a multitude of services they will need to sign into. In that case, use solutions such as Okta, Duo (owned by Cisco) or Centrify to provide 2FA across services in a single sign-on scenario.
- Next, get an enterprise license to LastPass or other password management tool. Most of them can automatically change passwords after a given amount of time.
- Assume that some users’ email accounts at your organization have been compromised. If you run your own email server, and you keep logs, you could verify the location of authentication via the IP address. You could also use Troy’s Have I Been Pwned? online service to check against his database of compromised email addresses and passwords. Depending on the number of addresses, you may want to write a batch script, as it’s a single-entry lookup.
- If users have been compromised and attackers have been reading their emails, you’ll need to assess next steps based on the sensitivity and staleness of exposed company secrets.
- Ensure these same credentials haven’t been used to enter other company systems.
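The Have I Been Pwned lookup mentioned above can be scripted for the password half of the service without ever sending a password, or even its full hash, off the machine: the Pwned Passwords range API takes the first five hex characters of a SHA-1 and returns every suffix in the corpus that shares them, so the match happens locally. The following client is an added example, not code from the article or from Troy Hunt; the endpoint URL is the real one, while the response text used in the test is constructed rather than captured from the service.

```python
"""k-anonymity check of passwords against the Pwned Passwords range API (added example)."""
import getpass
import hashlib
import urllib.request

# Real endpoint of the Pwned Passwords range API; the caller appends a 5-hex-char prefix.
RANGE_URL = "https://api.pwnedpasswords.com/range/"


def fetch_range(prefix):
    """Fetch the 'SUFFIX:COUNT' lines for one SHA-1 prefix (network call)."""
    req = urllib.request.Request(
        RANGE_URL + prefix, headers={"User-Agent": "pwned-check-example"}
    )
    with urllib.request.urlopen(req, timeout=10) as resp:
        return resp.read().decode("utf-8")


def parse_range(body):
    """Turn 'SUFFIX:COUNT' lines into {SUFFIX: count}, skipping malformed lines."""
    out = {}
    for line in body.splitlines():
        line = line.strip()
        if not line or ":" not in line:
            continue
        suffix, count = line.split(":", 1)
        try:
            out[suffix.upper()] = int(count)
        except ValueError:
            continue
    return out


def pwned_count(password, fetch=fetch_range):
    """Return how many times `password` appears in the corpus (0 if unseen).
    Only the first 5 hex characters of its SHA-1 are sent; `fetch` is injectable
    so the logic can be exercised offline against a constructed response."""
    digest = hashlib.sha1(password.encode("utf-8")).hexdigest().upper()
    prefix, suffix = digest[:5], digest[5:]
    return parse_range(fetch(prefix)).get(suffix, 0)


def batch_check(passwords, fetch=fetch_range):
    """Check many candidates, fetching each prefix range only once."""
    cache = {}
    results = {}
    for pw in passwords:
        digest = hashlib.sha1(pw.encode("utf-8")).hexdigest().upper()
        prefix, suffix = digest[:5], digest[5:]
        if prefix not in cache:
            cache[prefix] = parse_range(fetch(prefix))
        results[pw] = cache[prefix].get(suffix, 0)
    return results


if __name__ == "__main__":
    # getpass keeps the password out of shell history and process listings.
    n = pwned_count(getpass.getpass("Password to check: "))
    print("seen %d time(s) in known breaches" % n if n else "not found in the corpus")
```

A non-zero count is grounds to reject the password at enrolment or force a reset, whatever its apparent strength; the count itself is only a rough popularity signal. Because the service returns hundreds of suffixes per prefix, it learns nothing about which one the caller was interested in, which is what makes this safe to run against live credentials.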
Cyber attackers long ago discovered that the easiest way to gain access to sensitive data is by compromising an end user’s identity and credentials, said Andy Smith, VP of product marketing at Centrify. He noted a Forrester Research study found that 80 per cent of data breaches involve the use of privileged account access. Companies should adopt what has been called a Zero Trust strategy, which simply states no one is to be trusted on the corporate network. Multi-factor authentication and behavioural analytics are some of the techniques used.
“Zero Trust Privilege helps enterprises grant least privilege access based on verifying who is requesting access, the context of the request, and the risk of the access environment,” he said.
Russell Haworth, CEO of Nominet, a U.K. security specialist, said in an email that whenever these massive breaches occur, it’s important to acknowledge that there’s rarely an easy solution; even the most reliable defenses can occasionally be penetrated. “The goal is not simply to block attacks with an isolated set of tools but instead to accelerate response times, offer intelligence for post-breach forensics, and cut costs. That can be best achieved with a comprehensive threat monitoring and detection, prevention and analytics strategy and implementation that can analyze billions of data packets in real time to pinpoint malicious activity instantly and take remedial measures.”
“Judging from the sheer volume of data we’re looking at here, it’s clear that multiple breaches must have occurred. What I’d like to know is if any of the organizations that were hit, or the affected users, even know that a breach took place.”
There are two ways to look at this, said Felix Rosbach, product manager at comforte AG: From a personal perspective and from a business perspective. As a private individual, sometimes there’s no way to be sure that the services we use are protected by an adequate amount of security. The best way to protect yourself is to use different passwords for all your online accounts and change them regularly. Otherwise, if one is compromised, then you can assume they’ve all been compromised.
From a business perspective, the reality is that it’s just not possible to be 100 per cent secure, he added. With an ever-growing attack surface, classic network protection is not the best way forward. Sometimes you won’t even notice you’ve been breached. In the end, Rosbach said, the most important thing to do is to protect your customers’ data. With modern solutions such as format-preserving encryption or tokenization you can render personal information, including email addresses and IDs, useless to hackers.