Shane Chambers

It’s a scary time to be an internet user, with three huge troves of user data recently discovered exposed online, opening users up to phishing emails, spam and even credential stuffing attacks.

Cyber criminals use ‘credential stuffing’ to gain unauthorised access to websites that were never breached, using previously hacked passwords

The decade is about to close, but it seems 2019 has a few more data scares in store for us. On December 4th, security researcher Bob Diachenko discovered an unsecured database containing 2.7 billion email addresses, with accompanying passwords in plain-text for more than 1 billion of them.

Diachenko notified the hosting provider of the database, and access was disabled a few days later; however, cyber criminals had been left more than enough time to access and record the data for their own nefarious purposes.

The incident has been dubbed “The Big Asian Leak” since its discovery, as most of the credentials were harvested from Chinese companies such as NetEase, Sohu, Tencent and Sina. Email addresses found in the database largely came from Asian providers such as 139.com and gfan.com, although some addresses from Gmail and Yahoo were also included.

“Because many Chinese people have difficulty reading English characters, they often use their phone numbers or other numerical identifiers as usernames. Therefore, we can assume many of these email addresses also contain phone numbers,” according to Comparitech privacy advocate Paul Bischoff.

One of the primary concerns on the back of this discovery is that the leaked details could be used for credential stuffing campaigns. As many people share passwords between their personal and work accounts, this could open up unwitting organisations to a data breach.

What is credential stuffing?

Credential stuffing is a common practice in cyber crime where a hacker or cyber criminal obtains a user’s email address and password, and proceeds to try that password against other accounts/services belonging to that individual. The attack relies on the fact that users often reuse the same password across different accounts/services, albeit sometimes with slight variations.

This is a highly effective means of attack, as users may change passwords for services that they are aware have been breached, but may not think to change that password where it is in use on other accounts. Credential stuffing is also commonly used when attempting to commit identity theft against a user.
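The pattern described above is also what makes credential stuffing detectable on the defender’s side: one source cycling through many distinct usernames with few attempts each and a high failure rate, which is the opposite shape to a brute-force attack on a single account. The following is an added example (not code from the original post) that runs that heuristic over a constructed sample of login log lines; the log format, the 5-minute window and the thresholds are assumptions for the demo.

```python
# Added example, not from the original post: a simple credential-stuffing
# detector over login logs. Stuffing looks unlike a brute-force attack on one
# account: a single source tries MANY distinct usernames, each once or twice,
# with a high failure rate. Log format and thresholds are assumptions.
from collections import defaultdict
from datetime import datetime, timedelta
# Constructed sample log lines: timestamp, source IP, username, result.
SAMPLE_LOG = """\
2019-12-04T10:00:01 203.0.113.7 alice FAIL
2019-12-04T10:00:02 203.0.113.7 bob FAIL
2019-12-04T10:00:02 203.0.113.7 carol FAIL
2019-12-04T10:00:03 203.0.113.7 dave OK
2019-12-04T10:00:04 203.0.113.7 erin FAIL
2019-12-04T10:00:05 203.0.113.7 frank FAIL
2019-12-04T10:00:09 198.51.100.2 alice FAIL
2019-12-04T10:00:15 198.51.100.2 alice FAIL
2019-12-04T10:00:20 198.51.100.2 alice OK
2019-12-04T11:30:00 203.0.113.7 grace OK
"""

def parse_log(text):
    """Parse the constructed log format into (time, ip, user, success)."""
    events = []
    for line in text.splitlines():
        ts, ip, user, result = line.split()
        events.append((datetime.fromisoformat(ts), ip, user, result == "OK"))
    return events

def find_stuffing_sources(events, window=timedelta(minutes=5),
                          min_users=5, max_success_rate=0.5):
    """Return {ip: distinct_usernames} for sources whose attempts inside any
    sliding `window` touch >= `min_users` accounts with a low success rate.
    One account retried many times (198.51.100.2 above) is NOT flagged."""
    per_ip = defaultdict(list)
    for ts, ip, user, ok in sorted(events):
        per_ip[ip].append((ts, user, ok))
    flagged = {}
    for ip, attempts in per_ip.items():
        start = 0
        for end in range(len(attempts)):
            # advance the window start until all attempts fit in `window`
            while attempts[end][0] - attempts[start][0] > window:
                start += 1
            chunk = attempts[start:end + 1]
            users = {u for _, u, _ in chunk}
            rate = sum(1 for _, _, ok in chunk if ok) / len(chunk)
            if len(users) >= min_users and rate <= max_success_rate:
                flagged[ip] = max(flagged.get(ip, 0), len(users))
    return flagged
```

On the sample data, `find_stuffing_sources(parse_log(SAMPLE_LOG))` flags only 203.0.113.7, which touched six accounts in five seconds; the repeated failures on a single account from 198.51.100.2 are left to ordinary lockout policy.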

Data from a further 1.2 billion users exposed through two ‘data enrichment’ combo lists

It’s been a busy December for Bob Diachenko, who along with fellow researcher Vinny Troia discovered another open database containing the records of another cool 1 billion users. The server reportedly held over 4 TB of data – all with no password or authentication required to access it.

The data, believed to have been scraped from public-facing sources such as LinkedIn, includes names, email addresses, phone numbers, social media profiles and other data which the users had posted online.

So, while the data was mostly public-facing and taken from LinkedIn and Facebook, it wasn’t scraped directly by cyber criminals. In this case, they didn’t even have to do the hard work, as all of the information was compiled by two data enrichment companies, People Data Labs and Oxy Data.

Data enrichment is nothing new; it is defined as the merging of data from various third-party sources into an existing database of first-party customer information, making it easier to process for various purposes. However, even as the industry tries to keep that data secure, there is nothing stopping its customers from doing what they wish with the data.

In this case, it seems a customer of PDL and Oxy left the data exposed and not the companies themselves, but it serves to highlight a flaw in their operating models that has repeatedly led to this data ending up in the wrong hands – as was the case for Exactis and Apollo just last year.

In addition to credential stuffing, which is worrying enough in its own right, the data exposed in these breaches could also be used for identity fraud or sophisticated, personalised phishing campaigns

What do these breaches mean for companies?

All organisations are vulnerable to credential stuffing, whether they realise it or not. While they can implement password policies, they can’t control what employees do in their personal online lives. One startling find from these data sets was the number of corporate email addresses used to sign up to websites for personal use. As most people struggle to remember multiple passwords and don’t use password managers, they end up recycling passwords between their various online services, and indeed between work accounts and personal accounts.

Frequent data breaches and the widespread availability of automated tools to take advantage of the compromised information have greatly increased the efficiency of credential stuffing attacks, according to Sumit Agarwal, COO of Shape Security and former US Deputy Assistant Secretary of Defense.

“The most remarkable aspect of credential stuffing is that a given business does not have to be breached itself to suffer from credential stuffing,” Agarwal said. “The vulnerability is simply having a login form and having users.”

In addition to ensuring a strong password policy is in place, organisations are also advised to ensure that employees are not using passwords that were previously breached and exposed online (this breached password tool can be used on an Active Directory server to check for just that, for free).
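A check like that need not expose the password being tested. The following is an added example (not code from the original post, nor from the tool linked above) of the k-anonymity range lookup that Have I Been Pwned’s Pwned Passwords API uses: only the first five hex characters of the password’s SHA-1 hash are sent, the service returns every stored hash suffix under that prefix, and the match is finished locally. The breach corpus and counts here are constructed and held in memory so the example runs offline.

```python
# Added example, not from the original post or the tool it links to: test a
# password against a breach corpus WITHOUT sending the password itself, using
# the k-anonymity range lookup that Have I Been Pwned's Pwned Passwords API
# uses. Only the first 5 hex chars of the SHA-1 hash leave the client; the
# server answers with every stored suffix under that prefix and the client
# finishes the match locally. The "server" below is a constructed in-memory
# table so the example runs offline; the passwords and counts are invented.
import hashlib

def sha1_hex(password):
    return hashlib.sha1(password.encode("utf-8")).hexdigest().upper()

# Constructed corpus: password -> number of times seen in breaches.
_CORPUS = {"password": 1200000, "123456": 9800000, "Winter2019!": 3}
_BY_PREFIX = {}
for _pw, _count in _CORPUS.items():
    _h = sha1_hex(_pw)
    _BY_PREFIX.setdefault(_h[:5], []).append(f"{_h[5:]}:{_count}")

def fake_range_lookup(prefix):
    """Stand-in for the range endpoint: given a 5-char hash prefix, return
    'SUFFIX:COUNT' lines for every stored hash with that prefix."""
    if len(prefix) != 5:
        raise ValueError("range lookups take exactly 5 hex characters")
    return "\r\n".join(_BY_PREFIX.get(prefix.upper(), []))

def breach_count(password, lookup=fake_range_lookup):
    """How many times `password` appears in the corpus (0 = not found).
    The full hash and the password never reach `lookup`."""
    digest = sha1_hex(password)
    prefix, suffix = digest[:5], digest[5:]
    for line in lookup(prefix).splitlines():
        found_suffix, _, count = line.partition(":")
        if found_suffix == suffix:
            return int(count)
    return 0

def is_breached(password):
    return breach_count(password) > 0

if __name__ == "__main__":
    for pw in ("Winter2019!", "correct horse battery staple"):
        print(pw, "->", breach_count(pw))
```

Swapping `fake_range_lookup` for a function that fetches the real range endpoint over HTTPS turns this into a live check, and the same property holds: the service only ever sees a five-character prefix shared by hundreds of unrelated hashes.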

Other measures that can be taken to reduce risk include setting up employees with password managers so that they don’t have to remember all their passwords and can set unique, complex passwords for each service. Two-factor authentication is also a strong move to secure your accounts against unauthorised access, as it means a hacked password alone won’t lead to a breach. The extra time it takes an employee to enter a code texted to their phone or generated from an app is a small price to pay to ensure they are the only one logging in to access that sensitive company data.

Of course we would also be remiss if we did not mention security awareness training as an important part of the fight against cyber crime, by ensuring staff know how to reduce their risk and understand why they need to be careful online.

There is no silver bullet in cyber security in 2019 and, as we enter the ’20s, we can only expect the field to become even more hazardous, so a layered approach is essential to making sure that your organisation keeps its data safe and doesn’t end up being the next big data breach headline.