July 29, 2021

Every time there is another data breach, we are asked to change our password at the breached entity. But the reality is that in most cases by the time the victim organization discloses an incident publicly the information has already been harvested many times over by profit-seeking cybercriminals. Here’s a closer look at what typically transpires in the weeks or months before an organization notifies its users about a breached database.

Our continued reliance on passwords for authentication has contributed to one toxic data spill or hack after another. One might even say passwords are the fossil fuels powering most IT modernization: They’re ubiquitous because they are cheap and easy to use, but that means they also come with significant trade-offs — such as polluting the Internet with weaponized data when they’re leaked or stolen en masse.

When a website’s user database gets compromised, that information invariably turns up on hacker forums. There, denizens with computer rigs that are built primarily for mining virtual currencies can set to work using those systems to crack passwords.

How successful this password cracking is depends a great deal on the length of one’s password and the type of password hashing algorithm the victim website uses to obfuscate user passwords. But a decent crypto-mining rig can quickly crack a majority of password hashes generated with MD5 (one of the weaker and more commonly-used password hashing algorithms).

“You hand that over to a person who used to mine Ethereum or Bitcoin, and if they have a large enough dictionary [of pre-computed hashes] then you can essentially break 60-70 percent of the hashed passwords in a day or two,” said Fabian Wosar, chief technology officer at security firm Emsisoft.

From there, the list of email addresses and corresponding cracked passwords will be run through various automated tools that can check how many email address and password pairs in a given leaked data set also work at other popular websites (and heaven help those who’ve re-used their email password elsewhere).

This sifting of databases for low-hanging fruit and password re-use most often yields less than a one percent success rate — and usually far less than one percent.

But even a hit rate below one percent can be a profitable haul for fraudsters, particularly when they’re password testing databases with millions of users. From there, the credentials are eventually used for fraud and resold in bulk to legally murky online services that index and resell access to breached data.

Much like WeLeakInfo and others operated before being shut down by law enforcement agencies, these services sell access to anyone who wants to search through billions of stolen credentials by email address, username, password, Internet address, and a variety of other typical database fields.

TARGETED PHISHING

So hopefully by this point it should be clear why re-using passwords is generally a bad idea. But the more insidious threat with hacked databases comes not from password re-use but from targeted phishing activity in the early days of a breach, when relatively few ne’er-do-wells have got their hands on a hot new hacked database.

Earlier this month, customers of the soccer jersey retailer classicfootballshirts.co.uk started receiving emails with a “cash back” offer. The messages addressed customers by name and referenced past order numbers and payment amounts tied to each account. The emails encouraged recipients to click a link to accept the cash back offer, and the link went to a look-alike domain that requested bank information.

The targeted phishing message that went out to classicfootballshirts.co.uk customers this month.

“It soon became clear that customer data relating to historic orders had been compromised to conduct this attack,” Classicfootballshirts said in a statement about the incident.

Allison Nixon, chief research officer with New York City-based cyber intelligence firm Unit221B, recalled what happened in the weeks leading up to Dec. 22, 2020, when cryptocurrency wallet company Ledger acknowledged that someone had released the names, mailing addresses and phone numbers for 272,000 customers.

Nixon said she and her colleagues noticed in the preceding months a huge uptick in SIM-swapping attacks, a scheme in which fraudsters trick or bribe employees at wireless phone companies into redirecting the target’s text messages and phone calls to a device they control. From there, the attackers can reset the password for any online account that allows password resets via SMS.

“A week or two prior to that we were seeing a whole lot of SIM swapping activity,” Nixon said. “We knew the information was coming from some database but we couldn’t figure out what service they all had in common. After the Ledger database got leaked publicly, we started looking at the [SIM swapping] victims and found 100 percent of them were present in the Ledger database.”

In a statement about the breach, Ledger said the data was likely stolen in June 2020, meaning hackers had roughly six months to launch targeted attacks using extremely detailed information about customers.

“If you were to look [on cybercrime forums] at the past history of people posting about that Ledger database, you’d see people were selling it privately for months prior to that,” Nixon said. “It seems like this database was slowly percolating out wider and wider, until someone decided to remove a lot of its value by posting the whole thing publicly.”

Here are some tips to help avoid falling prey to incessant data breaches and increasingly sophisticated phishing schemes:

Avoid clicking on links and attachments in email, even in messages that appear to be sent from someone you have heard from previously. And as the phishing examples above demonstrate, many of today’s phishing scams use elements from hacked databases to make their lures more convincing.

Urgency should be a giant red flag. Most phishing scams invoke a temporal element that warns of negative consequences should you fail to respond or act quickly. Take a deep breath. If you’re unsure whether the message is legitimate, visit the site or service in question manually (ideally, using a browser bookmark so as to avoid potential typosquatting sites).

Don’t re-use passwords. If you’re the kind of person who likes to use the same password across multiple sites, then you definitely need to be using a password manager. That’s because password managers handle the tedious task of creating and remembering unique, complex passwords on your behalf; all you need to do is remember a single, strong master password or passphrase. In essence, you effectively get to use the same password across all Web sites. Some of the more popular password managers include DashlaneKeepassLastPass and Roboform.

–Phone-based phishing uses hacked databases, too: A great many scams are perpetrated over the phone, leveraging personal and financial information gleaned from past data breaches to make them sound more believable. If you think you’d never fall for someone trying to scam you over the phone, check out this story about how a tech-savvy professional got taken for thousands of dollars by a fraudster masquerading as his credit union. Remember, When in Doubt: Hang Up, Look Up, & Call Back.


55 thoughts on “The Life Cycle of a Breached Database

  1. Justin Power Ranger

    A few days ago I deleted an email from my bank. It was inviting me by name (and the last 4 digits of my checking account number) to download their app. Well I’ve been using some form of that app for at least 10 years. So even though the email looked legitimate, it just seemed a bit odd. Don’t you fools know that I am an app user already?

    1. Steve

      I receive emails like that all the time. I suspect the marketing department doesn’t talk to the app development department. In any case, I adhere to Brian’s #1 recommendation: avoid clicking on links and attachments in emails. I violate this if: 1) I know the sender personally; 2) I am expecting the message.

      What a world we live in.

  2. Gannon (J) Dick

    My user name is 3 and my password is the square root of 3 It’s draw-able with a compass and straightedge but a real pain in the neck to type into a WYSIWYG form. User 2 has the same problem with his password and it just gets worse for not-quite-early-enough adopters.

    The problem started when User 1 changed his password for security reasons.

  3. ReadandShare

    As an individual home user, I used to rely on remembering never to click on email links, but of course, still did it mindlessly sometimes. So I set up three different profiles within Firefox: General Browsing, Google Stuff (email, etc.) and Financial Stuff.

    The first is default and just for general browsing. Google (email, etc.) is strictly whitelisted and NoScript restricted. Even accidentally clicking an email link is usually harmless because scripts won’t run unless they’re specifically whitelisted (and Google connected).

    When dealing with finance, medical, paying bills… all the parties are known by definition and are also strictly whitelisted and NoScript restricted as well. Any kind of invoice or whatever email notifications, I follow up here, clicking to bookmarked sites. Since Google isn’t a vendor, it isn’t whitelisted, so no chance of erroneously checking/clicking emails here.

    1. Vince Taylor

      Would love more details on how to accomplish what you do.

      1. ReadandShare

        Set up different browser profiles (3 within Firefox in my case) and maybe 3 shortcuts too for convenience.

        1. General – Set to accept cookies (but block google) – standard browser protections – add Privacy Badger extension to block trackers (optional).

        2. Google – Set to block all cookies then whitelist specific google ones to allow for email and other google services you use. This is my “app” (profile) for email, texts. Add NoScript, which will default to blocking all scripts. Again, whitelist just the google stuff. Now, even if you accidentally click an email link here, nothing horrible should happen. Within this profile, Google can track my activities as much as it wants – it will all just be Google’s own stuff anyway! Of course, if you use something other than Google (e.g. Live) – set up accordingly. Now, got an email with a link from your bank here? Clicking should be harmless (meaning won’t do anything) because of NoScript block and also because of browser’s own cookies block. Just copy link and go to #3 below.

        3. Finance- similar to #2 – set to block all cookies – except this time, google is not whitelisted. Only my banks, insurance, medical and other service providers are whitelisted. Same also with NoScript. I can pay bills, etc. here with the highest level of browser safety – and google can’t track me because it isn’t allowed here. If you don’t mind Google tracking you, then you can actually combine #2 and #3 into just one profile.

      2. Ryan

        Sounds like they are maybe using a “container” extension for Firefox. The containers extension silos your various activities on the web. For example, in one container you can have one Google profile and in another container you can have another and different Google profile. The extension is made by Firefox and only works for Firefox browser. Look up “Firefox Multi-Account Containers.” (Take note I did not list a link ; )

        1. ReadandShare

          For me, as written above, I use different profiles – which allow me to set up different security options (e.g. allow cookies in one profile but deny cookies in another) as well as using different extensions. I don’t believe you have that level of flexibility when using multiple containers within one single profile?

    2. JamminJ

      That’s a very good setup to have.

      I do a much more complicated version using Qubes. Basically, separate virtual machines for each of those 3 domains. Not even malware could cross.
      For phishing protection, your approach works great and can be implemented by anyone.
      Great post.

      1. brian

        I do much the same thing, except I use separate login accounts. Each account is a regular user (no elevated/admin privileges), and none of them have write access to the others’ home directories. A little easier for the average user to set up.

      2. Alan Hodgson

        Qubes is probably the best plan for the truly paranoid.

        Also don’t let your wif^^^ non-technical spouse use online banking.

    3. Eric

      I have a dozen different profiles, keeping facebook separate from whatsapp from banks from google. In addition, I do the vast majority of my web browsing in “private” windows. My email is configured to open links in a “private” browser window (using Thunderbird). When I go to Amazon or eBay or whatever, I use a private window. And I make a habit of closing private windows as soon as I’m done with them.

      Of course, links from facebook, even when opened in a private window, still link back to facebook. There are other limitations. But overall, I feel that building the habit of using private windows will limit (not stop, but limit) some of the tracking.

      1. JamminJ

        private windows do indeed limit tracking, and ensure you don’t stay logged in. But if phishing emails are trying to harvest credentials, they don’t help. In fact, it may be worse that if you were logged into a secure site already, and the phishing site takes you to a spoofed/mimicked site. You might notice that you should still be logged in, and check the url. If you are used to logging in every time, it may trick you.

        That’s why profiles implemented like ReadandShare does are nice, because links from emails, will only open in that profile context.

        Private browsing has its uses. But if you want granular control of cookies and scripts… extensions like NoScript or ublock Origin are great.

      2. Ryan

        JamminJ is right. The takeaway is using “Private” windows is not the solution. Just because someone uses a private window does not mean what they are viewing is private. Not at all. You are rather only making private to anyone who might look at your computer’s website visit history. Using a private window does not prevent websites from tracking your activity or from not setting cookies. It also does nothing to protect you from malware. Most people do not know or want to believe your computer can simply be infected by malware by visiting a website. It does not matter if you visited the site for one second or 100 hours. A visit is a visit = infection. Stop relying on private windows. It is a false crutch.

  4. Greg

    Is there any reason you did not include 1Password in your list of password managers?

    1. BrianKrebs Post author

      Nope. It’s a fairly long list of managers these days. The main thing you have to know is that they can’t help you recover your master password. If otherwise, run away!

      1. JamminJ

        A good password manager can never recover the master password.
        A better password manager has 2FA options
        The best password manager can never recover the master password, nor can they reset the 2FA.

        1. BrianKrebs Post author

          “A good password manager can never recover the master password.”

          On that much we agree. Or was my response poorly worded?

          1. JamminJ

            We agree. I was just expanding.

            A lot of people think 2FA is a panacea but don’t realize that poor implementation could weaken it. Recovery/Reset abilities are convenience features that often make things less secure.

          2. gluetrap

            He just wants to turn your blog into a personal diary of basic concept rehashing.

            1. Nope

              Some people just want to be contrarian trolls who hate anyone who dares add anything to the conversation.
              Some people contribute to the dialog, some just say nuh uh

      2. Jon McAdams

        Why would anyone want to enter all their passwords into any online “password” database? Any online password website/database can potentially be compromised. I keep a small paper address book with obfuscated website names and unique long passphrases with missing key words in a ziplock bag hidden in a location where I can easily access it when needed and also grab it along with some cash and a few credit cards in case of a disaster. I don’t use public WiFi in airports, hospitals, stores, etc. I also don’t reply to any emails, text messages or phone calls from stores, banks, medical providers, surveys, long lost “friends”, or those requesting charitable or political donations. I also track my credit card charges and call the number on the credit card if I see charges I can’t identify. Yes my email addresses have been “scraped” from compromised websites (including some maintained by government agencies) but I change my passphrases frequently, and change a passphrase immediately if I’m notified or hear about a data breach of a website or company I use.

  5. The Sunshine State

    “From there, the list of email addresses and corresponding cracked passwords will be run through various automated tools that can check how many email address and password pairs in a given leaked data set also work at other popular website” A.K.A. Credential Stuffing

  6. Daniel D.Teoli Jr.

    A couple months ago I was trying to buy some obscure recording or movie -can’t remember which. I found a place online I never heard of that said they had a copy. I ordered it and when I went to pay with the Visa it said you card has been denied. I tried again and same thing. I gave up on it as it was not a big want.

    A month or so later Visa contacts me to inquire if I was in Brooklyn, NY. I was not and far away. Turns out my card had been hacked and was actively spending. They cancelled card and overnighted me a new one. But if you find yourself in that circumstance it may be a hack. Especially if there is no reason for your CC to be denied.

  7. Seg

    I recently got a new Ford car. Since I got it, I’ve received survey emails claiming to be Ford, but having anything but “@ford.com” in the email, and thus ignored. Some say they’re from Ford managers, but red flag if they don’t from from a “@ford.com” domain.

    I was getting a lot, so I decided to research a little into one of the emails. It was from a third party support/survey vendors with offices near Ford HQ in Dearborn. So they’re actually “legit” in the sense that Ford has indeed commissioned them to act on their behalf. But there’s no effort to insure the customer they are verifiably from Ford.

    In this case, Ford is actively teaching customers to interact with emails that signal every red flag for phishing emails contained in them. Surveys are a great way to get incidental information to connect dots. Especially as we get more connected car services, and the lack of 2FA on Ford accounts, I constantly worry about breaches in this (and other) vectors despite the things I do to protect myself.

  8. redbike

    Honest question here: a local government website that uses email/password for access requires that I change my password more-or-less 4 times / year which seems like security theater. Are these frequent password changes as utterly worthless as they appear?

    1. JamminJ

      Yes and no. Before consumer computers got powerful enough to crack hashes easily, a lot of the security of passwords focused on rotation. The idea was, it may take months to crack reasonable passwords.

      But there are limitations on how strong a password can be when they are generated by users to be easy to remember. Many advocate for long random passphrases…. but organizations didn’t want to force people to use password managers or other secure means of generation. And some organizations didn’t even want to force minimum password lengths of 15 characters.
      So password rotation has been the standard for a long time.

      NIST and others have recently (few years) changed their minds about 90 day rotation recommendations, in favor of MFA (multi-factor authentication) as a primary focus.
      This change is due in part to the much anticipated acceleration in consumer computers hardware and cloud computing.
      Cryptocurrency mining rigs, gaming systems, and machine learning are now ubiquitous and fairly inexpensive.
      These systems are also great for cracking hashes, so even longer passwords are no match for cracking within days.

      So we are kinda beyond the days of password rotation being very effective.
      But standards take a long time to change. Slower than the evolution of technology that it governs.

      1. redbike

        Thanks for the reply (and thanks to @yellowbike below.) I use a password manager so the changes aren’t burdensome. It’s good to know they’re not useless.

      2. Austin S.

        Password rotation controls are certainly worth it with the rise of successful brute force compromises. It appears that a 90-day rotation, with a lengthy password character requirement is becoming the norm. Further, MFA (as noted in the comment above) is another mechanism on the rise. NIST and PCI DSS suggest, if not require MFA, on critical systems. Though I do not agree that password rotation is completely ineffective to combat password cracking software, it seems to be at least one mitigation control a company can employ that will proactivity prevent against an intentional or unintentional infiltration. I work for an organization that employs MFA, 15 character password requirement, 90 day password rotation, and we are prohibited from ever using the same password twice. With today’s cyber-landscape becoming increasingly volatile, any armor our systems’ can wear – the better.

    2. yellowbike

      In a sense they are worthwhile because end users are eventually forced to use unique passwords for that account since a lot of those policies also include the restriction of old passwords being unusable.

      If you ask the user to kindly use a unique password for their login, you will be kindly ignored. Force users to change passwords every now and then and boom you have tricked them into actually using a password unique to that platform.

      1. JamminJ

        Actually, the opposite is true.
        I forgot to mention that one of the main reasons password rotation has gone out of fashion is because it became apparent that users were not changing their passwords to something unique.
        Rather they were using the same root password but just appending numbers such as month or season to the end.

        The main problem with user chosen passwords is that they must be memorable. When you tell them to rotate the password and tell them they can’t reuse the last 10 passwords… People don’t suddenly select stronger passwords, they get clever and find mental tricks to make them just as memorable.
        This leads to a huge advantage for the attackers using dictionary attacks.

  9. Eric

    My take-away from this article is not so much passwords being a problem; it is the use of a phone as a single point of failure. This is my major concern with all the two-factor authentication that is based on one thing, and one thing only: my phone.

    At least with passwords, as long as I use secure passwords, and don’t reuse them, any breach will be contained to just the organization that got hacked. Once hackers get access to my phone, _all_ my accounts (including bank accounts and credit cards) are potentially up for grabs.

    1. JamminJ

      It’s even worse than that. It really isn’t your “phone” that is acting as a 2FA device. Rather its a number, which is just a short set of numbers that are temporarily mapped to your SIM card. All controlled and managed by one of a few major private companies called “carriers”.
      SMS as 2FA is not really a physical “something you have”. Rather a virtual mapping that is not controlled by you.

      Biometrics, “something you are”, is a bigger problem too. It’s a single point of failure that you cannot even change. Compromise fingerprints, and there isn’t anything you can do, but avoid authentication that requires it.
      At least with a phone, you can get a new one, and set up your other accounts again.

      The thing with 2FA, is that it should always be a combination of things. So you still have unique passwords for every account, meaning that any one breach is still contained. The real issue, is that password reset process often uses only ONE FACTOR that just happens to be the same as what is used in combination during 2FA.

  10. Hans

    Why not something similar to public key cryptography in which you would register with your public key and the web site would never see the private key?

    Of course, that could still present a problem if someone broke into your computer and stole your private key and your password to use it.

    Perhaps the browser could automatically generate a new public/private key for each web site registration and the identification for the key was a set of random characters so that if an attacker did manage to get your key ring, they wouldn’t have a clue about which key was used with each web site.

    1. JamminJ

      It’s called client certificates. Behaves more or less how you describe it.
      However, it’s a real pain to do “mutual authentication” in practice.

    2. JamminJ

      Yes, pretty much exactly what you describe, is already being used.
      It is called client certificates. Web servers using TLS can enable “Mutual Authentication” to use it.

      The reason why it’s rare outside internal corporate / government / military environments, is because its a pain to set up and maintain.
      Certificate Authorities (CAs) delegate trust, and this model works very well when the server is the only side needing to be trusted. The server isn’t a real person, and won’t change hardware on a whim.
      Certificate management for real human users is tough, and breaks easily. You can get a taste of this at home. Set up a CA, a radius server, and WPA2/3 Enterprise using TLS client certificates. Then generate all the certs and install them on all your phones and laptops that use Wifi. Much more secure than a WPA2/3 PSK password, but management is a LOT more difficult. Now imagine you run a Bed and Breakfast, where you have dozens of new guest users every day, each needing key management.

      Then there’s OAUTH, which has a similar public/private key exchange system that makes for very secure client authentication.
      Of course, token based authentication is used all over the place and is much easier to implement because it all happens in the client web browsers.
      And also WebAuthN U2F and FIDO2. And probably a few other client authentication schemes. The more secure ones don’t store keys in the browser, or even in the keychain, but on hardware such as TPM chips or external USB tokens.

  11. Doug Belcher

    Instead of profiles and passwords why not try to go with something that doesn’t require a website to hold the user’s secrets? One such way was written by Steve Gibson (https://www.grc.com/sqrl/sqrl.htm) called “SQRL – Secure Quick Reliable Login : A highly secure, comprehensive, easy-to-use replacement for usernames, passwords, reminders, one-time-code authenticators . . . and everything else.”

    This way it doesn’t matter if a website is breached because the site doesn’t have anything for a hacker to use, i.e. no profile, no password, every SQRL ID is solely and only for that website. It’s fast, easy, and totally secure.

    1. JamminJ

      Long answer:
      As usual, take anything related to Steve Gibson with a truckload of salt.

      There are much better standards for authentication out there including oauth, webauthn u2f, FIDO2, etc.
      These authentication protocols are already in use and rapidly gaining traction.

      Meanwhile, Gibson’s scheme has been around for longer but hasn’t actually been used by anybody. There are good reasons why nobody is using SQRL. Lots of flaws, and it doesn’t actually solve a lot of the problems that people think it does. For instance, there may not be passwords on the site, but there’s still a profile that can be hijacked.

      With so many implementation flaws in Gibson’s SQRL, it would likely add new attack vectors and be compromised pretty quickly as soon as a website were to actually use it. But nobody is using it in production for good reason.

  12. Ahmed

    Any email that looks strange or suspicious, click Forward, then carefully look at the sender’s domain versus who the message is claiming to be from. If it is a bogus message purporting to be Amazon, the domain shown in Forwarding mode of the message will be anything but Amazon, 95% of the time. 5% of the crooks know how to shield their domain such that I have to dig into the message code to see it.
    My main email account has been in so many breaches, including multiple from my ISP, that its now like a honey pot.

    1. Beeker25

      Usually they are hidden unless you actually read the email source. I get them all the time that I actually click on the email address to drop down the list to see the actual email used. More time than not it is not actually from the company themselves.

  13. Helen Smith

    Thank you, Brian! That gives me lots of good clear ammunition to tell the folks in my U3A classes when I am explaining how to keep safe online.

  14. JPA

    If people want to share information that is on a website with others, then sending them the link to the website is the only way that the vast majority of users will use.

    Given that, what is a solution to make links sanitized.? One I wish for is if email stripped the html off of links and just sent them as text. Then they could be copied and pasted into a browser window.

  15. G.Scott H.

    Here is another tip which can help if you are using a password manager, because it can become unmanageable without one. This tip helps to protect against credential stuffing, it can also help prevent mysterious account lockouts which are a symptom of a credential stuffing campaign. Use different usernames at different domains whenever possible. It is not always possible. Sometimes the username is also used for other things like an email address. Sometimes a site uses an email address as the username, and this can also lead to a list of other issues. Sometimes you cannot change the username.

    I wonder if we ever reach a point of username/password only authentication being rare or used only for low value accounts if SMS 2FA would become the low hanging fruit and targeted more heavily.

  16. Jmc

    Rather than enter my passwords in an online “password protection” database, I keep track of my passwords (different for every website) in a small address book that has obfuscated website names. It’s useful to keep that password address book in a hidden but convenient location stored in a waterproof bag along with a few credit cards and some cash in case of a disaster.

    1. ReadandShare

      You can ‘have your cake and eat it too’ by using password managers (free or paid, online or offline versions all available) and simply have it print out a hardcopy list to put in your waterproof bag, same as before. In my case, instead of printing out a hardcopy, I encrypt mine locally – then back up that file to an external drive and to the cloud.

  17. Steven P

    Thanks for sharing the life cycle of breached dbms.

  18. rawatnimisha

    Nice! This information is very useful. Thanks for sharing this , keep sharing such information…

  19. ajwood

    A password should only be one of many Bona Fide Determination Processes.
    Passwords are old technology that in today’s security environment should only be taken for a grain of salt.
    Two-Part logins are good but the problem is not that we know it’s good. The problem is that others know that too.
    This makes security logins a dynamic that needs constant adapting to what the actual bone fide rules require.
    You have to have a secure server in order to protect it. Otherwise it’s all bs .
    Passwords that are sent to a server at specific intervals of time (between the 5th and 20th second during minute 11, 22, 44, 54 for example) is the saving grace here. Any other type of attempt is a breach that delays logging in or a phone call with other info is required to try again.

  20. George

    I use different usernames on all my sensitive accounts where a email is not required as the username.

Comments are closed.