Data Leakage

Credential Leaks: How They Work and Why You Should Be Concerned


Unfortunately, we read more every day about sensitive data leaks from websites, including credentials, logins, passwords and hashes. Despite the fact that this is a hot topic in specialized media, very few managers have stopped to consider how this trend could affect the security of their corporate environment, leading to financial losses and sending shock waves through their customers.

Are you familiar with the practice called credential stuffing? This scam, which is in full swing as you read this, takes advantage of the fact that on average we use only two or three passwords for several digital services, which means that if you manage to steal a password registered at a virtual store, for example, there is a good chance it can also be used to access other online services.

It’s always worth remembering that people are by nature careless with their passwords. A study conducted by Axur revealed that 60% of the passwords sampled were just numbers, and 27% of them had only six characters, which is usually the minimum required by sites in the signup process.

On top of that, numerical sequences (like “123456”), proper names (“Gabriel”), simple words (“Success”) and obvious sequences (“qwerty,” “a1b2c3”) were also common, even in 2018. Couple this with the habit of reusing credentials, and we have a dangerous situation for both your company and the private individual.


How crooks recycle

In credential stuffing, criminals get hold of credentials leaked from the Internet (already made available to the public or obtained through targeted hacking) and run automated login attempts against hundreds of other web services to see whether a login/password combination also grants access to another platform.

If a bot is fed a leak of 100 million credentials and is able to reuse 2% of them, that means that the hacker will gain two million valid passwords. And that can afford him or her access to end-user services (Netflix, Spotify, PayPal, etc.) as well as to cloud platforms storing files, data and corporate secrets (Trello, Slack, Dropbox, Google Drive, GitHub, and so forth).


Legal complications

The practice of credential stuffing is profitable to criminals regardless of how they use the stolen credentials. They could, for example, go to the deep web to sell Netflix logins for peanuts and simultaneously extort money from a corporation by threatening to divulge confidential information obtained through illegal access to their internal systems. That culminates in damages that are not only financial, but also reputational.

It’s important to remember that legislation regarding sensitive data protection has recently kicked in—the European General Data Protection Regulation (GDPR). This establishes rules for the collection, storage and processing of internet users’ confidential information, and also has provisions for million-dollar fines for those who are not careful with those bytes.

Specialists forecast that in 2019 data leaks will cost a total of 2.1 trillion dollars globally.


Action and reaction

As you can see, a credential stuffing attack is difficult to control. After all, its starting point is a leak that did not necessarily originate from your company and its effectiveness for criminals depends on whether or not the end user has good security practices, such as avoiding password reuse and adopting complex credentials. For that reason, monitoring is essential so you can be the first to know if credentials connected with your brand (with emails contained in your domain) become exposed on the web.

And that’s exactly why Hashcast exists: our solution is composed of hundreds of bots that comb public and private Internet channels in search of passwords shared in services like Pastebin (and its dozens of equivalents) or data sold in forums on the deep and dark web. Once the bots find something, they can issue notifications in real time (by email or SMS), so that the company can react as quickly as possible, directing its employees to change their passwords.
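The defender-side part of this monitoring, as an added example that is not Axur's or Hashcast's code: it parses a constructed `email:password` paste, keeps only entries under the company's own domain, and checks which of those accounts still use the leaked password (so they must be reset first), without ever storing the leaked plaintext. The dump, the user store and the PBKDF2 scheme are all constructed for illustration.

```python
import hashlib
import hmac
import os
import re

# Constructed sample of an "email:password" paste a monitoring bot might find.
# Every value here is made up for this example.
LEAK_DUMP = """\
alice@example.com:123456
bob@example.com:Success
carol@other-shop.net:qwerty
dave@example.com:S3cure!Passw0rd
malformed line without separator
eve@EXAMPLE.com:a1b2c3
"""

# Constructed stand-in for the company's user store: email -> (salt, hash).
# PBKDF2-SHA256 is used here for illustration; a real store has its own scheme.
def hash_password(password, salt):
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

def build_user_store(users):
    return {email.lower(): (salt, hash_password(pw, salt))
            for email, pw in users.items()
            for salt in [os.urandom(16)]}

USER_STORE = build_user_store({
    "alice@example.com": "123456",          # still uses the leaked password
    "bob@example.com": "different-one",     # leaked password is stale
    "dave@example.com": "S3cure!Passw0rd",  # still uses the leaked password
})

LINE_RE = re.compile(r"^([^:\s]+@([^:\s]+)):(.*)$")

def parse_leak(dump, domain):
    """Yield (email, password) pairs from the dump that belong to `domain`."""
    for line in dump.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # skip anything that is not email:password
        email, email_domain, password = m.groups()
        if email_domain.lower() == domain.lower():
            yield email.lower(), password

def exposed_accounts(dump, domain):
    """All addresses under the domain that appear in the leak (notify them)."""
    return sorted({email for email, _ in parse_leak(dump, domain)})

def accounts_to_reset(dump, domain, store):
    """Exposed accounts whose current password equals the leaked one."""
    hits = []
    for email, password in parse_leak(dump, domain):
        if email in store:
            salt, stored = store[email]
            if hmac.compare_digest(hash_password(password, salt), stored):
                hits.append(email)
    return sorted(hits)
```

`exposed_accounts` drives the notification, while `accounts_to_reset` tells you which of those notifications must be a forced password change rather than a warning.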

In 2018 alone, our monitoring of WhatsApp, Telegram, Discord, Facebook and the dark web yielded more than 17 million new leaked credentials, in addition to our data bank of 1.8 billion credentials. Contact us and get more details about our dynamic solution.





Eduardo Schultze, Coordinator of Axur's CSIRT, holds a degree in Information Security from UNISINOS – Universidade do Vale do Rio dos Sinos. He has worked since 2010 on fraud involving the Brazilian market, mainly phishing and malware.


We are journalists, but we are also hackers: we aim to solve problems by analyzing them creatively and by finding different ways of using the tools that we have.