Fraud and account take-over cost companies billions of dollars every year. Many of these successful attacks are the result of credential stuffing, a vulnerability created by users’ reuse of passwords across systems and websites. Because of the risk of exposed passwords, the US-based National Institute of Standards and Guidelines (NIST) recommends screening accounts against lists of commonly-used and compromised credentials, which sounds straightforward but is easier said than done.
The threat landscape is constantly changing: new data breaches occur every day, billions of records are exposed every year, and bad actors are buying, selling, trading, and using this data to commit crimes as soon as it becomes available. Enzoic’s compromised credential database is a continuously-updated, efficient, and cutting-edge resource to defend users and businesses against credential stuffing attacks.
Breached datasets can be anywhere from just a few lines, right up to many gigabytes. They are frequently irregularly formatted, and can contain many types of information besides usernames/emails and passwords, including Social Security Numbers, demographic information, sensitive health or lifestyle data, for example. Small breaches are still dangerous- small companies without the resources for robust security practices often use outdated software with weaker password hashing, yielding the plaintext passwords for much less effort. If a user has used a similar password on another service, they can be vulnerable in this way even if the targeted service has not been compromised.
Before potential criminals can use the data for attacks, it must be cleaned, analyzed, and processed into formats appropriate for phishing, credential stuffing, or other forms of fraud. To defend against these orchestrated attacks, we must also analyze and process the data to mount strong, accurate, and up-to-date protection.
To provide the most effective defense, Enzoic’s credential data is carefully curated, cleaned, and stored to provide maximum efficiency and security for password screening and continuous monitoring. Millions of rows of credential data surfaces publicly each month, but the vast majority is duplicates from past breaches, repackaged information, and fields that are simply corrupted and invalid (e.g. incomplete email addresses). Hackers commonly extract credentials from old breaches and attempt to pass it off as fresh data from new attacks to make quick cash or earn social standing.
Each dataset we obtain is checked for validity, analyzed for necessary features (e.g. which type of password encryption was used), and filtered for only credential information. The set is then cataloged and each record is inserted into the database. Each password is stored as a hash for security, so plaintext credential information is never transferred between the end-user and our servers. Credentials are cross-referenced across breaches, checking for uniqueness or other instances of the exposed account. This allows us to maximize efficiency through minimizing duplicates, while still tracking each occurrence of users’ information across the entire breach catalog.
Cybersecurity is a time-sensitive enterprise. Victims of a breach may have no idea that a security compromise has occurred for months, which leaves hackers plenty of time to capitalize on the information. If credentials have been breached, that organization will be particularly vulnerable until the breach is discovered, as they will not know to alert users and reset passwords. “Fresh” credential data is also considered more valuable, as the accounts will not have been stolen yet and credentials known to be active on one website are more likely to be active on another. In other words, it is extremely hard to defend against threats of which one is unaware, so we are always focused on identifying new breaches and pushing the data to our system as quickly as possible.
To mitigate these threats when users are most vulnerable, Enzoic has both automated tools and threat researchers continually scouring both the clear and dark web for breached data. Our web scrapers target platforms known for the transmission of compromised accounts, automatically detecting and processing lists as soon as they appear. Our threat research team works with private sources to obtain data before it gets more widely distributed. We also monitor hacking forums, dark web markets, and “leak” sites so that we learn of breached information at the same time most threat actors do.
When breached data surfaces, we immediately download, analyze and incorporate the data into the Enzoic database so all of our users are protected and notified. We collect and process breaches from companies and websites all over the world, and from a myriad of sources- from the well-known “Collections” to hacking groups personal darknet sites, and from massive social media breaches to the Internet-of-Things.
Most credential stuffing attacks require passwords to be in plaintext, so the data exposed in a breached credential database may not be readily usable if appropriate hashing techniques were used. Most companies are moving to more secure hashing algorithms and using salts, but hackers devote huge amounts of time and computational resources to “crack” (i.e. decrypt) and share the resultant plaintext passwords. Some work as individuals, and some work in large communities to collaborate on large breaches.
At Enzoic, we monitor this work and use big-data analytics tools to correlate and update our own credential data as the cracked hashes are released. Though the combination of human and automated processes our database is updated multiple times each day. This ensures we stay toe-to-toe with as many threat actors as possible, and keeps our users protected even as hackers continually work to crack passwords and take over accounts.
By: Dylan Hudson