READ TIME: 4 MIN
Collection No. 1 – Has Anyone Not Been Pwned?
There are approximately 7 billion humans on Planet Earth. Recently, over ten percent of them – 773 million of them, to be exact – now have their sensitive personal information released into public record. This is courtesy of what’s known as Collection No. 1, one of the largest collections of unique email addresses and passwords ever to be released.
Importantly, Collection No. 1 is not the result of a single data breach. Rather, it is a farrago – multiple separate and previously unheard-of data breaches accumulated into a single mass and released for public consumption.
Data breaches at this scale are illustrative. Not only do they show us how many people constantly reuse weak and insecure passwords across the internet, they also show us something about how data – emails, passwords, phone numbers, and so on – are used once it has been stolen. Here’s what the Collection No. 1 breach tells us about information security.
How to Use Stolen Data
Most stolen data isn’t immediately useable. Even if a hacker successfully steals a list of email, username, and password combinations, they’ll usually find that the password is protected by something called a hash. A hash is a one-way cryptographic algorithm that renders passwords into a protected format. Most applications never store plain-text passwords – only the hash is stored. When you put your password into a login form, it gets hashed and then checked against the stored hash for verification.
Hashes are not unbreakable, and hackers are creative. If you have a weak password, hackers can find it through something called a rainbow table attack or a dictionary attack, in which they take an example list of weak passwords, hash them, and then check a stolen database for matching hashes.
Alternatively, hackers may find that they’ve stolen a list from a company that does not adhere to good password management practices. For example, they might be using depreciated hashes – hashes that are widely solved and easy to decrypt. A lot of companies still use the MD5 hash, even though it’s been known to be insecure since 2005.
Even though there are methods, de-hashing stolen data takes a ton of work – which is what makes the Collection No. 1 breach so notable. Each one of the millions of passwords that were released as part of Collection No. 1 have been de-hashed. That means that they are immediately available for hackers to use – and most likely, they’ve already tried to use them.
The Lifecycle of Stolen Data
Data that’s stolen from companies and organizations doesn’t often get used right away. For example, criminals that steal data directly often don’t have any interest in or ability to de-hash it. That means that this data gets immediately sold. The buyer will then attempt to de-hash this data, and it takes time – stubborn hashes can take months or even years to decrypt.
Once the hashes have been decrypted, the hackers will attempt to use the resulting credentials – they’ll try to unlock bank accounts and steal money, or potentially use admin credentials to break into corporate networks and steal more information. Not all credentials will be easy to use – they might not be closely associated with either companies or bank accounts – and not all of them will still be valid by the time they’ve been decrypted.
Huge data dumps like Collection No. 1 are the end result of this process. This is the data that has either already been mined for immediate usefulness or can’t easily be mined for immediate profit. The only thing that’s left for attackers to do is use it for what’s known as credential-stuffing attacks: taking huge lists of various usernames and passwords and then running them through various services in the hope of finding a useful combination.
Expect to see a lot of credential-stuffing attacks using the data from Collection No. 1 (and subsequent collections) in the coming weeks and months.
Protect Your Business with Help from NexusTek
Data breaches like Collection No. 1 highlight the need for companies to create secure password management strategies and protect their businesses from account hijacking. NexusTek can help with both. Our security experts will consult with companies in order to develop password protection schemes that use state-of-the-art cryptographic algorithms to protect user data. In addition, we offer monitoring solutions that can detect and mitigate the influx of login attempts that would accompany a credential stuffing attack.