MY TAKE: Why companies should care about 2.2 billion stolen credentials circulating in easy reach

Some chilling hard evidence has surfaced illustrating where stolen personal information ultimately ends up, once it has flowed through the nether reaches of the cyber underground.

Wired magazine reported this week on findings by independent security researchers who have been tracking the wide open availability of a massive cache of some 2.2 billion stolen usernames, passwords and other personal data.



Ever wonder where the hundreds of millions of consumer records stolen from Marriott, Yahoo, Equifax, Dropbox, LinkedIn, Target, Home Depot, Sony, Anthem, Premera Blue Cross, Uber and literally thousands of other organizations that have sustained major network breaches end up?

This data gets collected and circulated in databases that the thieves initially attempt to sell for big profits on the dark web, as reported by Motherboard. The work of these researchers shows how, at the end of the day, much of the stolen personal data eventually spills over into the open Internet, where it is free for the taking by anyone with a modicum of computer skills.

Credential stuffing

The clear and present risk to the average consumer or small business owner is that his or her stolen account credentials will surface in one or more credential stuffing campaigns. This is where criminals deploy botnets to automate the replay of surreptitiously obtained username and password pairs against a targeted site's login page until they gain fraudulent access to an account. The attack works because so many people reuse the same password across services: a pair leaked from one breached site will open the victim's accounts elsewhere. And once the criminals are in, they swiftly try the same credentials against accounts on other popular services.
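Two of the signals a defender can pull out of its own authentication logs to spot a campaign like the one described above, shown as an added example that is not part of the original post. The log format, field names, thresholds and the sample records are all constructed for illustration; a real deployment would read from its own auth logs and tune the thresholds. The first detector catches a single bot address working through a leaked list; the second catches the low-and-slow botnet pattern, where each address stays under a per-IP rate limit but the addresses together fail against many distinct accounts in a short window.

```python
"""Credential-stuffing detection over constructed login records.

Two signals separate stuffing from ordinary mistyped passwords:
  1. One source IP failing against many *distinct* usernames: a bot
     working through a leaked list from a single address.
  2. Many source IPs, each making only one or two attempts, but together
     failing against many accounts in a short window: a botnet spreading
     the list to stay under per-IP rate limits.
The occasional success among the failures is the point of the attack;
those are the accounts whose owners reused a leaked password.
"""
import re
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta

# Constructed sample, not real logs. One record per line: UTC time, result, user, ip.
SAMPLE_LOG = """\
2019-02-04T10:00:01Z LOGIN_FAIL user=alice ip=198.51.100.7
2019-02-04T10:00:02Z LOGIN_FAIL user=bob ip=198.51.100.7
2019-02-04T10:00:02Z LOGIN_FAIL user=carol ip=198.51.100.7
2019-02-04T10:00:03Z LOGIN_OK user=dave ip=198.51.100.7
2019-02-04T10:00:03Z LOGIN_FAIL user=erin ip=198.51.100.7
2019-02-04T10:00:04Z LOGIN_FAIL user=frank ip=198.51.100.7
2019-02-04T10:00:10Z LOGIN_FAIL user=alice ip=203.0.113.10
2019-02-04T10:00:11Z LOGIN_FAIL user=bob ip=203.0.113.11
2019-02-04T10:00:12Z LOGIN_FAIL user=carol ip=203.0.113.12
2019-02-04T10:00:13Z LOGIN_FAIL user=gina ip=203.0.113.13
2019-02-04T10:00:14Z LOGIN_FAIL user=hank ip=203.0.113.14
2019-02-04T10:00:15Z LOGIN_OK user=ivan ip=203.0.113.15
2019-02-04T10:05:00Z LOGIN_FAIL user=alice ip=192.0.2.50
2019-02-04T10:05:20Z LOGIN_FAIL user=alice ip=192.0.2.50
2019-02-04T10:05:40Z LOGIN_OK user=alice ip=192.0.2.50
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<result>LOGIN_OK|LOGIN_FAIL) user=(?P<user>\S+) ip=(?P<ip>\S+)$"
)


@dataclass(frozen=True)
class Event:
    ts: datetime
    ok: bool
    user: str
    ip: str


def parse(log_text):
    """Parse records; malformed lines are skipped rather than crashing the detector."""
    events = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ")
        events.append(Event(ts, m["result"] == "LOGIN_OK", m["user"], m["ip"]))
    return events


def detect_single_source(events, window=timedelta(seconds=60), min_users=5):
    """Return {ip: (distinct_failed_users, successes)} for every IP that fails
    against >= min_users different accounts within any `window`."""
    by_ip = defaultdict(list)
    for e in events:
        by_ip[e.ip].append(e)
    flagged = {}
    for ip, evs in by_ip.items():
        evs.sort(key=lambda e: e.ts)
        start = 0
        for end in range(len(evs)):  # sliding window over this IP's events
            while evs[end].ts - evs[start].ts > window:
                start += 1
            win = evs[start:end + 1]
            failed_users = {e.user for e in win if not e.ok}
            if len(failed_users) >= min_users:
                flagged[ip] = (len(failed_users), sum(e.ok for e in win))
                break
    return flagged


def detect_distributed(events, window=timedelta(seconds=60), per_ip_max=2,
                       min_ips=5, min_users=5):
    """Return (distinct_ips, distinct_users) for the first `window` in which
    failures from 'quiet' IPs (<= per_ip_max attempts in the whole sample)
    hit >= min_users accounts from >= min_ips addresses, else None."""
    attempts = defaultdict(int)
    for e in events:
        attempts[e.ip] += 1
    quiet_fails = sorted((e for e in events if not e.ok and attempts[e.ip] <= per_ip_max),
                         key=lambda e: e.ts)
    start = 0
    for end in range(len(quiet_fails)):
        while quiet_fails[end].ts - quiet_fails[start].ts > window:
            start += 1
        win = quiet_fails[start:end + 1]
        ips = {e.ip for e in win}
        users = {e.user for e in win}
        if len(ips) >= min_ips and len(users) >= min_users:
            return len(ips), len(users)
    return None


def analyze(log_text):
    events = parse(log_text)
    return {"single_source": detect_single_source(events),
            "distributed": detect_distributed(events)}


if __name__ == "__main__":
    print(analyze(SAMPLE_LOG))
```

On the sample, the first detector flags 198.51.100.7 (five distinct accounts failed, one success, which is the account to lock and notify) and leaves 192.0.2.50 alone, since one user mistyping twice is the normal noise a per-IP failure counter would confuse with an attack. The second detector flags the 203.0.113.x addresses collectively even though no single one of them made more than one attempt.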

Reddit earlier this month acknowledged that credential stuffers locked down a “large group of accounts.” The social news aggregation site informed the victims that they would need to reset their passwords to regain access, and, notably, advised them to choose strong, unique passwords.

“This leak creates risks mainly for customers who re-used passwords across multiple accounts,” observes Dr. Steven Murdoch, principal research fellow at University College London’s Department of Computer Science. “Companies should monitor news of password leaks, like this one, and deactivate passwords of their customers who have re-used a password from another account which was breached.”

Murdoch also advises organizations to “implement additional controls on top of passwords, such as detection of suspicious behavior. Two-factor authentication, or even better, FIDO/U2F.”

Third-party risks

For small businesses that make a living as third-party suppliers of services and goods to larger first-party organizations, a stuffed account can be very damaging, which makes managing authentication of the utmost importance, says Tom Garrubba, senior director at Shared Assessments, a Santa Fe, NM-based intel-sharing and training consortium focused on third-party risks.

“We don’t know all of the sources of these breached records, so the importance of a healthy third-party risk management program that includes continuous monitoring and effective threat management over your organization’s data becomes even more crucial than ever,” Garrubba says.

Given the ocean of account logon credentials in circulation, Garrubba observes that it is vital for companies to fully understand, and continuously monitor, the risk postures of all suppliers and partners, which means the third-party suppliers need to make this a high priority, as well.

“This will ensure that both outsourcers, and their full network of service providers and other third parties with whom they share data, are all fulfilling their security and privacy expectations laid out in their contracts,” Garrubba says.

Path of least resistance

Wider, more consistent use of multi-factor authentication by first-party and third-party entities also has become a vital best practice, says Frederik Mennes, a senior security strategist at OneSpan, a Chicago-based supplier of authentication technology to 2,000 banks worldwide.

“Companies should remember that easy targets will continue to be exploited first, because cybercrime follows the path of least resistance,” Mennes says. “Applying multi-factor authentication may stop an attacker as the attacker might go after only users that have not enabled stronger authentication.”

One of the best things small companies can do is require all of their employees to use a password manager, so that every account gets a unique, randomly generated password. That significantly reduces their exposure to criminal specialists tapping into the ocean of stolen credentials to orchestrate credential stuffing campaigns aimed at exploiting vulnerable supply chains: a password leaked from one site no longer opens anything else.

We all need to reduce our digital footprints to make ourselves – and the organizations we work for – less of a target.

“Some believe that many of the records within this breach may be outdated and basically worthless; but one man’s trash is another man’s treasure,” says Franklyn Jones, chief marketing officer at Cequence Security. “So some bad actor will likely acquire these credentials for pocket change, then launch a bot attack on other target sites to see what they can achieve. And just like an episode of The Detectorists, they will likely come away with something of value.”

(Editor’s note: LW provides consulting services to some of the organizations included in our coverage.)


*** This is a Security Bloggers Network syndicated blog from The Last Watchdog authored by bacohido. Read the original post at: