Collecting Credentials

Many of us are fond of collecting things, but not everyone is excited about Collections #1-5. In 2019, these Collections, composed of ca. 932 GB of data containing billions of email addresses and their passwords, made their way around the Internet. These collections weren’t breaches themselves but compilations of emails and passwords that had been gathered from earlier breaches. Even after duplicate entries were whittled down, the collection still contained billions of distinct address and password combinations.

While it’s impossible to tell exactly where they all came from, some of the larger known data sets in these enormous files came from the Dropbox (2016), LinkedIn (2012), Yahoo! (2013/2014), and Adobe (2013) breaches.

Why should we pay attention to these and other breaches, especially when the passwords are hashed? Can’t one just reset the password and be done with it? Resetting passwords is not the issue. The problem is when the same password is associated with more than one account. Password reuse is what makes credential stuffing different from brute force: the criminal already holds a set of breached credentials and doesn’t have to guess at the password. Even when a breach exposes only hashes, criminals can use rainbow or hash tables to recover the plaintext password behind a hash, particularly when the hashes are unsalted. Attackers also know that many people reuse their passwords. The danger is not just accessing someone’s account; it’s being able to access other valuable personal accounts that use the same credentials.
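The contrast drawn above, one guess per many accounts versus many guesses at one account, is also what a defender can look for in login logs. The following Python detector is an added example, not code from the original article; the log lines, IP addresses and thresholds are constructed for illustration.

```python
from collections import defaultdict
from datetime import datetime

# Constructed sample login events (not from the article): timestamp, source IP, account, outcome.
SAMPLE_LOG = """\
2019-01-17T10:00:01Z 203.0.113.7 alice@example.com FAIL
2019-01-17T10:00:03Z 203.0.113.7 bob@example.com FAIL
2019-01-17T10:00:05Z 203.0.113.7 carol@example.com OK
2019-01-17T10:00:07Z 203.0.113.7 dave@example.com FAIL
2019-01-17T10:00:09Z 203.0.113.7 erin@example.com FAIL
2019-01-17T10:01:00Z 198.51.100.9 alice@example.com FAIL
2019-01-17T10:01:01Z 198.51.100.9 alice@example.com FAIL
2019-01-17T10:01:02Z 198.51.100.9 alice@example.com FAIL
2019-01-17T10:01:03Z 198.51.100.9 alice@example.com FAIL
2019-01-17T10:01:04Z 198.51.100.9 alice@example.com FAIL
2019-01-17T10:02:30Z 192.0.2.5 carol@example.com OK
"""

def parse_log(text):
    """Parse 'timestamp ip account outcome' lines into (time, ip, account, success) tuples."""
    events = []
    for line in text.splitlines():
        if line.strip():
            ts, ip, account, outcome = line.split()
            events.append((datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), ip, account, outcome == "OK"))
    return events

def classify_sources(events, window_seconds=300, min_attempts=5, distinct_ratio=0.8):
    """Label each source IP by its densest window of login attempts: stuffing = many attempts spread
    over distinct accounts (one breached password each); brute force = many attempts on one account."""
    by_ip = defaultdict(list)
    for ts, ip, account, ok in events:
        by_ip[ip].append((ts, account, ok))
    report = {}
    for ip, rows in by_ip.items():
        rows.sort()
        best = []  # attempts inside the densest window_seconds-long window for this source
        for i, (start, _, _) in enumerate(rows):
            chunk = [r for r in rows[i:] if (r[0] - start).total_seconds() <= window_seconds]
            best = max(best, chunk, key=len)
        attempts, accounts = len(best), {acct for _, acct, _ in best}
        successes = sum(ok for _, _, ok in best)  # a success inside a stuffing burst is a reused password
        if attempts >= min_attempts and len(accounts) / attempts >= distinct_ratio:
            label = "credential_stuffing"
        elif attempts >= min_attempts and len(accounts) == 1:
            label = "brute_force"
        else:
            label = "normal"
        report[ip] = {"attempts": attempts, "accounts": len(accounts), "successes": successes, "label": label}
    return report
```

Any source labelled `credential_stuffing` with `successes` above zero points at an account whose owner reused a breached password and should be forced through a reset.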

5 Stages of an Attack

Michael Isbitski with Salt Security presents a great overview of credential stuffing including its stages. Here’s a summary of my own version of the five stages.

1. Appropriation

In this stage, the criminals gather credentials. These might have been gained from breaches they conducted themselves, from collections bought online, or just downloaded from one or more sets of publicly available repositories. Additional items gathered during this (Read more...)