Troy Hunt, operator of the well-known ‘Have I Been Pwned’ service, is providing a massive list of compromised passwords to help organizations provide better security for their users.
The issue Hunt is addressing is a common hacker tactic called ‘credential stuffing.’ In this process, hackers use lists of compromised account credentials to try to unlock accounts on a separate website or service, for example using a compromised social media login to attempt to access the user’s email account.
This tactic has become increasingly successful with the recent mega breaches at MySpace, LinkedIn, etc. Just ask cybersecurity company FireEye…
FireEye Cybersecurity Analyst Hacked
A group of attackers calling themselves 31337 targeted FireEye, a well-known cybersecurity company and owner of Mandiant. The group used credential stuffing tactics to hack into personal online accounts of Adi Peretz, a senior threat intelligence analyst of Mandiant’s consulting services unit.
From there, they found and released three corporate documents from those accounts on Pastebin – a 32 MB file labeled “Mandiant Leak: Op. #LeakTheAnalyst.” FireEye’s investigation also found Peretz’s LinkedIn account defaced along with compromised Hotmail and OneDrive accounts.
Peretz was just one of the tens of millions of victims who had their login credentials breached over the past few years, including in the LinkedIn breach last year.
The breach of this analyst’s account illustrates the potential dangers of credential stuffing, even for a company solely focused on cybersecurity.
Employees are often found using personal accounts for work-related activities. This activity extends an organization’s cyber risk to the personal security practices of employees outside of the work environment.
To help remedy this problem, Troy Hunt launched a service called Pwned Passwords. The service provides SHA-1 hashes of the 320 million passwords Hunt collected from previous data breaches.
NIST recently released updated guidance regarding passwords and authentication practices. One new recommendation was that user-provided passwords be checked against those from previous data breaches.
Organizations and online service providers can download the list of password hashes and use it in their online systems to boost their users’ password security. According to the Pwned Passwords web page, the list can be integrated to verify whether a password has previously appeared in a data breach. Systems can then warn users, or even block the password outright.
Hunt’s original post announcing the service highlights several use cases where the list could be valuable: registration, password change, login, and others.
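The check described above, as an added example that is not code from the article or from the Pwned Passwords project: the candidate password is hashed with SHA-1, the hex digest is looked up in an in-memory set built from the downloaded list, and a policy hook decides whether to warn or block depending on the use case (registration, password change, or login). The list format (one uppercase SHA-1 hex digest per line) and the breached sample passwords are assumptions constructed for the example; the lookup set and the policy names are the example’s own.

```python
import hashlib
from typing import Iterable, Set

# Constructed sample standing in for the downloaded Pwned Passwords list.
# Assumed file format: one uppercase SHA-1 hex digest per line.
SAMPLE_BREACHED_PASSWORDS = ["password", "123456", "qwerty", "letmein"]
SAMPLE_LIST_TEXT = "\n".join(
    hashlib.sha1(p.encode("utf-8")).hexdigest().upper()
    for p in SAMPLE_BREACHED_PASSWORDS
) + "\n"


def sha1_upper(password: str) -> str:
    """SHA-1 hex digest of the password, upper-cased to match the list.

    This digest is only a lookup key against the breach list; it must never be
    stored as the account's password hash (use a slow, salted hash for that).
    """
    return hashlib.sha1(password.encode("utf-8")).hexdigest().upper()


def load_hash_set(lines: Iterable[str]) -> Set[str]:
    """Build a lookup set from the list, skipping blank or malformed lines."""
    hashes: Set[str] = set()
    for line in lines:
        digest = line.strip().upper()
        if len(digest) == 40 and all(c in "0123456789ABCDEF" for c in digest):
            hashes.add(digest)
    return hashes


BREACHED_HASHES = load_hash_set(SAMPLE_LIST_TEXT.splitlines())


def is_pwned(password: str, hashes: Set[str] = BREACHED_HASHES) -> bool:
    """True if the password's SHA-1 digest appears in the breach list."""
    return sha1_upper(password) in hashes


def evaluate_password(password: str, event: str,
                      hashes: Set[str] = BREACHED_HASHES) -> str:
    """Policy hook for the use cases named in the article.

    Returns "block" for a breached password at registration or password
    change (the NIST recommendation: reject passwords seen in breaches),
    "warn" for a breached password at login (the account already exists, so
    prompt the user to change it), and "ok" otherwise.
    """
    if not is_pwned(password, hashes):
        return "ok"
    if event in ("registration", "password_change"):
        return "block"
    if event == "login":
        return "warn"
    raise ValueError(f"unknown event: {event}")


if __name__ == "__main__":
    for pw, ev in [("password", "registration"), ("qwerty", "login"),
                   ("a long unique passphrase 7#", "registration")]:
        print(f"{ev:16} {pw!r:34} -> {evaluate_password(pw, ev)}")
```

Loading the full 320 million hashes into a Python set takes several gigabytes of memory; for production the same digest lookup would be run against a database index or a sorted on-disk file with binary search, but the hashing and decision logic stay as shown.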
The Pwned Passwords service could provide organizations with a valuable tool to help boost their authentication practices.