Announcement PSA: Passwords, Security, and Hackers... OH MY!!!!!

*waves*

Welcome to my world.
(MANY WORDS INCOMING. FAIR WARNING.)

https://www.bleepingcomputer.com/ne...ed-in-large-scale-credential-stuffing-attack/ (a different report on the same incident Nifty posted in the first post.)

35k users is not "large scale" but whatever. It's a significant sum of users. Note that this was a credential stuffing attack where the crackers used password lists mined off of the internet to see if they could get matches. This is EXACTLY why Nifty started this thread. Datamines of users and passwords even years old can still be used to break into accounts if you don't regularly change passwords or use the same credentials on multiple sites. It's even more risky since it's an accepted practice on websites to use your email address as your user id all over the internet. So literally every place you have a login, half the work is likely already done once your email address is grabbed. All an attacker needs to do is collate it to password lists and start fishing.

Here's a very real hypothetical scenario illustrating how scary this can be:

(Begin scenario)
So say you have "[email protected]" as your login for gmail. And paypal. And netflix. And your bank. Etc, etc... And you have a password of "password 123" on gmail. Coincidentally, this is the same password you used 10 years ago on your myspace you've forgotten about, with the same [email protected] login. And that 10 year old data was stolen in a data breach of myspace in 2015. You changed your password then on myspace but forgot you've used this password before.

Now a bad guy has the data from that 2015 myspace breach, and in the thousands of lines of info is your "[email protected]/password 123" credentials. So he writes a script to try logging into gmail and your username/password combo works. Now he's got access to your gmail. Which is where all your password reset emails for all your OTHER accounts go when you hit the "forgot password" link. The attacker can now try to find as many logins with your [email protected] email address as they can, and password reset them all to take control of your accounts. You have been owned.
(End scenario)

This doesn't even take into account that the attacker likely has more than one list; there are hundreds of datamines out there. So potentially any old password you've used can be collected and used against you maliciously. Attacks like this happen daily. It's a very simple "low skill level" kind of attack. You don't need complicated tools, you need simple looping scripts and a list of users and passwords to try. A 5th grader with a month of programming lessons could do this. It's not "hackers" in basements with Guy Fawkes masks on to hide their identity. It's kids and adults in call centers and cyber cafes in Russia and China (among other places) who are trying to put food on the table because they get paid for every account they can pop.

Every one of you probably knows someone whose credentials on SOME website have been popped. It may seem innocent today, but it can come back to bite you hard years later.
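The post above describes what credential stuffing looks like from the attacker's side: one source replaying a breach list against many different accounts. From the defender's side, the same pattern stands out in an auth log, because a real user mistyping their own password produces one username and a few failures, while a stuffing run produces many distinct usernames from one source with a low success rate. The script below is an added example, not code from the post or its author; the log lines, IP addresses and thresholds are all constructed for the example, and the "accounts to reset" output is what a site operator would use to force a password reset and notify the affected users.

```python
"""Spot credential stuffing in a constructed auth log (added example)."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log lines (not real traffic):
# "<timestamp> <source-ip> <username> <result>"
# 203.0.113.7 walks a breach list across many accounts and gets one hit;
# 198.51.100.22 is a legitimate user fumbling their own password;
# 192.0.2.9 touches two accounts, below the example threshold.
SAMPLE_LOG = """\
2024-01-05T10:00:01Z 203.0.113.7 alice@example.org FAIL
2024-01-05T10:00:02Z 203.0.113.7 bob@example.org FAIL
2024-01-05T10:00:02Z 203.0.113.7 carol@example.org FAIL
2024-01-05T10:00:03Z 203.0.113.7 dave@example.org FAIL
2024-01-05T10:00:04Z 203.0.113.7 erin@example.org OK
2024-01-05T10:00:05Z 203.0.113.7 frank@example.org FAIL
2024-01-05T10:00:06Z 203.0.113.7 grace@example.org FAIL
2024-01-05T10:01:10Z 198.51.100.22 alice@example.org FAIL
2024-01-05T10:01:25Z 198.51.100.22 alice@example.org FAIL
2024-01-05T10:01:40Z 198.51.100.22 alice@example.org OK
2024-01-05T10:02:00Z 192.0.2.9 bob@example.org FAIL
2024-01-05T10:02:30Z 192.0.2.9 heidi@example.org OK
"""


def parse_log(text):
    """Turn the space-separated log format above into (ts, ip, user, ok) tuples."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, ip, user, result = line.split()
        stamp = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ")
        events.append((stamp, ip, user.lower(), result == "OK"))
    return events


def summarize_sources(events, window=timedelta(minutes=5)):
    """Aggregate attempts per (source IP, time bucket) so a slow run over
    hours is not masked by a single large total."""
    buckets = defaultdict(
        lambda: {"attempts": 0, "successes": 0, "users": set(), "hit_users": set()}
    )
    if not events:
        return buckets
    epoch = min(ts for ts, *_ in events)
    for ts, ip, user, ok in events:
        key = (ip, (ts - epoch) // window)  # integer bucket index
        bucket = buckets[key]
        bucket["attempts"] += 1
        bucket["users"].add(user)
        if ok:
            bucket["successes"] += 1
            bucket["hit_users"].add(user)
    return buckets


def flag_stuffing(events, window=timedelta(minutes=5),
                  min_distinct_users=5, max_success_rate=0.25):
    """Return (flagged_ips, accounts_to_reset).

    A source is flagged when, inside one window, it tried at least
    min_distinct_users different usernames and succeeded on at most
    max_success_rate of its attempts. Accounts it did get into are the
    ones whose reused password is now known to be in a breach list.
    """
    flagged, compromised = set(), set()
    for (ip, _), bucket in summarize_sources(events, window).items():
        rate = bucket["successes"] / bucket["attempts"]
        if len(bucket["users"]) >= min_distinct_users and rate <= max_success_rate:
            flagged.add(ip)
            compromised |= bucket["hit_users"]
    return flagged, compromised


if __name__ == "__main__":
    ips, accounts = flag_stuffing(parse_log(SAMPLE_LOG))
    print("suspected stuffing sources:", sorted(ips))
    print("accounts to force-reset and notify:", sorted(accounts))
```

The thresholds are deliberately loose for a twelve-line sample; on a real site they are tuned per endpoint, and the same aggregation is usually run per subnet or ASN as well, since stuffing traffic is commonly spread across many source addresses to stay under per-IP limits.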
Dammit, man…
 
What happens if/when you don’t trust most people anymore?
It's not people you stop trusting, it's the internet. So you don't use the internet so much, and go back to real people met face-to-face, physical money, and local traders. Could be worse.
 
Okay well I have had a traumatic experience I dropped my phone down the toilet and all my passwords were in it so now I can't get into most of my accounts. On stuff.
 
It's best to keep a written notebook of all your passwords, kept safely somewhere, if you don't allow Google to remember them.
 
No, 'cause I wrote the password to my password manager down in a notepad on my phone.
Ouch. That is fine for convenience, but you should always have copies of critical backups separate from the original device: stored on a separate machine on your network in case your first one fails, stored on an unplugged USB stick in case malware gets onto your network, and/or stored in the cloud in case you have a home fire/theft.

Painful lesson learned. Many of us have gone through the same.
 