Navigating Access and Security in the Stolen Credentials Landscape
By Tom Caliendo, Cybersecurity Reporter, Co-Founder at Brocket Consulting LLC
In the last few years, an unprecedented number of stolen login credentials have been exposed in data breaches. Data Breach Search Engines (DBSEs) are increasingly providing public access to these stolen credentials. While designed to alert users to potential data exposure, these engines may unintentionally contribute to the growing cyber threat landscape by aiding malicious actors in exploiting stolen login credentials.
Although the past year witnessed an alarming rise in threats from malicious actors leveraging stolen login credentials, the potentially harmful role of DBSEs has been largely overlooked.
DBSEs have existed for years with the purpose of informing individuals if their personal information was exposed in a breach. This involves seeking breached data from the dark net and making part of that information available to the public on the DBSE’s website on the regular internet, also known as the “surface net.”
Traditionally, DBSEs would only inform visitors if their email address or username was listed in any data breaches, prompting them to change their passwords for a specific account. However, a new category of DBSEs has emerged, offering users access to raw data from breaches, including login credentials for other individuals. These new DBSEs are gaining popularity.
This trend unfolds as the dark web underground market for stolen credentials is experiencing rapid growth. Demand is primarily driven by cybercriminals intending to use stolen credentials for malicious actions, as reported in Recorded Future’s 2022 Annual Report. Recent trends reveal an increasing usage of stolen credentials for cybercrime, with Account Takeover fraud rising by 354% year-over-year in Q2 2023, based on Sift’s Q3 2023 Digital Trust & Safety Index. Additionally, 49% of data breaches last year involved using stolen credentials, according to the 2023 Data Breach Investigations Report (DBIR) by Verizon.
Against this backdrop, DBSEs are making exposed credentials more accessible to the public. This marks a significant departure from the days when breached data was confined to the darker corners of the Internet. The F5 Labs 2021 Credential Stuffing Report notes that for malicious actors seeking victims’ login credentials, the entry barrier is diminishing. Access to exposed credentials used to demand a level of skill, funds, and/or personal connections, requiring expertise to hack a database, connections to elite sellers, or access to exclusive dark web markets. However, with increasingly mainstream services willing to sell verified credentials, anyone can obtain access.
Nevertheless, even if DBSEs assist in exposing credentials, it’s crucial to recognize that not all stolen credentials are the same. Hackers typically attempt to keep stolen credentials secret for as long as possible. Breached credentials lose value when they become public knowledge because victims promptly change their passwords, as stated in the Cofense 2023 Annual State of Email Security Report. F5 Labs corroborated this notion in its Credential Stuffing Report, tracking the path of stolen credentials from theft to public disclosure. As soon as the breach became public knowledge, the price of the credentials started declining.
It is at this stage, after public disclosure and posting of the data, that DBSEs first obtain the credentials. Therefore, DBSEs provide access to credentials when they are least valuable to criminals.
However, the credentials accessible in DBSEs still hold value to criminals, particularly if victims reuse their passwords for multiple accounts. Password reuse has always been a problem, and SpyCloud’s 2023 Identity Exposure Report found a 72% password reuse rate for users exposed in two or more breaches in the past year—an 8-point increase from 64% the previous year. As long as password reuse persists, old credentials will remain valuable to criminals.
It’s worth noting that there are potential benefits for victims using new DBSEs in certain circumstances. Traditional DBSEs were most helpful when a data breach originated from only one website, such as the LinkedIn example mentioned earlier. However, some data breaches consist of login credentials from unknown sources. In those cases, a newer DBSE can identify which passwords were compromised.
The Future:
Based on current trends, DBSEs could play a more substantial role in supplying cybercriminals in the near future. The number of cybercriminals seeking credentials is growing, potentially including more individuals unable to access traditional suppliers like hacker forums and dark marketplaces. For those people, it may only be a matter of time before they start looking elsewhere for credentials.
DBSEs appear to have a complex link to cyber threats, with both positive and negative effects on security. The cybersecurity research community has not sufficiently focused on DBSEs and their associated security implications, revealing a significant knowledge gap. Until cybersecurity research redirects attention to DBSEs, the true nature of their current and future role will be overlooked and unaddressed.
About the Author
Tom Caliendo is a security consultant and a freelance writer. He is the author of The OSINT Guide (see theosintguide.com) and is an established expert in the field of open source intelligence (OSINT). His work as a freelance writer focuses on new developments in cybersecurity, privacy, and Deep Web OSINT.
Source: www.cyberdefensemagazine.com