Are Leaked Credentials Dumps Used by Attackers?
Leaked credentials are a common thread for a while. Popular services like “Have I Been Pwned”[1] help everyone know if some emails and passwords have been leaked. This is a classic problem: One day, you create an account on a website (ex: an online shop), and later, this website is compromised. All credentials are collected and shared by the attacker. To reduce this risk, a best practice is to avoid password re-use (as well as to not use your corporate email address for non-business-related stuff).
I’ve been watching dumps of leaked credentials for a long time. My goal is not to compete with the service above. I do this for research purposes and to track potential leaks for juicy domains. Most of the "combo" files that you can find on the Internet are compilations of old leaks but presented as "fresh", "verified" or "valid" by the attacker:
- 250K-belgium-Combolist.txt
- 300kusa.txt
- 310k-yahoo-combos.txt
- 75k HQ Valid mail access.txt
- 83k mail_access.txt
- 50K Combo private BY AmrNet1 All Site.txt
- ...
The quality of these dumps is very poor. Most verifications I performed with 3rd parties always gave the same results: the account has not existed for a long time, our password policy has changed, etc.
In another life, I operated a free UNIX shell service and provided a free email address to users (linked to the shell access). Guess what? Many email addresses were lost everywhere and are part of many leaks (of course, mine was also leaked). My current credentials database contains 43 unique email addresses related to my domain rootshell.be. I stopped the free shell service for years, but my domain is still used today for personal purposes and catch-all addresses. So, I'm still collecting many emails sent to these old addresses.
But are these leaks used to try to get access to mailboxes (or other services)?
I searched my mail server logs to see if they were rejected authentication with these leaked accounts. Guess what? There are! Over the last six months, 27 unique logins (>50%) were used at least once. Here is the activity across the previous six months:
There are attempts every day, with peaks from time to time. Here is the top-ten of countries from where these connections occurred:
Netherlands |
633 |
Vietnam |
555 |
India |
520 |
China |
409 |
Russia |
389 |
United States |
356 |
South Korea |
286 |
Brazil |
247 |
Thailand |
208 |
Gambia |
185 |
Conclusion: Even if the quality of these dumps is very poor, they are used a lot in the wild! This is a perfect example of why you must safely manage your credentials!
[1] https://haveibeenpwned.com
Xavier Mertens (@xme)
Xameco
Senior ISC Handler - Freelance Cyber Security Consultant
PGP Key
Reverse-Engineering Malware: Advanced Code Analysis | Online | Greenwich Mean Time | Oct 28th - Nov 1st 2024 |
Comments