Compromised Credentials, Customer Satisfaction and Your Bottom Line
Smriti Jaggi Product Management
February 2020
Data breaches are becoming bigger and more frequent each year. ~4.1 B records were breached in the first half of 2019 alone!
[Figure: collage of breach headlines around a central "10+ Billion" label: 145 million Social Security numbers, 99 million addresses compromised and more; login information of 3,120 employees and contractors; 2.5 million Xbox and PlayStation gamers' details hacked; 1.7 million Imgur user accounts compromised; vBulletin forums hacked, 819,977 accounts leaked on hacking forums; 7 million accounts for Minecraft community 'Lifeboat'; 1 billion users affected; 1.5 million Instagram users; 13 infected Android apps on Google Play phishing Instagram accounts; 60 million Dropbox user details stolen; millions of Steam game keys stolen.]
Data Breaches - Stats at a glance…
After any breach: Reset user password!
Hurts User Engagement! ~14% of users return less frequently when forced to reset their password
1 Case Study of Yahoo’s Data Breach
Yahoo breach was detected after 3 yrs
Credentials available on dark web after 3 yrs
Credentials now also available on public sites
Monetization of the credentials began way back in 2013
Hackers sell the credentials on dark web only after monetization
[Timeline, left to right: 8/2013 Yahoo breach; credential stuffing starts; some credentials for sale on dark web; 7/2016 breach discovered; most credentials for sale on dark web. Labels: "Stolen credentials not available on dark web" and "When current methods find the stolen credentials".]
Peace_of_Mind said the data dates back to 2012 and that he had been selling them privately since late 2015.
2 Value of Stolen Credentials over time
Stolen credentials decrease in value over time
Dark web has only a fraction of spilled credentials
Hackers monetize the credentials first to gain maximum value
Credentials are then sold to associates to get additional ROI
Credentials made publicly available on dark web in Phase 3
Data breaches take time to be reported publicly
Larger group of attackers leverage publicly spilled credentials
When is the right time to identify spilled credentials?
Too late! (marker late on the curve)
Here is when you need to identify spilled credentials (marker early on the curve)
[Chart: "Credential Spill Value" plotted against time. Day 0: data breach. Tier 1 attacks: attacker. Tier 2 attacks: attacker's associates. Tier 3 attacks: dark web. Day 456: average time before breach is reported. Tier 4 attacks: public.]
NIST recommends checking customer credentials
Check Quality of Customer Credentials
Against what? Most dark web content already stale and recycled
...it is recommended that passwords chosen by users be compared against a “black list” of unacceptable passwords. This list should include passwords from previous breach corpuses, ...
TOO OLD
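The check NIST describes, sketched as an added example that is not part of the original deck or any Shape product: a candidate password is screened at set or change time against a public breach corpus and against a second feed of actively exploited credentials. Both corpora, the feed name and the function names are assumptions constructed for illustration.

```python
import hashlib
import unicodedata


def fingerprint(password: str) -> str:
    """NFKC-normalize, then hash, so the blocklist never stores plaintext.

    This digest is only a lookup key for passwords that are already exposed;
    it is not how user passwords should be stored.
    """
    normalized = unicodedata.normalize("NFKC", password)
    return hashlib.sha256(normalized.encode("utf-8")).hexdigest()


# Constructed sample corpora (hypothetical, for illustration only).
PUBLIC_CORPUS = {fingerprint(p) for p in ("123456", "password", "qwerty123")}
EXPLOITED_FEED = {fingerprint(p) for p in ("Summer2019!", "qwerty123")}


def screen_password(candidate: str) -> str:
    """Return the screening decision for a password being set or changed."""
    fp = fingerprint(candidate)
    if fp in EXPLOITED_FEED:
        return "reject: actively exploited"
    if fp in PUBLIC_CORPUS:
        return "reject: public breach corpus"
    return "accept"


def public_only_misses(candidates):
    """Passwords a public-corpus-only check would accept but the feed flags."""
    return [
        c for c in candidates
        if fingerprint(c) in EXPLOITED_FEED and fingerprint(c) not in PUBLIC_CORPUS
    ]


if __name__ == "__main__":
    for pw in ("password", "Summer2019!", "correct horse battery staple"):
        print(pw, "->", screen_password(pw))
    print("missed by public-only check:",
          public_only_misses(["password", "Summer2019!", "qwerty123"]))
```

The `public_only_misses` result is the gap the slide points at: a blocklist built only from stale public dumps accepts passwords that are already in use by attackers.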
Dark web credentials may offer <10% coverage at best
Billions of credentials are stolen
Some spills are detected (later)
Only a fraction are available on the dark web
3 Solution: Blackfish
Blackfish Network: most complete list of spilled credentials
BlackFish not only includes publicly available credentials…
… but also includes actively exploited credentials
Shape has the most complete list of spilled credentials
[Chart: the "Credential Spill Value" curve from the previous section (Day 0 data breach through Day 456, Tier 1 to Tier 4 attacks), overlaid with the Blackfish Network: 9+ billion publicly available credentials and 500 million actively exploited credentials.]
10M+ users have their credentials leaked in data breaches
Roughly 7/10 queries to Blackfish for personal email addresses result in a hit…
Exploited Credentials NOT publicly available on Dark Web: 96%
[Chart: x-axis Friday through Thursday.]
The BlackFish Network
As soon as stolen credentials are tried anywhere they are rendered useless everywhere.
THANK YOU
shapesecurity.com