Troy Hunt: Password reuse, credential stuffing and another billion records in Have I been pwned

Anti Public listingPassword reuse, credential stuffing and another billion records in Have I been pwned

The short version: I’m loading over 1 billion breached accounts into HIBP. These are from 2 different “combo lists”, collections of email addresses and passwords from all sorts of different locations. I’ve verified their accuracy (including my own record in one of them) and many hundreds of millions of the email addresses are not already in HIBP. Because of the nature of the data coming from different places, if you’re in there then treat it as a reminder that your data is out there circulating around and that you need to go and get yourself a password manager and create strong, unique passwords. Read on for full details…

There’s a huge amount of hacked data floating around the web. Of course, you know that by now if you’ve been reading here or watching what I’ve been doing with Have I been pwned (HIBP) and up until writing this blog post, there were 2.7 billion examples of that on the site. There’s a lot more there now, but we’ll get back to that in a moment.

So there’s a lot of stuff getting hacked and a lot of credentials floating around the place, but then what? I mean what do evil-minded people do with all those email addresses and passwords? Among other things, they attempt to break into accounts on totally unrelated websites. Here’s a great example: someone grabs the 164 million record LinkedIn data dump that turned up last year and cracks the hashes. They’re SHA1 without a salt so the protection on the passwords is pretty useless. In no time at all you’ve got tens of millions of email address and plain text password pairs. And this is where the real problems begin.

As fallible humans, we reuse passwords. We’ve all done it at one time or another and whilst I hope that by virtue of you being here reading security stuff you’ve got yourself a good password manager, we’ve all got skeletons in our closets (more on mine soon). Most people are just out there YOLO’ing away with the same password or three across all their things. We know that because again, we’ve all done it and hackers know that because that’s their job! As such, they’re going to try and break into as many other accounts as they can using the credentials from a data breach. Which brings us to credential stuffing:

Credential stuffing is the automated injection of breached username/password pairs in order to fraudulently gain access to user accounts. This is a subset of the brute force attack category: large numbers of spilled credentials are automatically entered into websites until they are potentially matched to an existing account, which the attacker can then hijack for their own purposes.

Source: Troy Hunt: Password reuse, credential stuffing and another billion records in Have I been pwned