The good citizens of the Internet are frequently reminded that their passwords should contain a sufficiently complex combination of alphanumeric and special characters and, of course, meet or exceed a minimum length. Confusingly, the precise criteria for both is entirely dependent on which online service you use.

While security is everybody's responsibility, what should you be most concerned about if an online service lets you down and leaks your credentials, either through a malicious attack or simply through incompetence? The answer is twofold.

The first part of the answer depends on whether the online vendor informs you of the data breach straight away. I had my credentials stolen about a decade ago from a website that I had used once (around 2010, I think). The vendor reported the leak to a government department that did not make the breach public for a number of years afterwards, for reasons that I still don't find convincing. When I found out about the breach in 2014, I was horrified and immediately changed my password, eventually getting the vendor to completely close the account. Thankfully, only my name, age, postal address, email address, and order history were exposed, but potentially that's quite enough for identity theft.

The second part of the answer lies in your responsibility to ensure that you use unique passwords for each online service. Even if you change your password after a data leak, you are only protecting yourself on one service (who is hopefully running with heightened security, post-compromise). The bad news is that even if you keep passwords unique per service but reuse a pattern for your passwords across multiple online services, then you are still at risk. For example, penetration testers and attackers alike will try a capital letter at the start of passwords as it is so common.

In this article, I will look at how attackers abuse the valuable data often made available on the dark web after a data breach – using automated bots in many cases. I will explore credential stuffing and explain how it differs from password spraying. Importantly, I will show you how to protect your online accounts against such nefarious attacks.

What Does the Data Look Like?

Before looking at one of the tools used by attackers for credential stuffing, let's have a look at the kind of data that gets passed around after a successful data breach. One website that offers both free and paid access to such datasets is a European search engine called Intelligence X [1] (see also the "OSINT Tooling" box). At the time of writing, the splash screen informs visitors that it currently has "110,768,706,582 records" available and refers to its service as being able to "Search Tor, I2P, data leaks, public web [...]."

OSINT Tooling

It is also worth mentioning that under the Tools menu on its website, Intelligence X provides a number of very useful ethical hacking tools that fall under the Open Source Intelligence (OSINT) category. According to the SANS Institute [2], OSINT "is the collection, analysis, and dissemination of information that is publicly available and legally accessible."

The available tools include email address lookups, people searches (Figure 1), phone number checks, location finding, image searches, and the ability to find files, to name but a few. That's a bookmark worth saving.

Figure 1: Intelligence X offers a treasure trove of tools that can help with online research (source: https://intelx.io).

The search terms that can be used are notably powerful and include domain names, URLs, IP addresses (and CIDRs), and even Bitcoin addresses. In Figure 2, you can see the redacted output if I search for intelx.io within Intelligence X's search results.

Figure 2: Sample information found by Intelligence X (source: https://intelx.io).

For its own domain name, the search output dutifully reports "Found 446 Text Files, 372 Website HTMLs, 23 Pastes, 6 CSV Files, 3 Database Files, 2 PDF Files, 1 Domain." That's a lot of information, and remember, this is not hiding cloaked in secrecy on the dark web. Instead, it is fully available to anyone able to use a search engine.

If I drill down into one of the files containing breach data, I am prompted to sign up. The choices are either 50 free daily lookups or 200 daily lookups using a paid Researcher account (EUR2,500 a year), along with a number of other features.

The Intelligence X website also provides a detailed blog, along with excellent examples of the type of data that I will cover shortly. One post from 2020 [3] refers to a dataset from a breach containing:

• 160GB of data
• 10+ million selectors
• 29,791 active .gov domains
• 13,208 active .mil domains

Intelligence X's web crawlers apparently only took 24 hours to gather that volume of data, which is as staggering as it is worrying. The blog mentions neatly storing such data within a new category that the site recently created to encompass all public data from .gov and .mil domain names. This level of data capture hopefully illustrates the pace at which large datasets can be created and made available to attackers.

Data, Data, Data

Now that I've covered accessing data breach content from freemium services, I'll move on to a sample breach file from the 000webhost data breach (named after the compromised company involved), which can be easily found on Daniel Miessler's GitHub page [4]. I'm confident, however, that this file is also available from multiple locations online if you look for it. Listing 1 shows the first 10 lines from Miessler's sample 000webhost data breach file. This data breach [5] affected a gobsmacking 13 million users in 2015.

I will use the passwords from Listing 1 as a test example to explain credential stuffing. (If you are not keen on using these, Miesler's GitHub account [6] provides other options.)

1qaz2wsx
306187mn
rados1
newyork911
abc123
taqiyudin100587
wjr5443
nana0428
1992jp
bahamut24ritter

Putting the Parts Together

Imperva [7], the cybersecurity company, explains credential stuffing as "a cyberattack method in which attackers use lists of compromised user credentials to breach into a system. The attack uses bots for automation and scale and is based on the assumption that many users reuse usernames and passwords across multiple services." It is worth repeating again: Reusing passwords for multiple services helps attackers with their goals when it comes to credential stuffing.

What I haven't said is probably the scariest part, however. One of the reasons why credential stuffing is so successful is because of the way that online services protect themselves against a user entering their password incorrectly on multiple occasions.

Most people will be familiar with the dreaded "Your account has been locked, please contact Support" message seen after getting their password wrong three times. When it comes to reusing credentials from a breach, attackers are clever and will only try a username once or twice with a password before moving on to the next username in order to avoid locking out lots of accounts and potentially raising an alarm. This is only possible at scale due to the massive amount of data from breaches available online. By making use of automated bots, it's possible to simply feed them with ongoing content (in the form of usernames and passwords) until they successfully log into an account.

So far, I only have passwords from the 000webhost breach data, but I obviously need usernames or, more commonly, email addresses that are used as usernames, in order to try and log into an online service. Miessler's GitHub repository also has a mountain of usernames available [8], including lists of popular male [9] and female names to try in the username field during an attack.

You can try password lists to successfully stuff credentials into an online service's login page, but you need valid usernames or email addresses for that particular service to have a much better chance of success. Otherwise, there is little point in trying a couple of passwords per user if that account definitely doesn't exist.

This is where OSINT comes in and indeed tools such as Intelligence X. It is possible to discover endless email addresses if you look hard enough for users of a particular site. I'm not saying this is necessarily accurate, but a banner appearing on the Intelligence X splash page, shortly after saying how much Intelligence X respects privacy, mentions that Facebook sells user data to third parties. As you can imagine, that is an online service with a massive dataset that you could search through for valid users. Plus, even on the earlier searches for .gov and .mil domain names, email addresses were displayed – more commonly for teams rather than individuals, admittedly, but you get the idea.