773M Credentials

It's not uncommon for cybercriminals to combine multiple data sets in order to increase their chances of finding valid user credentials. Security researcher Troy Hunt found the mother of all collections, dubbed "Collection #1". This roll up contains 773M sets of credentials fro

Reasonably Accurate Transcript

Morning everybody. How are you doing today? In this episode of the show, I want to talk to you about the latest blog post from premier security researcher Troy Hunt. Um, for those of you that don't know Troy, you probably know his work.

Um, he is the creator and maintainer of the website Have I Been Pwned, um, which is a credentials aggregator. It's a phenomenal service to the community that Troy runs. Essentially, what he does is he collects data breaches. He, um, sanitizes them, organizes them and puts them into, uh, this massive database that's accessible, um, from his website, haveibeenpwned.com.

Um, and that allows you to go in and check to see if your credentials have been breached, um, as part of various hacks. So the latest post that Troy has up, um, is about 773 million users, uh, credentials.

Now, um, this is also, I should say, 773 million user credentials. There is some duplication in the data set. Um, Wired had an article on this. It's popped up on Techmeme, it's gaining a bit of traction and Troy's got a phenomenal blog post up about it.

Um I'll link to that in the description below so that you can read about that. Um and his details on processing the data set and how he came about it. Um But the interesting thing here is that this is an aggregate data set as opposed to other data sets in the past where it's like there is breach from company A and here is the resulting data.

This is a collection of multiple data breaches over an unknown period of time. Now, some people are like, wow, this is a ton of user credentials. This must have been a massive breach, and that's incorrect. This is a collection, like I said, of other data breaches, and it's not uncommon to see these sort of packages of data.

Now, the Wired article referred to it as the Voltron of data breaches, where, um, separate things combined to build one massive thing. Um, and that's not a bad way to look at it. I would look at it more as a giant fishing net.

Um, where, uh, you know, and that's apropos, a little foreshadowing. Um, but what happens is, uh, in the digital underground, cybercriminals will try to collect as many sets of credentials as possible because of the low cost of attack.

And that's really what I wanted to talk about today, is that, um, when I talk to security professionals, when I talk to the average user, when I talk to the media about cybersecurity and about security breaches in the economics of cybercrime.

One of the absolutely critical points is to understand that it is such a low cost to commit cybercrime, especially once an attack or a scheme has been designed once; to execute it multiple times essentially costs almost nothing additional for the attacker.

So the analogy I like to use is, let's pretend we're bank robbers, because, you know, that's fun to pretend. Pretend, remember, I said pretend. So pretend we're a bank robber. And if we knock off a bank, um, and get away with some cash, um, we're quite proud of ourselves.

But if we try to do it again, if we knock off a second bank, the risk is, uh, increasing significantly. The reason being is when we hit the first bank, we left evidence, there were witnesses, there is video camera evidence, the police have investigated it.

They've gathered up all of this information about how we conducted this crime. And if we go to commit another crime, the likelihood of us getting caught significantly increases. The effort for us is the same as the first. We need to case the joint.

And again, we need to plan it all out. We need to put a huge amount of effort into this second crime, just as much effort as into the first crime. However, our risk is increased. So our return is actually disproportionate to the, uh, first one, right?

So the risk is now higher for the same return or potentially the same return. Cybercrime doesn't work that way at all. If we're now gonna commit a cybercrime, we figure out and design an attack or a scheme um to exfiltrate data, we figure out what we want to do and we point our tools at one target.

Well, for us to point our tools at a second target, we're not increasing any risk because of the lack of data sharing because of the fact that we can hit um targets in different countries. And there's a whole bunch of things that combine together to say that, you know, we're not actually increasing risk by going to the second one.

But for us, the effort is actually less because we simply just repoint the tools. We don't need to re-case the joint. We don't need to do a lot of the same work; we've done it once, so we can take advantage of scale now.

Yes, eventually this will catch up with us as the cybersecurity community and will help build defenses and help people be aware of the crime. But the economics are fundamentally different and that's why we see breaches or data collections from breaches.

Like the one that Troy has put into Have I Been Pwned and sharing with the community now, is because I can take that as a cyber criminal. Big quotes. I'm not a cyber criminal, obviously. Uh, but if I was a cyber criminal.

I can take all of those 773 million credentials and put them into my tools to try to use them in breaches in the future, because it doesn't cost me anything extra and it could increase my returns. That's why we see these sort of data aggregates. This one's abnormally large, for sure.

Um, but that's why you'll see this coming together, and it's not the first, it's not the last. Um, but I just wanted to share that out with you guys. Um, so, uh, as a little close out for this episode, I want to give another shout out to Troy, like the work he's doing with Have I Been Pwned is absolutely phenomenal.

Um, Troy is also a well renowned public speaker. He speaks around the world. Um, he's based in Australia, but he does go through Europe a lot and give a lot of talks there. He's also an active author on Pluralsight.

So go check out his courses there, because I know that helps out Troy, or make a direct donation to Have I Been Pwned. Um, the work he's doing truly does lift up the rest of us. Um, his tools and Have I Been Pwned have been integrated into a whole bunch of password managers, um, which is phenomenal and which is what you should be using.

We've covered that ad nauseam. Um, I'll link to some of the older episodes where we talk about password safety, um, down below. But again, huge shout out to Troy. He's doing phenomenal work and, uh, I, as a security professional, appreciate his work.

I think you whether you know him or not indirectly appreciate his work. But by all means, please give him a shout out. Um We need people like him to help us raise the bar. Um And this latest uh explanation of this mega breach uh where this mega data collection um is uh just another example of the good work that he's doing so.

Uh, kudos Troy, thanks a lot. We really appreciate it. Um, what do you guys think? Let me know. As always, hit me up online @marknca and, uh, those of you in the vlogs, in the comments down below and, uh, for podcast listeners and everybody else, uh, as always, by email, me@markn.ca. Hope you are set up for a fantastic day and I'll see you on the next show.