New service can tell a company which users have a password known to hackers, without having to know the usernames
Businesses need to keep their user accounts safe. But there are billions of username and password pairs available to hackers on the dark web, and users' tendency to reuse passwords across accounts means that hackers may already hold your users' credentials, stolen from a breached third party.
The result is the credential stuffing attack: hackers systematically try stolen username and password pairs against a target service, hundreds or even thousands at a time, until they find ones that work.
“Every day you hear about a new billion set of records that hackers are passing around,” comments Steve Thomas, co-founder and CEO of HackNotice. “So, hackers really have the keys to the kingdom; they know every username and password that’s been in use for anything from Spotify to Gmail to all the major services – and even bank accounts. The problem is that users still – the majority of users – still reuse passwords.” Companies are consequently at risk of compromise even if they have never leaked a single user credential.
Hackers may have many thousands of ‘John Smith’ usernames without knowing if any belong to their next target. Their solution is to automate the process of testing every single pair they have, looking for the right one.
There are methods of checking whether passwords are on the dark web and consequently at risk of being used in credential stuffing, but they generally require handing the user details to another company. This creates a conundrum: security argues for giving user details to a dark web monitoring service, while privacy regulations may require that you do not.
A new service from HackNotice addresses this problem: Dark Hash Collisions (with no association or connection to the crypto mining organization known as DarkHash). HackNotice can tell a company exactly which of its users have a password known to hackers, without having to know the usernames. Because no personal user information is passed to HackNotice, the privacy-compliance obstacle is removed.
HackNotice has spent the last three years gathering every username and password pair it can find on the dark web. It has about 14 billion pairs. This is growing at many more billions each year as new leaks are exposed.
For its Dark Hash Collisions service, the domain part of any e-mail-style user ID (everything from the ‘@’ onward) is stripped off, leaving just the bare username. HackNotice then spent many months of Amazon compute time hashing each of these usernames with SHA-512, so every record becomes a username hash paired with a password. Only the first half of each hash is used in the process.
The customer does the same, computing SHA-512 hashes of the usernames in its own user database. It then cuts each hash in half and passes only the first half (256 bits) to HackNotice. This is the ‘dark hash’: the truncated value cannot be expanded back into the full hash, and no username or e-mail address is sent. As with any hash of a short string, a bare username could in principle be guessed by hashing candidate names and comparing; the privacy argument rests on the fact that only the domain-stripped username, never the e-mail address or any other account data, is hashed.
That half hash is nevertheless enough to match against the hashes in the HackNotice database, since 256 bits of a SHA-512 digest identify a username hash uniquely in practice. Without any identifiable personal data leaving the customer, HackNotice can return the passwords recorded against each matching hash: the passwords for that user that are available to hackers on the dark web and consequently present a credential stuffing risk.
Of course, common names, such as John Smith, may have many thousands or even millions of different passwords in the HackNotice database. HackNotice is not told which customer account or domain a hash belongs to; it merely matches the half hash it receives against those in its database and passes back every password recorded against it.
The customer can then check whether any John Smith in its user database is using one of the returned passwords. Since a well-run customer stores only salted password hashes, this means running each returned candidate through its own password verifier for that user. If it finds a match, it can force a password reset or require the user to change the password at next login.
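The exchange described above, both sides of it, as an added example that is not part of the original article or HackNotice's own code. The leaked pairs and customer accounts are constructed sample data; lower-casing the username before hashing, and PBKDF2 standing in for the customer's password verifier, are assumptions of this example that the article does not specify.

```python
import hashlib
import hmac
import os
from collections import defaultdict

# --- Constructed sample data (illustration only, not real leaked credentials) ---
# Service side: username/password pairs as gathered from leaks. Some usernames are
# e-mail addresses; the domain part must be stripped before hashing.
LEAKED_PAIRS = [
    ("john.smith@example.net", "Summer2019!"),
    ("john.smith", "letmein"),
    ("john.smith@other.example", "Summer2019!"),  # same pair again once the domain is stripped
    ("alice", "hunter2"),
    ("bob@example.org", "correcthorsebatterystaple"),
]


def bare_username(user_id: str) -> str:
    """Strip the domain part (everything from '@' onward) of an e-mail-style ID.

    Lower-casing is an assumption of this example: the article does not say how,
    or whether, usernames are normalised before hashing.
    """
    return user_id.split("@", 1)[0].lower()


def dark_hash(user_id: str) -> str:
    """The 'dark hash': first half (256 bits, 64 hex chars) of SHA-512(bare username)."""
    full = hashlib.sha512(bare_username(user_id).encode("utf-8")).hexdigest()
    return full[: len(full) // 2]


def build_service_index(pairs):
    """Service side: map each half hash to the set of passwords seen with that username."""
    index = defaultdict(set)
    for user_id, password in pairs:
        index[dark_hash(user_id)].add(password)
    return index


def lookup(index, half_hashes):
    """Service side: answer each submitted half hash with every password known for it."""
    return {h: sorted(index.get(h, ())) for h in half_hashes}


# --- Customer side -------------------------------------------------------------
# A customer database normally holds only salted password hashes, so each returned
# candidate has to be run through the user's own verifier. PBKDF2 with a low
# iteration count stands in for the real (much slower) verifier here.
PBKDF2_ITERATIONS = 10_000


def store_password(password: str, salt=None):
    salt = salt if salt is not None else os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ITERATIONS)
    return salt, digest


def verify_password(candidate: str, salt: bytes, digest: bytes) -> bool:
    cand = hashlib.pbkdf2_hmac("sha256", candidate.encode("utf-8"), salt, PBKDF2_ITERATIONS)
    return hmac.compare_digest(cand, digest)


# Constructed customer accounts: user ID -> (salt, PBKDF2 digest)
CUSTOMER_USERS = {
    "john.smith@bank.example": store_password("Summer2019!"),          # reused leaked password
    "alice@bank.example": store_password("a-long-unique-passphrase"),  # leaked name, different password
    "carol@bank.example": store_password("hunter2"),                   # leaked password, different name
}


def find_compromised(customer_users, service_index):
    """Run the full exchange and return the customer IDs that are at risk."""
    # 1. The customer hashes and truncates locally; only the half hashes leave.
    submitted = {dark_hash(uid) for uid in customer_users}
    # 2. The service returns the candidate passwords recorded against each half hash.
    answers = lookup(service_index, submitted)
    # 3. The customer tests each candidate against its own stored verifier.
    at_risk = []
    for uid, (salt, digest) in customer_users.items():
        for candidate in answers.get(dark_hash(uid), []):
            if verify_password(candidate, salt, digest):
                at_risk.append(uid)
                break
    return sorted(at_risk)


if __name__ == "__main__":
    index = build_service_index(LEAKED_PAIRS)
    print(find_compromised(CUSTOMER_USERS, index))  # ['john.smith@bank.example']
```

Only john.smith is flagged: alice's leaked name comes back with a candidate that fails her verifier, and carol's reused password is never returned because the match is on the username hash, not the password. The cost of step 3 is the verifier's cost times the number of candidates per user, which the article puts at tens of thousands for very common usernames, so in practice the check is scheduled offline rather than run inline at login.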
At the beginning of this process, huge numbers may be involved. For every half hash the customer passes to HackNotice, it is likely to receive many compromised passwords back. “If a customer gives us six million half-hashes, we’re probably going to send back on the order of a few billion sets of credentials to check,” explains Thomas. “It will depend on the number of passwords we see for each username, but on average we’ll see anywhere from 4 to a dozen passwords for very distinct usernames, and tens of thousands for very common usernames.”
In computing terms, however, it is a simple task for the customer to see if any compromised username/password pairs exist among its own users.
If the company adopts the HackNotice monitoring service, these numbers rapidly dwindle: HackNotice keeps adding new leaks to its database, but returns only pairs it has not already sent to the customer.
An important aspect of this service is that it can monitor a customer’s at-risk usernames at scale, but never requires the customer to disclose identifiable personal information to a third party. “We want this to be a security service that’s loved by the legal team,” explains Thomas. “Nothing is sent to us that has any privacy concerns, nothing is sent to us that has any compliance concerns. Effectively, what comes in and goes out is all gibberish, but once it gets back into the client’s hands, they have live intelligence.”
That intelligence can be used in various ways. The obvious one is to fortify the company against credential stuffing. But suppose a particular user keeps reappearing on the compromised list: the user has been forced to reset their password, yet it has rapidly been re-compromised. This may indicate very poor password understanding and habits, or it may indicate information-stealing malware on the user’s computer.
It is even possible that a large number of hits from the half hashes a customer submits to HackNotice indicates an undetected breach of the customer itself. Here Thomas warns against jumping to conclusions. “Another possibility is that the user population might have a high correlation with another company, which was actually breached,” he said. “For example, a regional bank could have a high user population crossover with a regional telecommunications company, and users might typically reuse credentials with both. So, if the regional telecommunications company were to be breached, the regional bank’s users would be especially at risk after the data leak. This could also happen with other vendors throughout the supply chain.”
HackNotice also offers a live, real-time query option for on-demand checks. So, for example, a particularly large financial transaction may merit a check on whether the user’s credentials have been leaked to the dark web. A hit doesn’t mean that the user is a fraudster, but it does warn the customer that the transaction could be fraudulent and that additional anti-fraud measures should be brought into play.
The bottom line is that Dark Hash Collisions can, without exposing user data, detect every customer user whose credentials appear in the leaked data HackNotice has collected and who consequently presents a credential stuffing risk. “Compared to current, reactive cybersecurity,” said Thomas, “we can preemptively identify when hackers target clients for the future, stopping attacks before they start.”