Leaked Credentials
Risks of Leaked Information

Information leaked in data breaches and shared on the criminal underground can have various impacts.

Credentials

Leaked credentials (username and password combinations) pose the highest immediate risk to individuals. Regrouped in collections and combolists and exchanged on underground forums, they are used by malicious actors in credential stuffing attacks (https://flare.io/learn/resources/blog/credential-stuffing-attacks-and-cra/). The impacts can be broadly divided into two categories: customer account takeovers and employee account takeovers.

When using a credential stuffing approach to access customer accounts, a malicious actor gains access to the account of the user. This account often contains personal information on the user, such as a phone number or address, that can be used as described below. In banking, retail or e-commerce cases, the account also generally gives the actor access to funds or points, which he can fraudulently withdraw or use for products or services. This leads to a loss of funds for the company and increases the volume of support calls from users.

When the attack is used against employees' credentials, the consequences can be much worse. With access to a VPN or any network connection, it effectively acts as initial access (MITRE ATT&CK T1078, http://attack.mitre.org/techniques/T1078/) that a malicious actor can then use to pivot internally and escalate privileges. Simply by accessing an email inbox, the actor can impersonate the employee and commit, among many other frauds, CEO fraud (http://terranovasecurity.com/what-is-ceo-fraud/).

More information around leaked credentials and account takeover can be found in our webinar on account takeover prevention (http://flare.io/resource-center/blog/webinar-exploring-leaked-credentials-2/).

Name or Surname

With the increasing usage of digital tools and social media, people's names are generally widely available, and the only new information from a data leak is the relation between a name and a service, for example between John Smith and myfitnesspal.com. The information can be used to target the individual, John, with more targeted phishing if combined with contact information such as an email address or a phone number. Although unfortunate, there are no concrete actions that need to be taken in the case of a leaked name or surname.

Email Address

A leaked email address, without any associated password, has a limited impact. The main use for this data by malicious actors will be to include it in a list used for mass email sending (spam) or consumer phishing. In the case of a corporate address, it may also be used for targeted phishing against the organization. The information by itself has limited use, but can be combined with any other information to build a more complete profile of an individual.

Phone Number

A leaked phone number has limited impact, but may increase the chance that the individual will receive automated phishing calls and voice phishing (vishing). The goal of these calls is to obtain more information from the person to eventually commit fraud or a full identity theft.

Address

An address is a key part of an individual's identity. When leaked publicly, it can help a malicious actor impersonate the individual, especially when combined with other information such as a name or a date of birth, leading to identity theft. In certain cases, when an identity is stolen to open credit cards, a malicious actor will also attempt to intercept the mail going to this address to collect the fraudulently requested credit card and start using it.

Date of Birth

The date of birth is often requested by financial institutions and the government to support identification. A leaked date of birth, combined with other personal information, will help a malicious actor move towards a full identity theft.

Social Security Number / Social Insurance Number

The American Social Security Number (SSN) and the Canadian Social Insurance Number (SIN) are key pieces of information that are assumed to be kept confidential by individuals, and they can sometimes be used almost by themselves, along with the name of an individual, to validate his identity. If someone's SSN/SIN is leaked, it is recommended to take the measures outlined below to protect from identity theft as soon as possible.

Other Information

Other personal information, such as a place of birth, a favorite sport, the brand of a first car or a mother's maiden name, can be used to guess passwords and answers to security questions, although it does not present a risk by itself. Individuals should be aware of what information is leaked, and ensure it is not used in any authentication process (especially for financial or government access).

Consequences

Bank Account Fraud

When a malicious actor successfully accesses a victim's bank account, he can perform different steps to execute a cash out, in which he extracts the funds and leaves the victim with an empty account. When this happens, the fraud is generally covered by the bank. The American Consumer Financial Protection Bureau provides guidelines on recovering stolen funds (http://www.consumerfinance.gov/ask-cfpb/how-do-i-get-my-money-back-after-i-discovered-an-unauthorized-transaction-or-money-missing-from-my-bank-account-en-1017/), as does the Canadian Anti-Fraud Centre (http://www.antifraudcentre-centreantifraude.ca/scams-fraudes/victim-victime-eng.htm).

Identity Theft

Identity theft occurs when a malicious actor has collected enough personal information around an individual to impersonate him and commit fraudulent acts. The most common ones relate to accessing credit, in which case the victim is surprised by new credit cards, loans or mortgages that were opened in their name but where the actual funds were transferred to the malicious actor. The Government of Canada provides more information around protection from identity theft (http://www.ic.gc.ca/eic/site/oca-bc.nsf/eng/ca03025.html), and Equifax provides some guidance around what it is and what to do if it happens. In the United States and Canada, the current best practice when an individual is at risk of being a victim of identity theft following the leak of personal information is to request a credit freeze from the large credit agencies: Equifax, TransUnion and Experian (US only).

Other Fraud and Scams

A number of other frauds and scams can occur when personal information is leaked, as documented by the US government's page on common scams and frauds (http://www.usa.gov/common-scams-frauds).

Flare Importing Process

Leaked credential databases are imported in Flare in the following way:

- We follow major news platforms for information about breaches, and monitor popular criminal underground sources where actors discuss, trade and sell leaked credential databases.
- We identify and collect data that is accessible without involving any financial transaction.
- If the database contains username and password combinations, it will be imported in Flare.

Additionally, every document collected anywhere in our system, such as GitHub code files or forum conversations, goes through a data extractor that looks for credentials. If any are found, they are stored in the leaked credential database.

Sources

Our intelligence team continuously monitors the criminal underground looking for leaked credential databases exchanged on forums and markets. We often look at and include breach documentation from Have I Been Pwned (http://haveibeenpwned.com/). There are a number of potential areas where credentials are found:

- If credentials are shared as part of a clear and defined file coming from a single breached organization, the source name will include the year and the victim website, such as 2022 mysite.com.
- If credentials are shared as a collection (a large set of breaches brought together in a single set of files), we will name them with the name of the collection used by malicious actors on the criminal underground, such as Collection 2-5.
- If credentials are shared as a combolist (a carefully selected set of valuable credentials brought together by malicious actors specifically to execute credential stuffing attacks; more details here: https://flare.io/learn/resources/blog/combo-lists-the-dark-web-understanding-leaked-credentials/), the leaked credential event will be listed under the 'combolists' source. These pose a higher risk to an organization, as they are specifically made for offensive use cases.
- If we find leaked credentials that are difficult or impossible to track to a specific source, we will aggregate them into sources named YYYY varia.
- We also parse stealer logs to extract credentials when they are in the text. These are aggregated in sources named YYYY botnet data.

Not Finding a Specific Credential?

At this point in time, Flare does not provide a complete list of the breaches imported. If you're looking for a specific credential and it doesn't show up in Flare, it may be for the following reasons:

- The breach did not include username/password combinations. You can check this in the description on the Pwned Websites section of Have I Been Pwned (http://haveibeenpwned.com/pwnedwebsites). We only import breaches that contain email addresses and passwords.
- The leaked database is not available without a financial transaction, and our team has not gained access to it.
- We are in the process of importing it, or we've missed it for one reason or another. If that's the case, contact us by reaching out to your Flare Systems contact.
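As an added example, not Flare's own code, here is a small Python sketch of the two steps described above: a data extractor that pulls email:password pairs out of arbitrary collected text (code files, forum posts, stealer-log text), and the source-naming rules from the Sources section, with a final filter that keeps only hits on domains an organization monitors. The regex, the decision to keep only a SHA-256 of each password, the constructed sample text and all function names are assumptions made for this example.

```python
import hashlib
import re
from dataclasses import dataclass

# Constructed sample (fake values) in the shapes the page describes: combolist-style
# "email:password" lines, a pair embedded in prose, a re-post of one pair, and a bare address.
SAMPLE_TEXT = """\
alice@example.com:Summer2023!
bob@corp.example:hunter2
forum post quoting carol@corp.example : P@ssw0rd in passing
Bob@Corp.Example:hunter2
not a credential: contact support@example.com for help
"""

# Assumption: this pattern approximates an email:password pair; it is not Flare's extractor.
CRED_RE = re.compile(r"([A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,})\s*:\s*(\S+)")

@dataclass(frozen=True)
class LeakedCredential:
    email: str
    domain: str
    password_sha256: str  # only a hash is kept here (a choice of this example, not Flare's storage model)
    source: str

def source_name(year, victim=None, collection=None, combolist=False):
    """Page's naming rules: '2022 mysite.com', the collection's name, 'combolists', else 'YYYY varia'."""
    if victim:
        return f"{year} {victim}"
    if collection:
        return collection
    return "combolists" if combolist else f"{year} varia"

def extract_credentials(text, source):
    """Scan free text for email:password pairs; e-mails are lowercased and exact duplicates dropped."""
    found = {}
    for match in CRED_RE.finditer(text):
        email = match.group(1).lower()
        digest = hashlib.sha256(match.group(2).encode()).hexdigest()
        found.setdefault((email, digest), LeakedCredential(email, email.split("@", 1)[1], digest, source))
    return list(found.values())

def exposed_for(credentials, monitored_domains):
    """Keep only hits on domains the organization monitors (its customer or employee exposure)."""
    wanted = {d.lower() for d in monitored_domains}
    return [c for c in credentials if c.domain in wanted]

if __name__ == "__main__":
    creds = extract_credentials(SAMPLE_TEXT, source_name(2022, victim="mysite.com"))
    print([(c.email, c.source) for c in exposed_for(creds, ["corp.example"])])
```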