Connect with us

Malware

Exposed Secrets: Unmasking Data Breaches, Stolen Credentials & Illicit Dark Web Bazaars

Published

on

Person typing on a keyboard

Infostealer malware is a significant and often underestimated threat to corporate information security teams. These malicious programs infect computers, steal credentials saved in browsers, along with active session cookies and other data, and send it back to the attacker’s command and control infrastructure. In some cases, the malware even self-terminates after completing its mission.

In this article, we’ll discuss how cybercriminals use stolen credentials to gain unauthorized access to privileged IT infrastructure, leading to data breaches and ransomware attacks. But infostealers aren’t the only threat; leaked credentials from more traditional sources continue to pose substantial risks to organizations.

It’s no secret that people often reuse the same password across multiple applications, creating a perfect opportunity for hackers to brute force their way into software-as-a-service (SaaS) and on-premises applications.

At IT Services, we currently monitor over forty million stealer logs. This number is growing by millions every month, with an expected increase in 2024. Additionally, we monitor over 14 billion leaked credentials found in data dumps across the dark web.

This unique perspective allows us to see firsthand how threat actors acquire, distribute, and use leaked credentials.

Understanding Leaked Credentials

To better comprehend leaked credentials, we can categorize them into tiers based on the method of leakage and the risk they pose to organizations. This approach, pioneered by Jason Haddix, helps security professionals clearly communicate credential leak risks to managers and corporate executives.

Tier 1 Leaked Credentials

Tier 1 leaked credentials result from third-party application or service breaches. When these breaches occur, all users of the affected service have their passwords compromised and distributed in a data dump on the dark web. This is the most common type of leaked credential.

For example, imagine a fictional corporation called Scatterholt with user logins for hundreds of thousands of consumers. If attackers breach Scatterholt and access the identity and access management system, they could steal these credentials and leak them onto the dark web.

Scatterholt could force a password reset for all users, but it’s likely that many users have reused the same password across other services. This leak gives threat actors the opportunity to use brute force techniques to gain access to other applications that share the same password.

Defending Against Tier 1 Leaked Credentials

Organizations can employ several well-researched defenses to reduce risk. First and foremost: monitor a leaked credentials database for corporate employee emails. This single action can make a massive difference as threat actors deliberately target passwords associated with corporate email addresses to facilitate data breaches.

Secondly, require users to routinely reset passwords on a schedule, ensuring that if a specific password is breached, they will have already rotated other corporate credentials.

Finally, we recommend using a password manager with a policy requiring employees to randomize passwords for various applications and store them securely, reducing the risk of employees making only minor changes to passwords.

The Special Case of Combolists

Combolists are collections of credential pairs, organized by service or geographically, used by cybercriminals in combination with brute force tools to attempt to gain access to various services.

Screenshot of combolist
Screenshot of combolist
Source: IT Services

These credentials often come from previous known breaches, stealer logs, or are entirely fabricated. The exact source is never entirely clear, but the sheer volume of credentials available through combolists, combined with frequent password reuse, makes them a significant attack vector.

Tier 2 Leaked Credentials

Tier 2 leaked credentials pose a unique risk to companies. These credentials are harvested directly from users through infostealer malware that steals all passwords saved in the browser.

We consider tier 2 leaked credentials to be of significantly increased risk to both the company and the user for the following reasons:

  • A single stealer log will contain all of the credentials the user saved in their browser. This creates a perfect opportunity for threat actors to socially engineer the victim, the IT help desk, or even the company using the victim’s information.
  • These logs contain the plain text username, password, and host for the credentials, often for hundreds of different logins. Threat actors have an enormous advantage when they can see dozens of password variations that the user uses.
  • These logs often contain form-fill data with answers to secret questions, which can be effectively used to bypass websites with secret questions.

Screenshot of the information stealer logs can contain, including cookies, passwords, and other sensitive information
Screenshot of the information stealer logs can contain, including cookies, passwords, and other sensitive information
Source: IT Services

Tier 3 Leaked Credentials

This tier of leaks, also from stealer logs, poses an extreme risk to organizations. Fresh stealer logs often contain active session cookies, which threat actors can easily use for session hijacking attacks. In these attacks, they impersonate the victim and potentially bypass two-factor authentication (2FA) and multi-factor authentication (MFA) controls.

Discovering a fresh stealer log with corporate credentials should immediately prompt an incident investigation, as it’s highly likely that the passwords are working and that threat actors could directly access corporate resources.

Screenshot from Telegram of a malware store
Screenshot from Telegram of a malware store
Source: IT Services

Defending Against Tier 3 Leaked Credentials

Limit the time-to-live (TTL) for corporate applications to reduce the risk of session cookies remaining valid if distributed as a result of an infostealer infection.

Multi-Factor Authentication Isn’t a Silver Bullet

Not monitoring leaked credentials likely means that many of your employees use single-factor authentication, as their passwords may have been exposed. Many people believe that enabling 2FA is sufficient protection against stolen credentials, but the reality is that threat actors are aware of the obstacle 2FA presents and have developed techniques to overcome it.

Whether through social engineering of employees, using 2FA bots to capture one-time codes/passwords from victims, or even SIM-swapping, there are many ways to bypass MFA controls that are actively used in the wild.

The best defense against these types of attacks involves using authenticator apps, which feature temporary rotating codes instead of one-time passwords received via email or SMS. These applications are usually more secure and ensure that the user controls a second device to some extent.

Concerned about Credentials? We Can Help

IT Services monitors more than 14 billion leaked credentials distributed on the dark web and hundreds of millions leaked through infostealer malware.

Our platform sets up in 30 minutes and provides robust detection for leaked employee credentials across hundreds of forums, channels, and marketplaces.

Check out our free trial.

Sponsored and written by IT Services.

Continue Reading
Click to comment

Leave a Reply

Your email address will not be published. Required fields are marked *

Malware

31 Million Email Addresses Alarmingly Exposed: A Massive Data Breach Uncovered

Discover the details of the Neiman Marcus data breach, where 31 million email addresses were exposed. Learn about the company’s response, the potential risks, and tips for protecting your data. Stay informed on the latest cybersecurity news with Bleeping Computer.

Published

on

If you’ve ever shopped at the American luxury retailer and department store chain Neiman Marcus, I’ve got some bad news for you. A data breach that took place in May 2024 has exposed more than 31 million customer email addresses, according to cybersecurity expert Troy Hunt, who analyzed the stolen data.

This is a big deal, especially considering that Neiman Marcus initially reported to the Office of the Maine Attorney General that the breach had only impacted 64,472 people. But after digging deeper, Hunt discovered 30 million unique email addresses in the stolen data and confirmed with multiple people that their information was indeed legitimate.

That’s a massive discrepancy, and it means that millions of people have had their personal information compromised.

The stolen data includes names, contact information (such as email and postal addresses, and phone numbers), dates of birth, gift card info, transaction data, partial credit card numbers (without expiration dates or CVVs), Social Security numbers, and employee identification numbers.

So, what happened? Enter the Snowflake data theft attack

Neiman Marcus has linked the incident to the so-called Snowflake data theft attacks. In June 2024, the company announced that an unauthorized party had gained access to a cloud database platform used by Neiman Marcus and provided by a third party, Snowflake.

This disclosure came after a threat actor using the handle “Sp1d3r” put Neiman Marcus’ data up for sale on a hacking forum, asking for $150,000 in exchange for 12 million gift card numbers, 70 million transactions with full customer details, and 6 billion rows of customer shopping records, store information, and employee data.

It’s worth noting that the threat actor initially claimed that Neiman Marcus had refused to pay an extortion demand. However, the forum post and the data sample were later taken down, suggesting that the company may have begun negotiating.

An investigation conducted by SnowFlake, Mandiant, and CrowdStrike revealed that a financially motivated group known as UNC5537 was responsible for the attacks. Using stolen customer credentials, they targeted at least 165 organizations that had failed to configure multi-factor authentication (MFA) protection on their SnowFlake accounts. Other recent breaches linked to these attacks include Ticketmaster, Santander, Pure Storage, QuoteWizard/LendingTree, Advance Auto Parts, and Los Angeles Unified.

What can you do to protect yourself?

First and foremost, if you’re a Neiman Marcus customer, you need to be vigilant. Keep an eye on your accounts for any suspicious activity, and consider changing your passwords and enabling multi-factor authentication wherever possible.

But this isn’t just about Neiman Marcus. As an IT Services expert, I can’t emphasize enough how important it is to take cybersecurity seriously. Always use strong, unique passwords, enable multi-factor authentication, and stay informed about the latest threats and best practices.

Remember, cybersecurity is a shared responsibility. Let’s all do our part to keep our personal information and the digital world safe.

And if you want to learn more about cybersecurity, don’t hesitate to reach out to us. We’re here to help you navigate the ever-changing landscape of threats and best practices. Stay safe out there!

Continue Reading

Malware

Massive Roblox Vendor Data Breach: Dev Conference Attendee Info Shockingly Exposed

A Roblox vendor data breach has exposed personal information of Roblox Developers Conference attendees. The breach, discovered on November 8, exposed names, billing addresses, and order details of customers, but no financial data. Roblox has since terminated the vendor’s contract and is taking steps to prevent future breaches.

Published

on

Imagine you’re a dedicated developer, excited to attend a prestigious conference to connect with peers and learn about innovative tools in your field. You register, book your flight, and eagerly await the event. Now imagine the disappointment and concern you’d feel if you discovered your personal information had been exposed due to a data breach. Unfortunately, this scenario recently became reality for attendees of the Roblox Developer Conference.

Roblox, a wildly popular online gaming and game creation platform, boasts over 200 million active users, many of whom are young developers eager to design, create, and share games with their community. Each year, the company holds a Roblox Developer Conference (RDC) to provide networking opportunities and learning experiences for these talented individuals.

However, a notice published recently revealed that FNTech, the vendor responsible for handling registration for the conference, suffered a data breach. Unauthorized access to its systems led to the exposure of personal information belonging to attendees of the 2022, 2023, and 2024 RDC events.

What was exposed, and who is affected?

The data breach resulted in the theft of attendees’ full names, email addresses, and IP addresses. According to the data breach notification service Have I Been Pwned (HIBP), 10,386 unique email addresses were exposed. Of these, 63% (6,500) had not been exposed in previous breaches.

Worryingly, this isn’t the first time Roblox developers have been targeted. In July 2023, HIBP added information about nearly 4,000 Roblox developer accounts to its database. These individuals, also RDC attendees, had their data leaked on a hacker forum following a 2021 breach that impacted attendees from 2017 to 2020.

Understanding the risks and taking action

While the recent breach doesn’t directly put Roblox developers in immediate danger, it does increase the likelihood of targeted phishing attacks. Armed with their personal information, cybercriminals could easily craft convincing messages designed to trick developers into revealing even more sensitive data.

In response to the breach, Roblox has taken steps to prevent similar incidents in the future. However, this isn’t the first time the platform and its users have faced security threats. In November 2022, over 200,000 users installed a malicious Chrome extension called SearchBlox, which contained code designed to steal Roblox account credentials.

Don’t let this happen to you!

As an IT Services company specializing in cybersecurity, we understand how devastating data breaches can be, not only to businesses but also to individuals like the RDC attendees. Don’t leave your security to chance—reach out to us for expert advice and support to keep your data safe and secure.

Together, we can help prevent cyberattacks and protect your personal information from falling into the wrong hands. And remember, always stay vigilant and be cautious of any suspicious emails or messages, no matter how convincing they may seem.

Contact us today to learn more about our cybersecurity services, and keep coming back for the latest news and insights in the world of online safety.

Continue Reading

Malware

Shopify Debunks Hacking Claims, Exposes Stolen Data Connection to Third-Party App

Shopify has denied being hacked after suspicious emails were sent to customers, blaming a third-party app for the data breach. The firm’s investigation revealed that the app had accessed and stolen data from Shopify’s API, but the incident was not a security breach of the platform itself.

Published

on

Shopify, the popular e-commerce platform, has recently denied experiencing a data breach after a threat actor started selling customer data that they claimed to have stolen from Shopify’s network. But, don’t worry, it’s not as bad as it seems.

What Shopify had to say

According to Shopify, the company’s systems have not suffered a security incident. They told us, “The data loss reported was caused by a third-party app. The app developer intends to notify affected customers.

This statement comes after a threat actor, known as ‘888’, began selling data they claimed was stolen from Shopify back in 2024.

Selling alleged Shopify data on a hacking forum
Selling alleged Shopify data on a hacking forum
Source: IT Services

What’s in the data?

The threat actor shared data samples that include a person’s Shopify ID, first name, last name, email, mobile number, order count, total spent, email subscription, email subscription date, SMS subscription, and SMS subscription date. While this information is significant, it’s important to remember that Shopify itself wasn’t directly breached.

Unfortunately, Shopify did not provide any further information about the app from which this customer’s data was stolen.

A history of data leaks

The threat actor, 888, has been linked to previous data sales or leaks allegedly involving companies like Credit Suisse, Shell, Heineken, Accenture India, and Unicef.

It’s also worth noting that in 2020, Shopify disclosed that two “rogue members” of its support team accessed customer transactional records of about 200 merchants. While this is concerning, it’s essential to recognize the proactive steps the company has taken to address security issues.


Stay informed and protect your data

While this particular incident doesn’t seem to be a direct breach of Shopify’s systems, it’s still a reminder to stay vigilant when it comes to our data. Make sure to stay informed about potential threats and take the necessary steps to protect your personal information.

If you’re interested in learning more about cybersecurity and how to keep your data safe, don’t hesitate to contact us and keep coming back for more valuable information.

Continue Reading

Trending