Security "Bits"

Credentials spread like wildfire in Project Cumulus data experiment

By Salim Hafid | February 17, 2016 at 9:00 AM


We hear about leaked passwords in the press every week and the dangers these leaks pose, particularly to those who reuse passwords across several sites. In Project Cumulus, we set out to understand just how fast credentials spread once they are leaked onto the dark web, what kind of data hackers are looking for, and how many other accounts are compromised in the process.

The Bitglass research team decided a bank employee would be a compelling target. Hackers could easily be convinced to take a small risk and attempt to download bank files in the hope of finding sensitive account information. It's the potential value of the leaked data that makes it so compelling to these underground criminals. Our team created a Google Apps for Work account and a complete online identity for an employee of a fictitious bank and a web portal for the bank. The "phished" credentials were then leaked onto the dark web for all to see and use.

One interesting thing to note about the dark web is the sheer difficulty of finding and accessing illicit sites. Unlike the surface web, there are no readily accessible search engines, and in the case of Tor, an anonymization network, all URLs must be accessed through a special browser that routes your traffic through a chain of remote relay servers. The big advantage for hackers is that Tor masks their identity, making it appear as if they are accessing a site from another location.

Immediately after leaking the victim's username and password onto the dark web, we observed a spike in activity across both the Google Drive and the (unadvertised) bank web portal that we set up. Within hours, we recorded hundreds of views and several logins. By the end of the first week, hundreds of views were recorded, and those who successfully logged into the Google Drive had also attempted to use those credentials elsewhere. In fact, most went to the bank portal shortly after logging into Drive and tried the same credentials there.

By the end of the experiment, one in ten hackers who viewed the credentials took the next step, logging into the account to see what files they could find. Passwords were changed, encrypted files were cracked, and some even used the Google Apps API to crawl the employee's Google Drive account. 68 percent of logins came from Tor-anonymized IP addresses, a number far greater than what we saw in our previous Where's Your Data Experiment, which indicates many hackers are becoming more security conscious.

We also looked at the locations from which these hackers accessed data and other notable occurrences, both on the Google Drive and on the other sites we set up. Check out our report for the full details.
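The signals described above (views of the leaked credential, logins to each decoy service, reuse of the same credential on the bank portal shortly after a Drive login, and the share of logins arriving from Tor exits) are exactly what a defender watches for when planting a honey credential. The following is an added example, not code from Bitglass or from the Project Cumulus report: it correlates a small constructed event log for a decoy account across a paste site, the Drive decoy and the portal decoy, computes the view-to-login conversion and Tor share, and flags Drive-to-portal credential-reuse pivots within a time window. The log format, the account name and the Tor exit-IP set are all constructed for the example; in a real deployment the Tor set would come from the Tor Project's published exit-address list.

```python
"""Honey-credential monitoring: correlate events for a leaked decoy account
across services, flag Tor-sourced logins, and spot credential-reuse pivots
from the Drive decoy to the bank-portal decoy. (Added example, not Bitglass code.)"""
from dataclasses import dataclass
from datetime import datetime, timedelta


@dataclass
class Event:
    ts: datetime
    service: str   # "paste" (where the decoy was leaked), "drive" or "portal"
    action: str    # "view" or "login"
    src_ip: str


# Constructed sample log (hypothetical format: timestamp service action source-IP).
# Five distinct sources viewed the leaked credential; three of them logged in.
SAMPLE_LOG = """\
2016-02-01T10:00:00 paste  view  203.0.113.10
2016-02-01T10:01:00 paste  view  198.51.100.7
2016-02-01T10:02:00 paste  view  192.0.2.44
2016-02-01T10:03:00 paste  view  192.0.2.45
2016-02-01T10:04:00 paste  view  192.0.2.46
2016-02-01T10:15:00 drive  login 203.0.113.10
2016-02-01T10:22:00 portal login 203.0.113.10
2016-02-01T11:40:00 drive  login 198.51.100.7
2016-02-02T03:10:00 drive  login 192.0.2.44
2016-02-02T09:30:00 portal login 192.0.2.44
"""

# Constructed stand-in for a Tor exit-node feed (not real exit addresses).
TOR_EXIT_IPS = {"203.0.113.10", "192.0.2.44"}


def parse_log(text):
    """Parse the whitespace-separated log into Event objects sorted by time."""
    events = []
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        ts, service, action, ip = line.split()
        events.append(Event(datetime.fromisoformat(ts), service, action, ip))
    return sorted(events, key=lambda e: e.ts)


def login_conversion(events):
    """Fraction of distinct viewer IPs that went on to log in somewhere."""
    viewers = {e.src_ip for e in events if e.action == "view"}
    logins = {e.src_ip for e in events if e.action == "login"}
    return len(logins) / len(viewers) if viewers else 0.0


def tor_login_share(events, tor_ips):
    """Fraction of login events whose source IP is a known Tor exit."""
    logins = [e for e in events if e.action == "login"]
    if not logins:
        return 0.0
    return sum(e.src_ip in tor_ips for e in logins) / len(logins)


def find_pivots(events, window):
    """Source IPs that logged into the Drive decoy and then the portal decoy
    within `window` of their first Drive login (credential reuse across sites)."""
    first_drive_login = {}
    pivots = []
    for e in events:  # already sorted by time
        if e.action != "login":
            continue
        if e.service == "drive":
            first_drive_login.setdefault(e.src_ip, e.ts)
        elif e.service == "portal" and e.src_ip in first_drive_login:
            delta = e.ts - first_drive_login[e.src_ip]
            if timedelta(0) <= delta <= window:
                pivots.append((e.src_ip, delta))
    return pivots


def alerts(events, tor_ips, window=timedelta(hours=2)):
    """Human-readable alert lines: every decoy login, plus each reuse pivot."""
    out = []
    for e in events:
        if e.action == "login":
            tag = "TOR" if e.src_ip in tor_ips else "clearnet"
            out.append(f"{e.ts.isoformat()} honey-credential login on {e.service} "
                       f"from {e.src_ip} [{tag}]")
    for ip, delta in find_pivots(events, window):
        out.append(f"credential reuse: {ip} pivoted drive -> portal after {delta}")
    return out


if __name__ == "__main__":
    evs = parse_log(SAMPLE_LOG)
    print(f"view->login conversion: {login_conversion(evs):.0%}")
    print(f"Tor share of logins:    {tor_login_share(evs, TOR_EXIT_IPS):.0%}")
    for line in alerts(evs, TOR_EXIT_IPS):
        print(line)
```

Because the decoy account has no legitimate user, every login is an alert by definition; the pivot check adds the cross-service correlation the post describes, and the window keeps a much later, unrelated portal login from being reported as reuse. Widening the window (for example to eight hours) pulls in the slower 192.0.2.44 pivot in the sample data.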

Download the report
