300,000 compromised accounts available on Pastebin: just the tip of the cybercrime iceberg
February 18, 2014
Security incidents, such as the recent Target breach that affected 70 million customers, attract a lot of media attention and unfairly outshine other, less “noisy” hacks. We conducted an experiment analyzing the Pastebin.com website that may indicate how big the hacking industry is today.
Security incidents, such as the recent Target breach that affected 70 million customers, attract a lot of media attention and unfairly outshine other, less “noisy” hacks. It is quite difficult to gather precise statistics on the number of global cyber attacks, the financial losses they cause and the number of people affected, because the most sophisticated attacks [and the most harmful in terms of financial damage] quite often remain undetected by their victims, or are suppressed to avoid public scandal and reputational damage.
At High-Tech Bridge we regularly perform complex computer crime forensics projects for our customers and analyze various illegal activities against web applications as a part of our ImmuniWeb® SaaS offering. In doing so, we gain an understanding of the specific techniques and mitigations for many types of cyber attacks, but we wanted to get a broader picture of how common these attacks are ‘in the wild’ and how much user data is being compromised across the world. To achieve this, we conducted an experiment that may indicate how big the hacking industry is today.
For the experiment we performed a detailed analysis of the Pastebin.com website. If you are not familiar with Pastebin.com, it is a service for sharing text online, often used by programmers to share snippets of code, for example. However, we found far more troubling information being shared on the site: quick and simple anonymous text storage also suits hackers, who use Pastebin to publish stolen information. The results of the research impressed even our team, and now we are sharing them with you.
Some Facts and Numbers
To minimize the risk of errors in our calculations we only analyzed information posted by hackers on Pastebin during the last twelve months, and excluded older records. Pastebin administrators remove records containing stolen information as quickly as they can, so to get a fuller picture we used Google’s cache and other tools to recover records that had already been removed. We also excluded from the experiment:
- Minor information leaks [affecting fewer than 100 users]
- Obvious fakes and false claims of hacks
- Copies/duplicates of data from previously reported leaks.
There is a lot of such “garbage” on Pastebin and cleaning up and filtering the information took us some time.
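The three exclusion rules above can be applied mechanically before any manual review. The following is an added example, not code from the original research or any High-Tech Bridge tooling: it extracts login/password pairs from paste bodies, drops pastes with fewer than 100 users, drops reposts that mostly repeat credentials already seen in an earlier paste, and tallies e-mail domains, the basis of the “most popular domain” breakdown given later in the post. The paste bodies, the `login:password` line layout, the 50% duplicate threshold and the `make_dump` helper are constructed assumptions; spotting “obvious fakes” still needs a human.

```python
"""Triage of Pastebin-style credential dumps, following the filtering rules used
in the text: extract login/password pairs, drop minor leaks (fewer than 100
users) and drop pastes that only duplicate a leak already seen. Added example
on constructed sample pastes; not part of the original research."""
from __future__ import annotations

import re
from collections import Counter
from dataclasses import dataclass, field

# One credential per line, "login<sep>password" with ':' ';' '|' or TAB as separator
# (assumed layout). The login may be a plain username or an e-mail address.
CRED_RE = re.compile(r"^\s*([\w.+-]+(?:@[\w.-]+)?)\s*[:;|\t]\s*(\S+)\s*$", re.M)
MIN_USERS = 100      # threshold from the text: smaller leaks are ignored
DUP_OVERLAP = 0.5    # share of already-seen credentials that marks a repost (assumption)


def extract_credentials(paste: str) -> set[tuple[str, str]]:
    """Return the distinct (login, password) pairs found in a paste body."""
    return {(m.group(1).lower(), m.group(2)) for m in CRED_RE.finditer(paste)}


@dataclass
class Triage:
    kept: list[tuple[str, int]] = field(default_factory=list)  # (paste_id, new credentials)
    dropped: dict[str, str] = field(default_factory=dict)      # paste_id -> reason
    seen: set[tuple[str, str]] = field(default_factory=set)    # all unique credentials kept


def triage(pastes: dict[str, str]) -> Triage:
    """Apply the exclusion rules in posting order (oldest paste first)."""
    result = Triage()
    for paste_id, body in pastes.items():
        creds = extract_credentials(body)
        if len(creds) < MIN_USERS:
            result.dropped[paste_id] = f"minor leak ({len(creds)} users)"
            continue
        overlap = len(creds & result.seen) / len(creds)
        if overlap >= DUP_OVERLAP:
            result.dropped[paste_id] = f"duplicate ({overlap:.0%} already seen)"
            continue
        new = creds - result.seen
        result.kept.append((paste_id, len(new)))
        result.seen |= new
    return result


def domain_breakdown(creds: set[tuple[str, str]]) -> Counter:
    """Count e-mail domains among the logins (basis for a 'most popular domain' table)."""
    return Counter(login.rsplit("@", 1)[1] for login, _ in creds if "@" in login)


def make_dump(prefix: str, domain: str, n: int, header: str = "") -> str:
    """Build a constructed credential dump of n lines (sample data, not a real leak)."""
    lines = [header] if header else []
    lines += [f"{prefix}{i}@{domain}:Pass{i}" for i in range(n)]
    return "\n".join(lines)


SAMPLE_PASTES = {  # paste_id -> body, in posting order (constructed sample data)
    "site_a_dump": make_dump("user", "example.com", 250, "=== site-a users ==="),
    "repost_of_a": make_dump("user", "example.com", 200, "found this on another paste"),
    "small_dump": make_dump("acct", "example.net", 40),
    "site_b_dump": make_dump("member", "example.org", 150, "Hacked by TeamX, full db for sale"),
}

if __name__ == "__main__":
    t = triage(SAMPLE_PASTES)
    for paste_id, n in t.kept:
        print(f"kept    {paste_id}: {n} new credentials")
    for paste_id, reason in t.dropped.items():
        print(f"dropped {paste_id}: {reason}")
    print("total unique credentials:", len(t.seen))
    print("top domains:", domain_breakdown(t.seen).most_common(3))
```

Header lines without a separator are ignored by the regex; the duplicate check is deliberately based on credential overlap rather than a hash of the whole paste, because reposts usually carry a different header or a subset of the original dump.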
Hackers do not usually use Pastebin to store the full details of their attacks, but to prove that they managed to hack someone or something. This is why the majority of records with stolen personal information usually represent only 0.01% to 1% of the total information compromised by the hackers. Nevertheless, even these ‘Proofs-of-Concept’ affected thousands of people and businesses worldwide.
In total we found 311,095 user credentials (login/password pairs) for various services, websites and emails, compromised during the last twelve months. In many cases other personal details, such as credit card numbers, addresses and phone numbers of the victims were also published by the hackers. On average each leak record on Pastebin contained 1,000 user credentials.
Sources of some of the leaks are easily identifiable, as hackers mark the posts with details of who was compromised and when [sometimes even how]. For example hackers post samples of a user database from a website with paid content (e.g. pornography or online cinema) and offer to sell the entire database, leaving their contact details for prospective buyers.
We also found hacktivists posting the personal data and passwords of law enforcement and security agencies in order to prove that they had managed to compromise them.
Other leaks didn’t clearly indicate their origin and so we had to deduce the probable source of the compromised data.
Almost no user accounts had “the most popular passwords” such as ‘12345’ or ‘qwerty’; however, the majority of passwords [posted in plaintext] were still too simple (e.g. ‘Hobbit2’ or ‘MyAppleTV’) and prone to dictionary and simple brute-force attacks. About half of the posted passwords were posted in hashed or otherwise encrypted form rather than plaintext. However, taking into consideration the quality of the passwords posted in plaintext, we can assume that not many people use strong passwords, which makes that protection almost worthless: a dictionary word with a capital letter and a trailing digit falls to an offline dictionary attack on the hashes in seconds. Many users follow the very dangerous practice of using the same password for several or even all of their online accounts. This means that if one of their accounts is hacked, even the most insignificant one, all the others are effectively compromised as well.
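The point about hashed passwords deserves a concrete illustration. The following is an added example, not code or data from the original post: a dictionary attack with a handful of mangling rules against unsalted digests, which recovers passwords of the ‘Hobbit2’ type almost instantly, plus a check for the same password reused across services. The MD5 algorithm, the wordlist, the mangling rules and the sample records are constructed assumptions; real cracking tools apply far richer rule sets and wordlists of millions of entries.

```python
"""Why hashing alone does not save weak passwords: a dictionary attack with a
few mangling rules against unsalted digests, plus a check for the same password
reused across services. Added example on constructed records; not from the
original post. The rules here are a deliberately tiny subset of what real
cracking tools apply."""
from __future__ import annotations

import hashlib
from collections import defaultdict

# Constructed wordlist; a real attack uses millions of words and previously leaked passwords.
WORDLIST = ["hobbit", "dragon", "summer", "password", "apple"]


def mangle(word: str):
    """Yield common user variations of a dictionary word."""
    for base in {word, word.capitalize(), word.upper()}:
        yield base                      # plain word
        for digit in range(10):         # single trailing digit: Hobbit2
            yield f"{base}{digit}"
        for year in ("2012", "2013", "2014"):
            yield f"{base}{year}"       # trailing year: summer2013
        yield f"{base}!"                # trailing punctuation: Dragon!


def digest(password: str, algo: str = "md5") -> str:
    """Unsalted hex digest, as found in many leaked dumps (algorithm is an assumption)."""
    return hashlib.new(algo, password.encode()).hexdigest()


def crack(records: list[tuple[str, str, str]], algo: str = "md5") -> dict[tuple[str, str], str]:
    """records: (service, login, hex digest). Returns {(service, login): password}.
    Unsalted digests of equal passwords are identical, so each candidate is
    hashed once and tested against every account at the same time."""
    by_digest = defaultdict(list)
    for service, login, d in records:
        by_digest[d].append((service, login))
    found = {}
    for word in WORDLIST:
        for candidate in mangle(word):
            d = digest(candidate, algo)
            for account in by_digest.get(d, ()):
                found[account] = candidate
    return found


def detect_reuse(records: list[tuple[str, str, str]]) -> dict[str, set[str]]:
    """Logins whose identical digest appears under more than one service.
    Works on unsalted dumps of the same algorithm (or on plaintext dumps);
    with per-user salts the passwords must be cracked first and then compared."""
    per_login = defaultdict(lambda: defaultdict(set))   # login -> digest -> services
    for service, login, d in records:
        per_login[login.lower()][d].add(service)
    reused = {}
    for login, by_d in per_login.items():
        shared = set().union(*(s for s in by_d.values() if len(s) > 1))
        if shared:
            reused[login] = shared
    return reused


SAMPLE = [  # (service, login, md5 digest) -- constructed, not data from any real leak
    ("forum",   "alice@example.com", digest("Hobbit2")),
    ("webmail", "alice@example.com", digest("Hobbit2")),       # same password reused
    ("forum",   "bob@example.com",   digest("summer2013")),
    ("shop",    "carol@example.com", digest("Dragon!")),
    ("forum",   "dave@example.com",  digest("rK8#vL2q@Zp9")),  # random: survives the wordlist
]

if __name__ == "__main__":
    for (service, login), pw in crack(SAMPLE).items():
        print(f"{service:8} {login:20} -> {pw}")
    print("password reuse:", detect_reuse(SAMPLE))
```

Four of the five constructed accounts fall to about two hundred hash computations; only the random password survives. The reuse check also explains why the “insignificant” forum account matters: its cracked password opens the webmail account of the same user.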
Ilia Kolochenko, High-Tech Bridge CEO, says: "Analyzing compromised records we can conclude that there are two main sources of information leaks posted on Pastebin: insecure web applications and compromised user machines with installed Trojans. Attacks against web applications and end-users remain among the easiest to conduct. The problem is that a lot of sensitive information is stored in many different places thanks to the cloud and other new technologies. Today hackers don’t need to perform frontal attacks anymore, they just need to find the least protected machine that can access the data they need and compromise it. Websites quite often have unlimited access to a central database, and it’s enough to find one SQL injection vulnerability that opens the door to compromise the entire database, no matter how secure the database server itself is."
To get a clear picture of what is going on we sorted and classified the data leaks. Below you can see what types of compromised systems are being posted on Pastebin:
| Source of leakage | Percentage of total |
| Miscellaneous / Mixed / Unknown | 40.6% |
| Online Payment Systems | 1.5% |
In some cases it’s difficult to say how exactly the system was breached, but the two main vectors are insecure web applications and attacks against the system administrator or privileged user (who is authorized to access the records).
The table below provides the most popular email systems where victims had their email accounts compromised:
| Most popular domain | Percentage of total |
The most popular social network for stolen user credentials posted on Pastebin is Facebook. This network represented 92% of all compromised social network accounts. Twitter was ranked in second place at 7.8%.
Ilia Kolochenko adds: "300,000 compromised user accounts during the last twelve months is a huge number if we take into consideration that this amount of information is being stored on just one single legitimate website. Moreover, these 300,000 are just a small percentage of the stolen information posted publicly by hackers. It’s impossible to make a precise estimate of how many user accounts were really compromised, but I think we can speak about several hundred million at least. People finally need to understand that the Internet is a very hostile place, while online service providers need to finally start taking network security seriously."