Time and time again, I get emails and DMs from people that effectively boil down to this: "Hey, that paste that just appeared in Have I Been Pwned is from Spotify, looks like they've had a data breach."

Many years ago, I introduced the concept of pastes to HIBP and what they essentially boil down to is monitoring Pastebin and a bunch of other services for when a trove of email addresses is dumped online. Very often, those addresses are accompanied by other personal information such as passwords. When an HIBP subscriber's address appears in one of these incidents, they get an automated notification and often, it seems, they then reach out to me. Here's a perfect example of what I'm talking about, this one eventually triggering an email to me just last week.

Let's imagine you're the first person on the list: you get a notification from HIBP, you check out the paste and see your Hotmail account listed there alongside your Spotify password and the plan you're subscribed to. No, and the passwords are the very first thing that starts to give it all away. Just looking at them, they're obviously terrible, but plugging the first one into Pwned Passwords gives you a sense of just how terrible it is.

They may not all be that bad (the next one in the list has only been seen twice), but the point is that it's a password that's clearly been seen before and were I to dig back into the source data, there's a good chance it's been seen in a breach alongside that email address too. Then there's the fact that the password is in plain text and I don't know precisely how Spotify store their passwords, but it'd be a very safe bet that by now it's a decent modern-day hashing algorithm. If they had a breach then yes, hashes may be cracked, but that's not what's happening here. We're simply seeing the successful result of credential stuffing attacks.

Regular readers will appreciate the mechanics of this already, but for those I point here for whom this is new, this attack simply takes exposed credentials from a data breach and tries them on another site. The attack is simple but effective due to the prevalence of password reuse. If you were using the same password on LinkedIn when they had their data breach as you are on Spotify today and someone grabbed that password from the breach and tried it on Spotify, you can see the problem. That's it, job done, they're into your account.

Spotify "breaches" like this are enormously common. Digging further, I found over a thousand pastes with "Spotify" in the title. I just went and looked at the pastes HIBP has collected since the clock ticked over to 2019 and found 20 of them already. These are often removed by Pastebin pretty quickly but, looking through some that remain, it's precisely the same pattern as the earlier example. I grabbed a random email address out of one of them and checked it on HIBP: the same address appears over and over in pastes and each time, the same password appears alongside it.

Picking one from the list above that hasn't yet been removed shows a page full of examples like this (with a password Pwned Passwords has seen 4 times before). This one is interesting for a couple of reasons and the first is the use of the term "combo". I've written about combo lists before and they're essentially combinations of email addresses and passwords used to test against services in credential stuffing attacks. The second interesting observation in that image is the "Spotify Cracker" reference. The first Google result for the term shows a popular cracking forum with the following image (password seen 447 times in Pwned Passwords).
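The Pwned Passwords lookup referred to above, as an added example that is not part of the original post: it does the check the way the public range API works, so only the first five characters of the SHA-1 hash ever leave the machine (k-anonymity), and it treats the zero-count padding rows the API can return as "not seen". The embedded range response is constructed, with its counts made up (447 mirrors the figure quoted in the post, not a real count), and `fetch_range` assumes the `api.pwnedpasswords.com/range/` endpoint.

```python
import hashlib
import urllib.request

PWNED_RANGE_URL = "https://api.pwnedpasswords.com/range/"

# Constructed stand-in for the response to GET /range/5BAA6 (the prefix of
# SHA-1("password")). Same "SUFFIX:COUNT" line shape as the real API, but the
# counts are made up; 447 is chosen to mirror the figure quoted in the post.
SAMPLE_RANGE_5BAA6 = (
    "0A1B2C3D4E5F60718293A4B5C6D7E8F9A0B:2\r\n"
    "1E4C9B93F3F0682250B6CF8331B7EE68FD8:447\r\n"
    "F1E2D3C4B5A69788796A5B4C3D2E1F0A1B2:0\r\n"  # zero-count padding row
)


def sha1_prefix_suffix(password):
    """Split the uppercase SHA-1 hex digest into the 5-char range prefix and 35-char suffix."""
    digest = hashlib.sha1(password.encode("utf-8")).hexdigest().upper()
    return digest[:5], digest[5:]


def parse_range(body):
    """Parse 'SUFFIX:COUNT' lines into a dict; tolerates CRLF, blank and junk lines."""
    counts = {}
    for line in body.splitlines():
        suffix, sep, count = line.strip().partition(":")
        if sep and len(suffix) == 35 and count.isdigit():
            counts[suffix.upper()] = int(count)
    return counts


def fetch_range(prefix):
    """Live lookup: only the 5-char hash prefix is sent to the service."""
    req = urllib.request.Request(PWNED_RANGE_URL + prefix,
                                 headers={"User-Agent": "range-check-example"})
    with urllib.request.urlopen(req, timeout=10) as resp:
        return resp.read().decode("utf-8")


def pwned_count(password, fetch=fetch_range):
    """How many times Pwned Passwords has seen the password; 0 if absent or a padding row."""
    prefix, suffix = sha1_prefix_suffix(password)
    return parse_range(fetch(prefix)).get(suffix, 0)


if __name__ == "__main__":
    # Offline run against the constructed sample instead of the live API.
    offline = lambda prefix: SAMPLE_RANGE_5BAA6 if prefix == "5BAA6" else ""
    print(pwned_count("password", offline))  # 447 against the constructed sample
```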