There are 24.6 billion pairs of credentials for sale on dark web

Plus: Citrix ADM has some really bad bugs, and more

In brief More than half of the 24.6 billion stolen credential pairs available for sale on the dark web were exposed in the past year, the Digital Shadows Research Team has found.

Data recorded from last year reflected a 64 percent increase over 2020's total (Digital Shadows publishes the data every two years), which is a significant slowdown compared to the two years preceding 2020. Between 2018 and the year the pandemic broke out, the number of credentials for sale shot up by 300 percent, the report said. 

Of the 24.6 billion credentials for sale, 6.7 billion of the pairs are unique, an increase of 1.7 billion over two years. This represents a 34 percent increase from 2020.

With all those credentials available for sale online, account takeover attacks have proliferated as well, the report said. Seventy-five percent of the passwords for sale online were not unique, noted Digital Shadows, which said everyone needs to be wary.

Proactive account protection, consistent application of good authentication habits, and awareness of one's organizational digital footprint are necessary to protect against account takeover attacks, the study found. Individuals, the report said, should "use multi-factor authentication, password managers, and complex, unique passwords."

Breach at Kaiser Permanente nets 70,000 patients' data

Non-profit healthcare firm Kaiser Permanente has informed 69,589 patients of an April data breach that compromised their records. Names, medical record numbers, dates, and lab test result information were potentially stolen.

The theft is only classified as a "maybe" [PDF] because of how the breach happened: An employee's email was hacked. "We have determined that protected health information was contained in the emails and, while we have no indication that the information was accessed by the unauthorized party, we are unable to completely rule out the possibility," Kaiser said in its notification. 

The access was reportedly detected and terminated within hours, and Kaiser said it has no evidence of any identity theft or misuse of protected health information. Sensitive information like Social Security Numbers or credit card information was not included.

Since Kaiser Permanente was breached in April, which it reported to the Department of Health and Human Services in June, there have been 13 other reports of healthcare security break-ins. Only one managed to top Kaiser's – a breach at Texas Tech University Health Sciences Center that affected 1,290,104 people.

Citrix vulnerability lets remote user reset admin passwords

Virtualization company Citrix has reported a serious pair of bugs in its Application Delivery Management (ADM) software that could lead to "corruption of the system."

More specifically, the pair of bugs can enable "the reset of the administrator password at the next device reboot, allowing an attacker with ssh access to connect with the default administrator credentials," Citrix said.

The second bug allows an attacker to disrupt the Application Delivery Management service, preventing new licenses from being issued or existing ones from being renewed.

It's unclear if the exploitation of the first is connected to the second, or if the two are simply being patched at the same time. 

Citrix said that both bugs affect all supported versions of Citrix ADM server and Citrix ADM agent 13.1 and 13.0, the only supported versions. Builds ADM 13.1-21.53 and ADM 13.0-85.19 contain patches that resolve the issues. Citrix ADM service, the cloud-hosted version of ADM, has been automatically updated and no customer action is required.

In addition to updating to the latest version, Citrix also recommends customers segment network traffic to the Citrix ADM, either physically or logically, to reduce attack surface.

Bugcrowd bans user for following instructions

Bug bounty platform Bugcrowd founder and CTO Casey John Ellis has admitted his company's mistake in banning security researcher Soatok from its platform for, by all accounts, doing exactly what they told him to do. 

Soatok, who by Bugcrowd's own admission has earned more than $2,500 from reporting bugs on the platform, got some blowback from Bugcrowd support after finding a cryptographic bug in the JavaScript BigNumber (JSBN) library. 

A submission Soatok made was deemed invalid for not including an example of exploit code, which Soatok maintains was left out because cryptographic exploits are complicated to develop. 

Soatok ultimately contacted Xfinity, which handles JSBN bugs under the scope of its Bugcrowd open-source bounty program, and was told to contact JSBN's maintainers through their GitHub repository, which he did. Because the bug had already been reported on Bugcrowd, Soatok's account was suspended for violating Bugcrowd's code of conduct.

The incident picked up traction on Twitter, triggering Ellis to step in. "Bugcrowd definitely didn't do its best work here, and we're aware," Ellis tweeted. "I've been speaking with Soatok to understand better and apologize." 

Soatok said that Ellis "wasn't blowing smoke" with his tweet. "He apologized up front and asserted that this escalation should not have ended the way it did, while promising an investigation into what went wrong, how to resolve it, and how to avoid it in the future," Soatok said. 

Soatok said Bugcrowd's senior director of security ops, Michael Skelton, told him that Bugcrowd is prioritizing updates to its SecOps runbooks for cryptography, and is also working on filling a knowledge gap in the field.

Still, Soatok said he's unlikely to return to Bugcrowd. "Trust is easy to lose and difficult to regain. Information security as an industry has to understand this truth better than users, or we will fail them," Soatok said. ® 

Biting the hand that feeds IT © 1998–2022