From data breaches to account compromise: how hackers use data leaks to hijack accounts

Tue, 17th Oct 2023

By Bogdan Botezatu, Director of Threat Research & Reporting, Bitdefender

Passwords have played a key role in security since long before computers were invented. The concept of a password dates back to ancient times, when people would use secret words or phrases to gain access to exclusive places or secret knowledge.

In the early days of computers, passwords were used to control access to mainframe systems and terminals. The passwords were often simple and easy to remember because computer systems were not as widespread or connected as they are today, and the risks weren't as omnipresent.

With the rise of the internet, passwords became crucial for protecting personal information. Fast-forward to today: passwords are everywhere. They often form the only barrier between the private and public realms of our complex digital existence. Lured by the wealth of information on the other side of that barrier, cybercriminals go to great lengths to capture credentials for online services.

Over the years, we have repeatedly changed the way we use and store passwords. Plaintext storage of passwords was the earliest - and least secure - implementation. Anyone with access to a database could see the passwords for each account. No matter how strong the password is, an attacker with access to the database could use the credentials right away. Here's how the user database would look in this scenario (this is dummy data seeded automatically, and any resemblance to real identities is purely coincidental):

|id|name|username|password|created_at|updated_at|
|:----|:----|:----|:----|:----|:----|
|1|Kimberley Albert|kimberleyalbert8704@example.tld|nthvbyfnjh|25.02.2023 01:07|25.02.2023 01:07|
|2|Reed Curry|reedcurry2236@example.tld|2wCmQRWR|10.06.2023 08:27|10.06.2023 08:27|
|3|Quynn Lancaster|quynnlancaster6941@example.tld|7Umcsj8P|16.09.2022 17:23|16.09.2022 17:23|
|4|Tamara Salinas|tamarasalinas5017@example.tld|tTasPMA6|23.09.2022 10:10|23.09.2022 10:10|
|5|Upton Rowland|uptonrowland@example.tld|h8ALHLUD|12.07.2024 08:01|12.07.2024 08:01|
|6|Hyatt Conner|hyattconner@example.tld|hshzCL7J|09.05.2023 11:39|09.05.2023 11:39|
|7|Remedios Brady|remediosbrady@example.tld|fqFrFx7X|13.09.2023 07:11|13.09.2023 07:11|
|8|Jillian Gay|jilliangay@example.tld|NNCfZM2j|05.01.2024 11:32|05.01.2024 11:32|
|9|Chancellor Small|chancellorsmall5289@example.tld|vCUkC5bP|28.02.2024 16:35|28.02.2024 16:35|
|10|Samuel Pitts|samuelpitts@example.tld|CX4KTCrZ|28.09.2022 18:08|28.09.2022 18:08|

If this method of storing passwords seems wrong to you, that's because it is. Testament to that is [the RockYou hack] in 2009 when cyber-criminals compromised 32 million accounts by dumping the company's database hosting plaintext credentials. These credentials are now part of the public domain, and many password-cracking services use them as a fundamental helper. More on that later in the article, we promise.

Despite all that, you'd be surprised to learn that some online services **still** store passwords in plain text and even e-mail those passwords to customers if they forget them.

Best security practices called for a revamp.

Rather than storing passwords in plain text, online services started "hashing" passwords before storing them. Hashing is a one-way transformation from plain text into a fixed number of characters as per the algorithm of choice. No matter how many characters the password has, the hash is always the same length - it can even be shorter than the raw password. Because it's technically a one-way function, it is impossible to get the raw password again. The hashed password can be stored in the database, so when a user logs in, their raw password is hashed with the same algorithm, and hashes are compared. If they match, you are in. If not, a login error is displayed.

|id|name|username|md5|created_at|updated_at|
|:----|:----|:----|:----|:----|:----|
|1|Kimberley Albert|kimberleyalbert8704@example.tld|1a06318cde287bd281034c7ff0c00d9a|25.02.2023 01:07|25.02.2023 01:07|
|2|Reed Curry|reedcurry2236@example.tld|69d6d73689958de3d3c37cf08569239e|10.06.2023 08:27|10.06.2023 08:27|
|3|Quynn Lancaster|quynnlancaster6941@example.tld|2c064579d18cc80474c0c5db0e3941ae|16.09.2022 17:23|16.09.2022 17:23|
|4|Tamara Salinas|tamarasalinas5017@example.tld|0ae9f6a7e0b2a364a3e97aa3303feb14|23.09.2022 10:10|23.09.2022 10:10|
|5|Upton Rowland|uptonrowland@example.tld|9ce1d881af8e2729f0b6a86c3a62d411|12.07.2024 08:01|12.07.2024 08:01|
|6|Hyatt Conner|hyattconner@example.tld|d6cd321f215bd1debc5772d440b423f7|09.05.2023 11:39|09.05.2023 11:39|
|7|Remedios Brady|remediosbrady@example.tld|984705949acbad74f0e374c72fc633ec|13.09.2023 07:11|13.09.2023 07:11|
|8|Jillian Gay|jilliangay@example.tld|d60c082c6ee7c3f9e3afc32869cdfcba|05.01.2024 11:32|05.01.2024 11:32|
|9|Chancellor Small|chancellorsmall5289@example.tld|ef72478a496367e6b8a0a8223effa8af|28.02.2024 16:35|28.02.2024 16:35|
|10|Samuel Pitts|samuelpitts@example.tld|ad891459bf8577e488bc52cfea97f46b|28.09.2022 18:08|28.09.2022 18:08|

If you paid attention to the transformations above, you might have noticed that the raw `nthvbyfnjh` password was transformed into `1a06318cde287bd281034c7ff0c00d9a` using the MD5 hashing algorithm (yes, we know that MD5 and SHA-1 hashing algorithms have been replaced with stronger ones, but this makes no real difference in the long run). This would prevent anyone with access to the database (like database administrators) or third parties (read hackers who just dumped a copy of the database) from getting the raw password associated with a specific user.

While hashing passwords would indeed prevent a third party from using the database contents to log in to victims' accounts, hackers have a workaround to recover the raw password. We mentioned that, unlike encryption, hashing is a one-way function, and it's impossible to recover the original plaintext. But this does not mean that once hashed, passwords are safe. Password crackers can still recover the vast majority of passwords by either brute-forcing them or running dictionary attacks.

Brute-force attacks involve running every possible character combination through the hashing algorithm and comparing the resulting hashes with the stolen hash. Once they match, the password is found. This approach is so common that community-driven databases of precomputed hashes and corresponding plaintext passwords are maintained and distributed for free under the "rainbow tables" name. These tables make cracking a known hash as simple as looking it up.

Dictionary attacks are even simpler, as they are just a subset of the character combinations found in rainbow tables. Dictionaries have precomputed hashes for common or likely passwords (English words and their misspelt versions included).

Let's see how long it would take us to crack AKimberley's hash above and reveal her raw password. We'll use the hashcat hash cracking tool with those 30+ million credentials (rockyou.txt) leaked almost 15 years ago:

[GIF placeholder]

Just as expected, cracking the MD5 hashes took several seconds on hardware that is actually lower specced than your mobile phone.

**Salt makes everything better**

Hashing algorithms are designed to be fast and effective, but the "rainbow table attack" described earlier helps an attacker precompute the hashes for a large number of possible inputs, and it makes the rest of the attack a simple matter of looking up the original input based on the hash value.

This is where salt comes in. A salt is a random and unique value added to the input data before hashing. The salt is then stored along with the hashed value. The purpose of the salt is to make each hash unique, even if the original data is the same.

When a user creates an account or sets up a password, a random salt is generated and combined with their password. The salted password is then hashed and stored in the system. The salt is also stored so it can be used later during the login process.

Assuming that Kimberley's password was salted before storage, the operations order would be:

Kimberley selects `nthvbyfnjh` as her password. The system automatically generates a unique `VS5Z5xrP` salt. The system then concatenates the two strings as `nthvbyfnjhVS5Z5xrP` before computing the new string's MD5 hash: `5bd79353331a663bb7c6774a2f07fe2e`. Using salt, even if two users have the same password, their stored hashes will differ because of the unique salts. This thwarts the use of precomputed hash tables, as the attacker would need to generate separate tables for each salt value, which takes up much more time and resources.

During the login process, when a user enters their password, the stored salt is retrieved from the system. The salt is then combined with the password entered, and the result is hashed. This newly generated hash is compared to the stored hash. If they match, the password is considered correct.

**Fixing a world of broken passwords**

Data breaches are rampant. As of the moment of writing, more than **12 billion accounts** are known to have been breached and traded on specialized forums. And it's even worse if you take into account that victims often reuse the same username and password combination for multiple accounts. In this case, a savvy cyber-criminal would carry out a credential stuffing attack, trying to log in to other major services the victim might have signed up with.

To address these security issues, companies and experts began promoting stronger password practices. They advised using a combination of uppercase and lowercase letters, numbers, and special characters to create complex, unique passwords. They also recommended avoiding common words or easily guessable information like birthdays or pet names.

Despite these advancements, the challenge remains that people often reuse passwords for multiple accounts or choose weak and easily guessable ones. This places their online security at risk. Therefore, it's important to follow good password practices, such as using unique and strong passwords, regularly rotating them, and enabling additional security measures like 2FA or MFA when available. These methods require users to provide an additional form of verification, such as a temporary code sent to their mobile devices, in addition to the password. This adds an extra layer of protection against unauthorized access.

But that's easier said than done. By sticking to these guidelines, users would have to create and memorize dozens of strong, unique passwords for every account they have. They also would have to rotate passwords that get compromised in a data breach. A combination of [password manager] and [digital identity protection software] helps a lot.

Passwords have evolved alongside technology and the increasing need for secure access to digital services. The focus is now on creating stronger and more secure authentication methods to protect personal information in the ever-changing digital landscape.