New Experiment Shows Just How Fast Hackers Act Once They Find Your Leaked Credentials

When credentials are leaked online, just how quickly does a hacker use them to attempt to access your accounts? That’s one of the questions Bitglass, a cloud access security broker based in Silicon Valley, wanted to answer when it conducted its second annual “Where’s Your Data?” experiment recently.

It turns out the hackers wasted no time.

Bitglass created a complete online persona for an employee of a fictitious bank and pretended that the employee’s Google Drive credentials were stolen via a phishing campaign. Using the credentials, which were leaked onto the Dark Web, hackers attempted to log in to multiple services within 24 hours.

“We saw a great deal of activity as that victim’s credentials were shared on the Dark Web and as hackers went and accessed not only the Google Drive, but all of these other accounts, including the victim’s bank account, using those credentials,” Salim Hafid, product manager, Bitglass, told the WHIR in an interview. “It was incredibly surprising to us 1) how fast those credentials spread, and 2) how eager hackers were to attempt multiple logins on these different sites.”

The month-long experiment, dubbed Project Cumulus, built on Bitglass’ initial experiment last year, which tracked documents and spreadsheets across the Dark Web to understand how the data itself spreads when it leaks.

“In this experiment we wanted to take that a step further and really understand how fast documents spread on both the Dark Web and on the surface web but also to understand how fast credentials spread,” Hafid said.


Embedded with the Bitglass watermark, the documents were easily tracked by Bitglass. The company was also able to see who accessed them and when they were accessed.

Bitglass created several accounts on social media using the credentials of the fictitious employee, as well as accounts on different cloud apps and services.

Hafid said the Bitglass team, which was made up of employees from across the organization in research, product and engineering, was surprised at the “sheer number of hackers who were willing to go out of their way to not only try those credentials where they were directed, which was the Google Drive, but on other sites that they didn’t know necessarily were associated with those credentials.”

In the first 24 hours of the experiment, Bitglass saw 5 bank logins and three attempted Google Drive logins.

“It really shows how quickly an organization’s corporate sensitive data can become exposed when those credentials are leaked,” Hafid said.

“A third of the total logins were in the first week. It shows how quickly organizations have to act,” he added.

In the report Bitglass warned against reusing passwords across different accounts, and suggested organizations set up alerts for unusual activity as well as apply data leakage prevention policies to control access.

Key Figures of Project Cumulus:

  • 1,400: The number of visits recorded to the Dark Web credentials and the fictitious bank’s web portal
  • 94 percent: The percentage of hackers who accessed the Google Drive and uncovered the victim’s other online accounts and attempted to log in to the bank’s web portal
  • 12 percent: The percentage of hackers who accessed the Google Drive that attempted to download files with sensitive content
  • 68 percent: The percentage of all logins that came from Tor-anonymized IP addresses
  • 30: Hackers came from more than 30 countries across six continents
