Wapack Labs routinely collects data containing breached credentials that have been posted to the Internet, either privately, or publicly on sites such as Pastebin and other sites. In the past 6 months, analysts have observed 6 unique accounts owned by two major league sports teams in our collections. Both of these teams operate in the same geographical area. Five of the six breached credentials are for Major League Baseball (MLB) employees and one set of credentials is for a National Football League (NFL) employee. Credentials were posted in separate files with the following names:
- Major League Baseball:
- %TEMP%192k us hq combo private premium.txt
- USA_normalized_1500000.txt
- DropMeFiles_t46Jt.zip
- Untitled (2 Pastebin Posts)
- National Football League
- 1_0.txt
- 1_0.txt
Three sets of MLB employee credentials were observed in our breach data collections, however, two of the breached employee emails were part of our Pastebin collections. This indicates the personal credentials were posted publicly on Pastebin. Upon further analysis, one of the Pastebin posts has been taken down, but one set of MLB credentials is still publicly available. The most recent credentials, which are still visible, were posted to an untitled Pastebin on 9 August 2019.
In the instance of the MLB team, our analysts observed credentials for a Minor League Field Coordinator, but were unable to identify the other MLB employees’ positions based off of their email addresses. The email linked to the NFL team is the email address for the Director of Investment at their football stadium.
Analysts also observed a much stronger password in the case of the NFL employee, indicating the password policy for the MLB employees should require stronger passwords. Enforcing a multi-factor authentication policy would assist in preventing stolen credentials from being used successfully and maliciously. Changing passwords on a rotating schedule is another important network practice to put in place so that even if credentials are stolen, they will expire at some point.
All breach data was discovered in RedXRay profiles for each major league team. With a paid profile, clients can get notifications immediately so that once breach credentials are exposed (either publicly or privately) they can respond effectively. This limits the time a cyber attacker has to use stolen credentials and would strengthen the overall security stance of your company.
Wapack Labs is located in New Boston, NH. We are a Cyber Threat Analysis and Intelligence Service organization. For questions, comments or assistance, please contact the lab directly at 1-844-492-7225, or feedback@wapacklabs.com
