The FBI will soon begin sharing hashes of compromised passwords found in the course of its cybercrime investigations with Have I Been Pwned (HIBP), the data breach notification service. The hashes will feed Pwned Passwords, a service used to warn users against reusing passwords that have already been leaked in data breaches, says Troy Hunt, the Australian developer who created Have I Been Pwned.
The stolen and leaked data the FBI comes across in investigations, which would usually stay sealed as evidence, can now be put to use for active defense against account takeovers, reducing the harm done when breached credentials are reused. "The folks I've spoken to there [the FBI] have been absolutely fantastic," Hunt says. "They are really dedicated passionate people wanting to make a positive difference."
It is a sign that HIBP is increasingly being viewed as a critical outreach partner. It also reflects an evolving view that, alongside arrests and takedowns, remediation is an important component of fighting cybercrime and fraud.
Earlier in 2021, the FBI shared 4.3 million email addresses harvested by the Emotet botnet, which had been dismantled in a coordinated global law enforcement action. It was the first time the FBI had approached HIBP for help in notifying victims. HIBP has also seen wider take-up by governments: 17 governments now use the HIBP service to receive alerts when email addresses on their domains turn up in a breach. The most recently announced is Trinidad and Tobago.
Pwned Passwords now contains 613 million hashes of compromised passwords. It is available as a web service that now handles about 1 billion queries per month, Hunt says, and as a downloadable 12GB list that organizations can integrate into their own systems or other software. For example, the 1Password password manager uses Pwned Passwords inside its application to alert users when a saved password has appeared in a known breach. Another service, Safepass.me, uses the NTLM hashes in Pwned Passwords so that organizations can scan the NTLM hashes in their own Active Directory systems and find accounts whose passwords are already in breach corpora.
The FBI will supply the compromised passwords as SHA-1 and NTLM hashes, Hunt says. Pwned Passwords stores only hashes, never plain-text passwords. A hash is the fixed-length output of running the plain-text password through a one-way function. Both SHA-1 and NTLM are fast, unsalted hashes, so the hash of a weak password is cheap to reverse; that is tolerable here because every password in the set is already compromised, and hashing still avoids circulating plaintext lists while matching the formats the list's consumers already use.
The password hashes are not linked to email addresses. Nor does Pwned Passwords identify which breach a hash came from; it reports only how many times the password has appeared across HIBP's corpus.
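The two hash formats and the count-only lookup described above can be shown end to end. The following is an added example written for this page, not HIBP's or any vendor's code: it computes the SHA-1 and NTLM hashes of a password, splits the SHA-1 into the 5-character prefix that the Pwned Passwords range API expects and the suffix that is matched locally (so the full hash never leaves the client), and reads the `SUFFIX:COUNT` lines of a range response. The range response and the NTLM list embedded here are constructed stand-ins, including their counts; only the hash suffix for `password` is real. The pure-Python MD4 is included because OpenSSL 3 builds of `hashlib` often disable MD4, and NTLM is MD4 over the UTF-16LE password.

```python
"""Pwned Passwords style checks: SHA-1 and NTLM hashing plus the k-anonymity
range lookup. Added example, not HIBP's own code; the range/list bodies below
are constructed for illustration."""
import hashlib
import struct


def md4(message: bytes) -> bytes:
    """MD4 per RFC 1320, needed for NTLM. Uses hashlib when the build allows
    it and falls back to a pure-Python implementation otherwise."""
    try:
        return hashlib.new("md4", message).digest()
    except ValueError:
        pass
    mask = 0xFFFFFFFF
    rot = lambda x, n: ((x << n) | (x >> (32 - n))) & mask
    f = lambda x, y, z: (x & y) | (~x & z)
    g = lambda x, y, z: (x & y) | (x & z) | (y & z)
    h_fn = lambda x, y, z: x ^ y ^ z
    bit_len = len(message) * 8
    message += b"\x80" + b"\x00" * ((56 - (len(message) + 1) % 64) % 64)
    message += struct.pack("<Q", bit_len)
    rounds = (
        (f, 0x00000000, list(range(16)), (3, 7, 11, 19)),
        (g, 0x5A827999, [0, 4, 8, 12, 1, 5, 9, 13, 2, 6, 10, 14, 3, 7, 11, 15], (3, 5, 9, 13)),
        (h_fn, 0x6ED9EBA1, [0, 8, 4, 12, 2, 10, 6, 14, 1, 9, 5, 13, 3, 11, 7, 15], (3, 9, 11, 15)),
    )
    state = [0x67452301, 0xEFCDAB89, 0x98BADCFE, 0x10325476]
    for off in range(0, len(message), 64):
        x = struct.unpack("<16I", message[off:off + 64])
        a, b, c, d = state
        for fn, const, order, shifts in rounds:
            for i, k in enumerate(order):
                a, b, c, d = d, rot((a + fn(b, c, d) + x[k] + const) & mask, shifts[i % 4]), b, c
        state = [(v + w) & mask for v, w in zip(state, (a, b, c, d))]
    return struct.pack("<4I", *state)


def ntlm_hex(password: str) -> str:
    """NTLM: unsalted MD4 of the UTF-16LE password, uppercase hex as in the list."""
    return md4(password.encode("utf-16-le")).hex().upper()


def sha1_hex(password: str) -> str:
    """SHA-1 of the UTF-8 password, uppercase hex as in the list."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest().upper()


def k_anonymity_split(hex_hash: str) -> tuple[str, str]:
    """Only the 5-hex-char prefix is sent to the range API; the 35-char suffix
    is compared locally against the returned candidates."""
    hex_hash = hex_hash.upper()
    return hex_hash[:5], hex_hash[5:]


def parse_counts(body: str) -> dict[str, int]:
    """Parse 'HASH-OR-SUFFIX:COUNT' lines (range API responses and the
    downloadable list share this layout)."""
    counts: dict[str, int] = {}
    for line in body.splitlines():
        line = line.strip()
        if not line:
            continue
        key, _, count = line.partition(":")
        counts[key.upper()] = int(count)
    return counts


def breach_count(hex_hash: str, range_body: str) -> int:
    """Times the password appeared in the corpus, matched on suffix. A count
    of 0 is treated as not found: entries added by the API's Add-Padding
    option carry count 0 and are not real matches."""
    _, suffix = k_anonymity_split(hex_hash)
    return parse_counts(range_body).get(suffix, 0)


def breach_count_full(hex_hash: str, list_body: str) -> int:
    """Same check against a downloaded full-hash list (e.g. the NTLM list
    scanned against Active Directory hashes)."""
    return parse_counts(list_body).get(hex_hash.upper(), 0)


# Constructed stand-in for GET /range/5BAA6. Suffixes and counts are made up,
# except that the first suffix is the real one for SHA-1("password"). Real
# responses contain several hundred lines; the 0-count line imitates padding.
SAMPLE_RANGE_5BAA6 = """\
1E4C9B93F3F0682250B6CF8331B7EE68FD8:3861493
003D68EB55068C33ACE09247EE4C639306B:0
00B72DF2CE4CE3BCAE6DDBB3C2C3F9D7A6D:2
01ECA6D1F48E9D7E04E6B8F1A2E3B4C5D6E:17
"""

# Constructed excerpt of a full NTLM list; the hash is the real NTLM of "password".
SAMPLE_NTLM_LIST = "8846F7EAEE8FB117AD06BDD830B7586C:3861493\n"

if __name__ == "__main__":
    prefix, _ = k_anonymity_split(sha1_hex("password"))
    print("prefix sent to API:", prefix)
    print("SHA-1 range hits:", breach_count(sha1_hex("password"), SAMPLE_RANGE_5BAA6))
    print("NTLM list hits:", breach_count_full(ntlm_hex("password"), SAMPLE_NTLM_LIST))
```

In production the `SAMPLE_RANGE_5BAA6` string is replaced by the body returned for the prefix, and nothing but that 5-character prefix is sent over the wire; the lookup reveals which of roughly 800 candidate hashes you hold only to you.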
Hunt is calling for help in building a pipeline to ingest the data sent by the FBI. He announced Friday that Pwned Passwords will become an open-source project under the .NET Foundation. Making Pwned Passwords open source has several advantages, Hunt writes in a blog post: it increases transparency around the project and lets organizations take the code and run it as their own freestanding service.
Red Sky Alliance has been analyzing and documenting cyber threats and groups for over 9 years and maintains a resource library of malware and cyber actor reports available at https://redskyalliance.org at no charge. Many past tactics are reused in current malicious campaigns.
To protect your own supply chain, consider subscribing to RedXray, Red Sky Alliance’s cyber threat notification service. Details can be found at: https://www.wapacklabs.com/redxray. And oh, by the way – change your password.
Red Sky Alliance is in New Boston, NH USA. We are a Cyber Threat Analysis and Intelligence Service organization. For questions, comments, or assistance, please contact the lab directly at 1-844-492-7225, or firstname.lastname@example.org.
Interested in a RedXray subscription to see what we can do for you? Sign up here: https://www.wapacklabs.com/RedXray
- Reporting: https://www.redskyalliance.org/
- Website: https://www.wapacklabs.com/
- LinkedIn: https://www.linkedin.com/company/64265941