Retour sur les prévisions de 2019 en matière de sécurité des applications : le piratage de compte

Version imprimable, PDF et e-mail

At the start of the year, I made three predictions on attacks vectors that would become big problems over the year and beyond. This is the look at where the three are, now, at the end of the year. Starting with #1 – Account Takeovers.


Organizations will see a significant uptick in these attacks. Defenses, including two-factor authentication, attack detections and more need to be planned, and put in place with proper alerting systems to detect and block these attacks.

Zynga, EatStreet, Coinmama, Canva, Flipboard, DockerHub, Intuit.

These are some of the many companies that either lost user credentials in a data breach or were victims of a credential stuffing attack.

This year has been quite a massive year when it comes to credential attacks – be it stealing them or using them for account takeover. Early in the year, the massive Collection #1- #5 dump with over 2.2 billion unique credentials. We acquired the database and ran it against our existing credential dump, and a significant bit of the dump was previously leaked credentials. The dump itself easily dwarfed 2018’s Pemiblanc, and as the name suggests, it is mostly a collection of old data put together.

Source + larger image
Collection was followed by the GnosticPlayers dumps. GnosticPlayers as the hacker called themselves, started releasing previously unseen data dumps, including Canva and EatStreet. For the most part, these dumps seem to be valid and unique user credentials, and the dumps have been quite massive – Dubsmash, MyFitnessPal, Houzz, ClassPass and more. The images below give you an idea of the number of dumps they have posted.



Typically though, we don’t really hear much about the effects of these data branches. Those following the data breach news closely hear about the breaches, and some of the effects. That said, one event brought out the risks of these data breaches and credential reuse out quite massively –

Let’s get one thing clear right at the start: there is no evidence of a Disney+ data breach. Not even the person/s, who, within days of the launch, managed to dump thousands of valid credentials claim that there was a data breach.

What seems to have happened is, however, credential reuse. The malicious actors seem to have taken previously dumped data and validated it against Disney+ to see which ones were in use. When they got valid data, they proceeded to lock the users out of their accounts and sell their credentials. Users could no longer login to their accounts and are presumably working with Disney to reset their account credentials. This attack is a little concerning – over the last few years, there have been a variety of effective products to guard against such attacks. These include products that can detect such low and slow attacks and alert the application owners or block the attacks. In this case, we don’t know yet if this was identified but not blocked, or if it was not identified at all while in progress. We await more information.

Since last year, credential attacks have become more and more prevalent. Folks like Troy Hunt, who runs haveibeenpwned, have been trying to get everyone to start safeguarding their credentials. However, given the long history of painful password policies (something even NIST has acknowledged and is moving on from), it looks like it will take some time.

When it comes to organizations, there are a few things they can do to recede the impact of such attacks.

  • Impose sane password guidelines to reduce password reuse. For employers, it may make a lot of sense to provide password managers. Apple is rumored to have done so, and actually provided employees with family plans for the password management tool.
  • Implement multi-factor authentication
  • Secure all applications against credential (and other) attacks –
    • Ensure you have sufficient protections against all app attacks, including the OWASP Top 10
    • Have systems in place to detect and block low and slow bots (Slow bots are attackers/bots who come in from different regions over a longer period to avoid detection)
    • Ideally, implement a solution that can check all incoming credentials against known leaked credentials. This is not a 100% solution, but along with #2, it can help you identify and block these attacks quite early on

At Barracuda, we’ve launched the Advanced Bot Protection (ABP) product earlier this year. ABP is part of our Cloud Application Protection (CAP) platform and works together with our WAF product line to detect and block all types of advanced bot attacks. A big part of this product is Credential Stuffing security. With a large database of known leaked credentials, we can detect incoming account takeover/brute force attacks with ease. As part of the ABP product, this feature can take advantage of our Cloud Machine Learning Layer to identify the most advanced attackers. For a no-risk 30-day trial, visit our corporate site at

Remonter en haut de page