Case Studies Part 1

In this video, Zanidd describes real-life examples of password attacks at Twitter, Zoom, Canva and eBay. Watch to see how attacks could be prevented.
Hello world, I’m Zanidd. And welcome to the Hands On Password Cracking and Security course on CodeRed. In this section, we will look at some real-life cases where passwords were stolen or cracked and abused by an attacker. We will also take a look at how it could have been prevented and what the consequences for the company were. And as the title implies, this lesson will focus on data breaches and attacks that led to password dumps. Now, the first attack that we are taking a look at has actually nothing to do with password dumps. But it’s the most current one, so let’s take a quick glimpse over it.
In July of 2020, attackers gained access to Twitter employee accounts by means of social engineering. This means that rather than taking a hash and cracking it or trying to break a password, they convinced the users to give them the passwords by posing as a third party like a bank or a company - for example, Microsoft. They then used those accounts to enter an administration console and altered the verification emails for multiple users, including Barack Obama and Elon Musk. With the email altered, they could simply use something like a “forgot password” mechanism to reset the passwords and enter their accounts. Then they tweeted the Bitcoin scam using these high-profile accounts. Our first attack has to do with Zoom.
And I’m certain that most of you, at least in 2020, have had to use Zoom at least once with our current situation. And hackers know this as well. So they attacked Zoom and leaked about half a million credentials, putting them up for sale. How did they do it? With credential stuffing. They collected multiple dumps of leaked credentials in the darknet or internet, cracked them, and used them with automated tools on Zoom’s login page. They could then evaluate the response and determine the valid credentials, which they put up for sale. In order to not get their IP blacklisted or blocked, the attackers used something called a botnet, so they always used a new IP.
As we saw in the last couple of sections, this is only possible because so many people use the same credentials for multiple websites. The only thing to do at this point for Zoom was to let them change the passwords, which they did. They requested that every user should reset their password or change it. In January of 2020, Canva became aware that 4 million correct credentials were leaked. However, the attack took place long before that in May 2019. The attackers were able to get 137 million user accounts with their hashed passwords and salts. The attacker could use the salts plus a combination of brute force and dictionary attacks to break the passwords.
And as you can see, after seven months, they were able to crack about 4% of them. It is unclear at this point if Canva used a pepper to slow the attackers down, but what we know is that they used bcrypt to hash the passwords. This shows that salting does not necessarily make your password safer if the attacker can get hold of the hash and the salt. So make sure to use the pepper as well. Apparently, the attackers were even able to gain OAuth login tokens from users, using social sign-in via Google, but that’s just a rumour at this point and it hasn’t been confirmed.
The only thing that Canva could do at this point was to, a.) reset all the passwords, or, b.) notify the users with cracked credentials, so they could change them on other sites if they were using the same ones. Which, as we saw before, could lead to credential stuffing attacks on other services. And so that’s what Canva did, and we hope that it worked out. In 2014, the entire user base of eBay was leaked, including hashed passwords that used weak hashes. Some sources suggest that the attackers used employee credentials to access them and that they went unnoticed for 229 days.
How the attackers were able to get hold of the employee passwords is uncertain, but I think it could have been either through means of social engineering or some attack like credential stuffing or password spraying. All they could do and did was to reset all the passwords for the users.
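The Canva case above turns on the difference between a salt, which is stored next to the hash and therefore leaks with it, and a pepper, which is a server-side secret kept outside the database. The following is an added example, not code from the course or from any of the companies discussed: it stores passwords with a per-user salt and a pepper, and then runs a small wordlist against one stored record once with the pepper known and once without it, which is the position of someone who has only the leaked table. The pepper value, the iteration count and PBKDF2-HMAC-SHA256 (used here because it ships with Python; bcrypt, as in the Canva case, would be the usual choice) are assumptions of this example.

```python
import hashlib
import hmac
import secrets
from typing import Iterable, Optional

# PBKDF2-HMAC-SHA256 work factor (assumed value; tune until one hash costs
# roughly 100 ms on the real login server).
ITERATIONS = 100_000

# The pepper is a server-side secret that lives outside the user database
# (environment variable, KMS, HSM). Constructed value for this example only.
PEPPER = b"constructed-example-pepper-do-not-store-in-db"


def _prehash(password: str, pepper: bytes) -> bytes:
    """Bind the pepper to the password with HMAC before the slow KDF."""
    return hmac.new(pepper, password.encode("utf-8"), hashlib.sha256).digest()


def hash_password(password: str, pepper: bytes = PEPPER) -> str:
    """Return a storable record: algorithm$iterations$salt$digest.
    This record is everything an attacker gets if the table leaks; the pepper is not in it."""
    salt = secrets.token_bytes(16)  # fresh random salt per stored password
    digest = hashlib.pbkdf2_hmac("sha256", _prehash(password, pepper), salt, ITERATIONS)
    return f"pbkdf2-sha256${ITERATIONS}${salt.hex()}${digest.hex()}"


def verify_password(password: str, record: str, pepper: bytes = PEPPER) -> bool:
    """Recompute the digest from the stored salt and compare in constant time."""
    algo, iterations, salt_hex, digest_hex = record.split("$")
    if algo != "pbkdf2-sha256":
        return False
    candidate = hashlib.pbkdf2_hmac(
        "sha256", _prehash(password, pepper), bytes.fromhex(salt_hex), int(iterations)
    )
    return hmac.compare_digest(candidate, bytes.fromhex(digest_hex))


def dictionary_check(record: str, wordlist: Iterable[str], pepper: bytes) -> Optional[str]:
    """Model the Canva situation: someone holding a leaked record (hash + salt)
    tries a wordlist against it. `pepper` is whatever they know of the pepper;
    with only the database in hand they must guess it (modelled here as empty)."""
    for guess in wordlist:
        if verify_password(guess, record, pepper):
            return guess
    return None


if __name__ == "__main__":
    record = hash_password("correct horse battery staple")
    words = ["123456", "password", "correct horse battery staple"]
    # A defender auditing weak passwords has the pepper and finds the word.
    print("with pepper:   ", dictionary_check(record, words, PEPPER))
    # Someone who only stole the table does not, and the salt alone does not help them.
    print("without pepper:", dictionary_check(record, words, b""))
```

The salt still matters: it forces one KDF run per guess per user instead of one per guess across the whole table. The pepper is what makes a leaked table useless on its own, which is why it must never be stored in the same place as the records it protects.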

This video describes real-life examples of password attacks.

Ways in which an attack could have been prevented are discussed, as well as the consequences of the attack. Attacks on the following accounts are discussed:

  • Twitter
  • Zoom
  • Canva
  • eBay
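The Zoom case in the transcript makes a detection point: the attackers rotated through a botnet so that no single IP tripped a per-IP block, even though the login endpoint as a whole was seeing a flood of failures across many different usernames. The following is an added example, not part of the course or of any product, that shows the difference. It parses constructed login-log lines (the format and all addresses and usernames are made up for this example) and computes per-window statistics; a per-IP threshold never fires on the stuffing sample, while an aggregate rule keyed on attempt volume, failure ratio and username spread does.

```python
import re
from collections import Counter
from datetime import datetime, timedelta
from typing import Dict, List, Optional

# Assumed log format for this example: "<iso-timestamp> ip=<addr> user=<name> result=OK|FAIL"
LINE_RE = re.compile(r"^(?P<ts>\S+) ip=(?P<ip>\S+) user=(?P<user>\S+) result=(?P<result>OK|FAIL)$")


def parse_line(line: str) -> Optional[dict]:
    m = LINE_RE.match(line.strip())
    if not m:
        return None  # skip lines that do not match the expected format
    return {"ts": datetime.fromisoformat(m["ts"]), "ip": m["ip"],
            "user": m["user"], "result": m["result"]}


def analyze_window(lines: List[str], window: timedelta = timedelta(minutes=5)) -> Dict[str, float]:
    """Statistics over the events that fall in the last `window` before the newest event."""
    events = [e for e in (parse_line(l) for l in lines) if e]
    if not events:
        return {}
    events.sort(key=lambda e: e["ts"])
    start = events[-1]["ts"] - window
    recent = [e for e in events if e["ts"] >= start]
    ips = Counter(e["ip"] for e in recent)
    users = Counter(e["user"] for e in recent)
    failures = sum(1 for e in recent if e["result"] == "FAIL")
    return {
        "attempts": len(recent),
        "failures": failures,
        "failure_ratio": failures / len(recent),
        "distinct_ips": len(ips),
        "distinct_users": len(users),
        "max_per_ip": max(ips.values()),
    }


def per_ip_block_fires(stats: Dict[str, float], threshold: int = 10) -> bool:
    """Classic per-source rate limit: blind to a botnet that uses each IP once."""
    return stats["max_per_ip"] >= threshold


def stuffing_alert(stats: Dict[str, float], min_attempts: int = 30,
                   min_failure_ratio: float = 0.8, min_user_spread: float = 0.8) -> bool:
    """Aggregate rule (thresholds are assumed values): many attempts, mostly failing,
    spread across nearly as many usernames as attempts."""
    return (stats["attempts"] >= min_attempts
            and stats["failure_ratio"] >= min_failure_ratio
            and stats["distinct_users"] / stats["attempts"] >= min_user_spread)


def build_stuffing_sample(n: int = 40) -> List[str]:
    """Constructed log: n attempts, each from a different IP and username, a few succeed."""
    base = datetime(2020, 4, 1, 10, 0, 0)
    lines = []
    for i in range(n):
        ts = (base + timedelta(seconds=3 * i)).isoformat()
        result = "OK" if i % 13 == 0 else "FAIL"  # reused passwords that still work
        lines.append(f"{ts} ip=203.0.113.{i + 1} user=user{i:03d}@example.com result={result}")
    return lines


# Constructed log of ordinary traffic: one user mistypes twice, then logs in.
NORMAL_LINES = [
    "2020-04-01T10:00:00 ip=198.51.100.7 user=alice@example.com result=FAIL",
    "2020-04-01T10:00:09 ip=198.51.100.7 user=alice@example.com result=FAIL",
    "2020-04-01T10:00:20 ip=198.51.100.7 user=alice@example.com result=OK",
    "2020-04-01T10:01:02 ip=198.51.100.9 user=bob@example.com result=OK",
]


if __name__ == "__main__":
    for name, lines in (("stuffing", build_stuffing_sample()), ("normal", NORMAL_LINES)):
        s = analyze_window(lines)
        print(name, s, "per-ip:", per_ip_block_fires(s), "aggregate:", stuffing_alert(s))
```

The successful logins inside the stuffing window are the ones worth acting on: those are the reused credentials that validated, and forcing a password reset on exactly those accounts is the targeted version of what Zoom did for everyone.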

Investigate and share: Can you find any mention in the media of a recent and large-scale password breach? Share your findings in the Comments area at the bottom of this page.

This article is from the free online course Advanced Cyber Security Training: Hands-On Password Attacks, created by FutureLearn - Learning For Life.
