Skip main navigation

New offer! Get 30% off one whole year of Unlimited learning. Subscribe for just £249.99 £174.99. New subscribers only T&Cs apply

Find out more

Case Studies Part 2

In this video, Zanidd will cover more real-life examples of password attacks, for example, on LinkedIn, 8fit, and Adobe.
In 2012, nearly 6.5 million user credentials were stolen by Russian cybercriminals from LinkedIn. Later, in 2016, LinkedIn discovered 100 million email addresses and hashed passwords were leaked. The whole list of partially correct credentials went up for sale for the price of 5 Bitcoin, which at the time was around 2,000 to 3,000 US dollars. What makes this attack so interesting for us is that LinkedIn failed to use salts for their passwords, and thus were easier to crack. Some sources even claim that LinkedIn used a SHA-1 hashing algorithm, which only made it easier to crack.
Most of the credentials were probably cracked with a rule-based dictionary attack, as we ourselves did in the section about dictionary attacks, while the rest will have been cracked with brute force attacks. There is, however, still a chance that some passwords were not cracked if the passwords were random and strong enough. As soon as LinkedIn discovered that so many passwords were leaked, they forced users to change their passwords, if they didn’t change them since 2012 already. Following the breach, some users filed lawsuits against LinkedIn, some of which could have cost up to $5 million for LinkedIn.
And this is special here because this is one of the first in our cases which actually had to pay money instead of just resetting the passwords for everybody. In July 2018, a breach occurred at 8fit. 8fit is a health and fitness app, and 15 to 20 million user credentials were leaked. And what’s even worse, it went unnoticed until February of 2019. 8fit then went on to encourage their users to change their passwords as well as passwords for other services. They started investigating the breach as soon as possible, and according to their own site, they started finding and fixing the vulnerability that caused the breach. In 2013, Adobe has also suffered from a data breach.
Different sources cite different numbers of stolen credentials, ranging from 35 million to 150 million. And not only that, the attackers were also able to grab parts of the source code for Cold Fusion, Photoshop, and the Acrobat Reader. Adobe, as all other companies in these examples, reset the passwords of all their users and claimed that they did not see any indication of unauthorized activity on the breached accounts. All in all, the breach took six weeks to be noticed since the attacker uploaded the source code on a website that then later was found by security bloggers and researchers. And Adobe is one of the faster companies that we saw in our examples, with only six weeks.
And six weeks is a long time for attackers to crack passwords or dump them somewhere in the darknet and sell them, even if they’re hashed. So, not only did the attackers in this example crack credentials, they also stole parts of the source code. This would allow them to either investigate to code to find flaws and vulnerabilities that they could then later exploit, or they could sell it online, which seems to be what they did. Luckily, they did it in such a prominent way that some researchers found it and the breach was found in only six weeks. So what can we learn from these examples and case studies?
Everyone can be a target, big companies, small companies, social media sites, free tools like Canva, and even fitness and health apps. Attackers are usually focused on getting as many credentials as possible and then sell them in bulk on the darknet or internet. Other attackers can buy them and use them for password spraying and credential stuffing attacks, so make sure to never reuse your passwords on other platforms. Attackers gain passwords as a means to sell them or abuse them in other ways. They usually find the vulnerability of phished credentials of administrators and then dump the passwords.
Often, the attacks go unnoticed for weeks, months, or even years, which gives the attacker plenty of time to crack a chunk of those credentials and abuse them. In order to protect us and our users from this menace, we should implement the things discussed in former sections, like salt, pepper, Multifactor Authentication, strong password policies, and good hashing functions. It is important to use random strong and unique passwords every time we need a new one, and password managers can help us with that. Or we can use the method learned in the last section. Another thing we can learn is that some companies may get fined for having a data breach, depending on if they used current technology or not.
So if you’re using an old hashing algorithm, you can be fined for that if an attacker leaks your dump - if an attacker dumps your passwords and they are cracked, because it was your mistake that you didn’t use a good enough hashing function. So, also make sure that we use good hashing functions whenever you can. And with that, thank you very much for taking part in this course on Code Red. I sincerely hope you enjoyed it and learned some things along the way you can either use to make your applications secure or handle your passwords better. I hope to see you in a future course or on my channel, /dev/null, over on YouTube.

This video covers more real-life examples of password attacks.

Attacks on the following accounts are discussed:

  • LinkedIn
  • 8fit
  • Adobe

This highlights that everyone can be a target including big companies, small companies, social media sites, free tools, and even fitness and health apps. Watch the video to learn about the techniques and motives of attackers.

Preparing for Test of the Week

Now that you completed the content steps for this week, you are ready for the test of the week!

The following test is going to assess your understanding of what you have learned within this past week of the course.

Remember, you do not have to take the test until you’re ready. To help you prepare, you might wish to spend some time refreshing your understanding of the contents of the past week.

You may wish to reflect on the Learning Outcomes introduced at the beginning of the week and make sure you are comfortable that you have met the requirements of each. Take some time to review your learning to help you prepare.

This article is from the free online

Advanced Cyber Security Training: Hands-On Password Attacks

Created by
FutureLearn - Learning For Life

Reach your personal and professional goals

Unlock access to hundreds of expert online courses and degrees from top universities and educators to gain accredited qualifications and professional CV-building certificates.

Join over 18 million learners to launch, switch or build upon your career, all at your own pace, across a wide range of topic areas.

Start Learning now