“Collections #1-5” a super-list of exposed data circulated by hackers in January 2019. The best known and biggest, dubbed “Collection #1”, contains over 1.5 billion email-password pairs – obtained from combining over 10,000 different breaches and credentials lists.

In October 2019, security researchers also found 1.4 billion personal records on an unsecured “elastic server”. The records, later attributed to the data enrichment platform People Data Labs, contained information on people including email addresses, phone numbers, and social media profiles.

Another large breach identified in the report was that of a LinkedIn hack in 2012 where over 160 million user credentials were leaked online. The hackers started to sell the credentials online in May 2016. Some of the credentials were emails along with encrypted passwords, while some credentials were emails only.

Leaked credentials from third-party breaches do not give hackers direct access to an organisation whose domain information is listed in the exposure. For example, a government employee whose details were exposed via the LinkedIn hack may have used a different password to access their work email.

However, Kela stressed that the risk lies in users or employees re-using the same or similar passwords for multiple services they log in to, giving hackers the opportunity to brute force their way directly into a domain to which the email address belongs. They can also use the credentials to mount further spear-phishing campaigns designed to trick users into exposing their credentials – or sensitive information – or to download a malicious attachment with a “payload” that can be used for further attacks.

The 515 compromised accounts found in the Futurescot investigation represent a much higher threat level to organisations, as the credentials are stolen from a specific machine that is infected by malware. The credentials do not provide access to the machine, though; they provide access to specific resources that can be accessed. For example, if a computer is infected, it can steal saved credentials for common web services such as Amazon, LinkedIn, or Twitter and – depending on the functionality of the malware – grab credentials by keylogging even if they were not saved. That information can be used

FUTURESCOT | SUMMER 2021 | 27 Continued on Page 28
