Threats made by an apparent collective of hackers calling itself the Turkish Crime Family last month demanded $75,000 from Apple by April 7. If Apple refused to pay, it threatened, it would use its vast database of stolen usernames and passwords to factory-reset the iPhones of hundreds of millions of Apple customers.
Although some experts are skeptical of the veracity of the claim and threat, hackers in possession of stolen log-ins could, in fact, use a form of automated password reuse called credential stuffing to take over accounts.
The details of the alleged database of stolen log-ins are inconsistent. At first, the pseudonymous Turkish Crime Family tweeted on March 21 that it would wipe 200 million accounts. A story published that same day claimed that the number was 300 million Apple @icloud and @me credentials, but could be as high as 559 million accounts.
Neither Apple nor the Turkish Crime Family responded to requests for comment, though Apple has stated previously that its databases have not been breached.
“When a cybercriminal has a million usernames and passwords, only typically 0.1 to 0.2 percent will be valid,” says Shuman Ghosemajumder, CTO of Shape Security, which published an in-depth report report on credential stuffing attacks in January.
It’s rare for a major company to pay a ransom like the one demanded of Apple, security researcher and data breach expert Troy Hunt says. Hunt estimates that the total number of Apple accounts affected in the breach actually hovers around 53,000—and that most of them are no longer vulnerable.
“What they’ve done is taken all the Apple usernames and passwords out of [the breach of the gaming company] Evony and combined them with log-ins from a few other breaches,” Hunt says, based on research he published earlier today. And he says that actually wiping accounts could spur law enforcement to act. “If they do start wiping any accounts, there’s a very high likelihood that they’ll end up someplace unpleasant.”
Presuming that there’s one hacker in the “family,” and it takes 5 seconds to manually type and test a username and password, it would take 55 hours to test 53,000 unique log-ins. If you scale that to 200 million, you’re talking decades of work, not hours.
“If the attacker has a list of credentials, they can take over tens of thousands of accounts. This happens all the time, every day, on all the brands you’re familiar with.” — Shuman Ghosemajumder, CTO, Shape Security
That’s where credential stuffing comes in. An attack throws an enormous number of stolen credentials at a log-in page for a major Internet service, such as Google, Facebook, Microsoft, Yahoo, or Apple, and is most often automated with commercial malware like SentryMBA or custom-made software.
Once a targeted account has been accessed, attackers can do what they want with the account, from using it to gain access to other accounts—including financial ones—to using it as a spam-sending robot, to destructively wiping its data, as the Turkish Crime Family has threatened to do.
Fueled by the poor database security by businesses and sloppy password security by consumers, credential stuffing attacks are a perfect storm of computer security failures. They’re hard to defend against, as they occur unless the target has planned defensive responses, and they leave consumers’ most sensitive personal files and finances exposed for exploitation.
Credential-stuffing attacks are not rare. They account for more than 90 percent of the Internet traffic to log-in pages at major services, Shape Security’s Ghosemajumder says.
“We see those attacks across every major online service,” he says. “If the attacker has a list of credentials, they can take over tens of thousands of accounts. This happens all the time, every day, on all the brands you’re familiar with.”
Avivah Litan, vice president and distinguished analyst at Gartner Research, says the attacks target far more than online services. “Loyalty wallets get hit by credential stuffing,” she says. “Anything of high value.”
There are options for stopping credential stuffing attacks, but they will require behavioral changes from both businesses and their customers. One option NIST recommended in December for Internet services and financial institutions is to buy stolen databases, search them for their customers’ log-in credentials, then notify affected customers. Facebook already has adopted this technique.
Another option, Litan says, is to develop a layered approach to prevention. Companies need to look at how, when, and by whom their sites are being accessed by users, as well as user account info, and perform big-data analysis on “billions of transactions.”
Consumers will have to make some changes too. They can add two-factor authentication to all their major online and financial accounts. That way, if their passwords are cracked, there’s still a second-layer, one-time-use-only password that prevents the hacker from getting into the account.
Password reuse attacks, of which credential stuffing are a large-scale version, are nothing new, says Jeremiah Grossman, chief of security strategy at SentinelOne. He says he saw password reuse attacks across Internet services as far back as 2000, when he worked as a security engineer at Yahoo.
“When somebody got phished at Hotmail, they’d reuse [the log-in] against Yahoo,” he says. “The problem with reusing a password now is that you can’t just change your password on Yahoo, but you have to change your password on every other service you’ve used that password.”