Introducing Blackfish, a system to help eliminate the use of stolen passwords

Today we’re releasing Blackfish, a system that proactively protects companies from credential stuffing before an attack takes place. Normally, credential stuffing starts with a data breach at one major company (“Initial Victim”), and continues when a criminal then uses the stolen data (usernames and passwords) against dozens or even hundreds of different companies (“Downstream Victims”). Usually, many months or years pass before the Initial Victim realizes and discloses the initial data breach, and in that time, criminals are able to successfully attack huge numbers of Downstream Victims. Later, once the Initial Victim does disclose the breach, the Downstream Victims start matching the username/password pairs from the Initial Victim against their own user databases, and resetting any passwords that match. The whole process can take years and results in hundreds of millions of dollars worth of fraud and brand damage.

Blackfish changes all that. From the very first moment a criminal attempts to use stolen usernames and passwords, Blackfish begins monitoring and protecting matching accounts at other companies. So, while under normal circumstances a criminal can get hundreds of chances to monetize the stolen usernames and passwords, with Blackfish in place, criminals get far fewer chances.

You may be wondering how Blackfish can accomplish all this. Explaining that requires a little background on Shape Security.

We founded Shape six years ago to answer a simple question: is a visitor to a web or mobile app an actual human being? This simple question proved to be an important one. As we perfected our ability to answer it, we started eliminating enormous amounts of fraudulent traffic from the largest web and mobile apps in the world — often 90% or more of the login traffic from a Fortune 100 web application.

Today, we are the primary line of defense for many of the largest organizations around the world. Our customers include: three of the top four banks, three of the top five airlines, two of the top three hotel chains, and numerous other leading companies and government agencies.

We secure all of those large organizations in a centralized way, directly delivering the security outcome of eliminating fraudulent traffic. That centralized security capability is also the heart of Blackfish, and allows Blackfish to see stolen usernames and passwords in use far before anyone else ever knows about them (including the Initial Victim).

Think about it: if you were a criminal and managed to steal all the usernames and passwords from a major corporation, where would you try them out? If you’re like most criminals, the answer is that you’d try them on the largest banks, airlines, hotels, and retail sites in the world. That’s what happens in practice, and when it does, that’s also when Blackfish sees the very first such attack, and sets about protecting all username/password pairs that happen to match on other large websites.

Blackfish does all this before the original data breach is reported or even detected by the Initial Victim company.

The problem with looking for credentials on the dark web

You can scour the dark web to find user credentials, but one of the greatest dangers companies face today is the long window of time between when breaches occur on third-party websites like Yahoo, and when those breaches are discovered and announced. Instead of hoping that stolen passwords will appear in the dark web in time to be useful, Blackfish autonomously detects credential stuffing attacks on the largest, most targeted websites in the world, identifies newly stolen credentials, and nullifies them globally. That stolen data becomes useless to cybercriminals.

How does it work?

Shape has grown into one of the largest processors of login traffic on the entire web. We have built machine learning and deep learning systems to autonomously identify credential stuffing attacks in real-time. These systems now generate an important byproduct: direct knowledge of stolen usernames and passwords when criminals are first starting to exploit them against major web and mobile apps. What this means is that we see the stolen assets months or years before they appear on the dark web.

Blackfish’s knowledge base of compromised credentials is built with maximum security in mind. To ensure that its knowledge base is secured, Blackfish does not store any credential information but instead leverages Bloom filters to create probabilistic data structures to perform its operations. As a result, the compromised credentials themselves are not stored anywhere and Blackfish can use the information about compromises to improve security while maintaining full data privacy.

What good is a stolen password if you can never use it?

For better or for worse, memorized secrets (a.k.a. “passwords”) are the most widely used authentication mechanism online. As such, having access to millions of stolen passwords (over 3.3 billion were reported stolen in 2016 alone) allows cybercriminals to easily take over users’ accounts on any major website. They do this with credential stuffing attacks, which take stolen passwords from website A and try them on website B to see which accounts the same email addresses and passwords will unlock. Cybercriminals can do this reliably with a typical 1-2% success rate, allowing them to seize the value in bank accounts, gift card accounts, airline loyalty programs, and other accounts, which they can then monetize for a predictable ROI.

Since credential stuffing attacks are responsible for more than 99.9% of account takeover attempts, if we identify the stolen credentials that are used in these attacks, and invalidate them across other websites, we change the economics for cybercriminals significantly. If their 1-2% success rate now drops by two orders of magnitude or more, their “business” no longer functions. At that point, the cybercriminal has no choice but to try to obtain new stolen passwords. If those new passwords are similarly detected and invalidated, it will become clear to the criminals that the economics of their scheme have been broken. We think that over time, Blackfish will end credential stuffing for everyone.

We are all very excited at Shape to announce this system and our vision to make credential stuffing attacks a thing of the past. You can learn more on our website and contact us when your company is ready to try Blackfish.

2017 Credential Spill Report

social_media_10largest_spillsOver the past 12 months, we have seen dozens of the world’s largest online services report that they had been breached by attackers who were able to gain access to their customers’ login credential data. By the end of 2016, over three billion credentials in total were reported stolen, at an average pace of one new credential spill reported every week.

These numbers are a record and include the two largest reported credential spills of all time, both by Yahoo. Near the end of the year, the National Institute of Standards and Technology published the Draft NIST Special Publication 800-63B Digital Identity Guidelines, recommending that online account systems check their users’ passwords against known spilled credential lists.

As the size and frequency of credential spills appears to be increasing, today we are publishing the 2017 Credential Spill Report. This report includes key findings from the credential spills reported in the past year and data from the Shape network to provide insight into the scale of credential theft and how stolen credentials are used.

In particular, stolen credentials are now used every day in credential stuffing attacks on all major online services. In these attacks, cybercriminals test for the reuse of passwords across websites and mobile applications. In the past, announcements of credential spills would focus on the security of accounts at the organization which reported the data breach, but now people are realizing that the widespread reuse of passwords by users across websites means that a breach on one account system endangers all other account systems.

At Shape, we have a unique view into this activity because our technology protects the world’s most attacked web and mobile applications—those run by the largest corporations in financial services, retail, travel, and other industries, as well as the largest government agencies—on a 24/7 basis.

Key statistics from spills reported in the past year include:

Over 3 billion credentials were reported stolen in 2016.

  • 51 companies reported suffering a breach where user credentials were stolen.
  • Yahoo in 2016 reported the two largest credential spills of all time. The next largest credential spills in 2016 were reported by Friend Finder, MySpace, Badoo and LinkedIn.
  • Tech companies had the largest total number of spilled credentials (1.75 billion).
  • The gaming industry had the largest number of companies with spills (11).

From Shape’s network data, we also observed:

  • 90% of login requests on many of the world’s largest web and mobile applications is attributable to traffic from credential stuffing attacks.
  • There is up to a 2% success rate for account takeover from credential stuffing attacks, meaning that cybercriminals are taking over millions of accounts across the Internet on a daily basis as a result of credential spills.
  • Credential stuffing attacks are now the single largest source of account takeover on most major websites and mobile applications.
  • One Fortune 100 retailer experienced a credential stuffing attack with over 10,000 login attempts in one day coming from the cybercriminal attack tool Sentry MBA, which is the most popular credential stuffing software and appears to be used to attack nearly every company in every industry.
  • Analyzing 15.5M account login attempts for one customer during a four month period, over 500K accounts were confirmed to be on publicly spilled credential lists.

Dealing with credential spills and the credential stuffing attacks that they fuel is a complex topic. Here are some basic recommended actions for consumers and enterprises:

The most important takeaway for consumers is that you should never reuse passwords across online accounts. Selecting a strong password is not enough; if you have reused that same password on multiple sites, and one of those sites is breached, your accounts on all of the other sites where you have used the same password are now at risk.

For companies, a lot of public attention is focused on any organization that experiences a data breach and loses control of their users’ credentials. However, the real issue other companies should focus on is protecting themselves against those passwords being used to attack them and their own users. Credential stuffing attacks easily bypass simple security controls like CAPTCHA and Web Application Firewalls, so relying on those mechanisms does not offer any protection. Controls like two-factor authentication can help, but of course come with other drawbacks.

In any case, getting educated is the best course of action. The Open Web Application Security Project (OWASP) provides a starting point for learning about credential stuffing and other automated attacks in their list of OWASP Automated Threats To Web Applications.

To learn more, download the full 2017 Credential Spill Report.

Dan Woods,

Director, Shape Intelligence Center