Page 63 - Cyber Defense eMagazine February 2024
Traditionally, DBSEs only informed visitors whether their email address or username appeared in known data
breaches, prompting them to change the password for that specific account. A new category of DBSE has
since emerged that offers users access to the raw breach data itself, including other people's login
credentials, and these newer DBSEs are gaining popularity.
This trend unfolds as the dark web underground market for stolen credentials experiences rapid growth.
Demand is driven primarily by cybercriminals intending to use the stolen credentials for malicious
activity, as reported in Recorded Future's 2022 Annual Report. Recent figures show increasing use of
stolen credentials in cybercrime: Account Takeover fraud rose 354% year-over-year in Q2 2023, according
to Sift's Q3 2023 Digital Trust & Safety Index, and 49% of data breaches last year involved the use of
stolen credentials, according to Verizon's 2023 Data Breach Investigations Report (DBIR).
Against this backdrop, DBSEs are making exposed credentials more accessible to the public. This marks
a significant departure from the days when breached data was confined to the darker corners of the
Internet. The F5 Labs 2021 Credential Stuffing Report notes that for malicious actors seeking victims'
login credentials, the entry barrier is diminishing. Access to exposed credentials used to demand a level
of skill, funds, and/or personal connections, requiring expertise to hack a database, connections to elite
sellers, or access to exclusive dark web markets. However, with increasingly mainstream services willing
to sell verified credentials, anyone can obtain access.
Nevertheless, while DBSEs do make exposed credentials easier to find, it is important to recognize that not all
stolen credentials are equal. Attackers typically try to keep stolen credentials secret for as long as
possible, because breached credentials lose value once they become public knowledge: victims promptly
change their passwords, as the Cofense 2023 Annual State of Email Security Report notes. F5 Labs
corroborated this in its Credential Stuffing Report, which tracked stolen credentials from theft to public
disclosure and found that their price began to decline as soon as the breach became public.
DBSEs only obtain credentials at this stage, after the breach has been disclosed and the data posted publicly.
DBSEs therefore provide access to credentials at the point where they are least valuable to criminals.
However, the credentials available through DBSEs still hold value for criminals, particularly when victims
reuse the same password across multiple accounts. Password reuse has long been a problem: SpyCloud's 2023
Identity Exposure Report found a 72% password reuse rate among users exposed in two or more breaches in
the past year, up 8 points from 64% the previous year. As long as password reuse persists, old credentials
will remain valuable to criminals.
It is worth noting that the newer DBSEs can also benefit victims in certain circumstances. Traditional DBSEs
were most helpful when a breach originated from a single website, such as the LinkedIn example mentioned
earlier. Some breach datasets, however, consist of login credentials aggregated from unknown sources. In
those cases a newer DBSE can show victims exactly which of their passwords were compromised, not merely that
some account of theirs appeared in a breach.
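The two preceding paragraphs describe the defensive use of breach data: finding out whether a password you (or your users) rely on is already in a dump, without handing the password to yet another third party. The following is an added example written for this article, not code from any DBSE or vendor; it implements the range-query (k-anonymity) lookup pattern used by Have I Been Pwned's Pwned Passwords service, in which the client sends only the first five hex characters of the password's SHA-1 hash and matches the remainder locally. The breach dump, the email addresses and the function names are all constructed for illustration.

```python
"""Added example: breach-corpus password check via a k-anonymity range query.

Illustrative code written for this article, not any DBSE's own code. The
dump below is constructed; none of the accounts or passwords are real.
"""
import hashlib
from collections import defaultdict

# Constructed sample in the email:password form that newer DBSEs expose raw.
CONSTRUCTED_DUMP = """\
alice@example.com:Summer2023!
bob@example.com:password123
carol@example.com:Summer2023!
dave@example.com:correct horse battery staple
"""

HEX = set("0123456789ABCDEF")


def sha1_hex(password: str) -> str:
    """Uppercase SHA-1 hex digest, the form used by the Pwned Passwords range API."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest().upper()


def build_range_index(dump: str) -> dict[str, dict[str, int]]:
    """Server side: build {5-hex prefix: {35-hex suffix: occurrence count}}.

    The count records how many accounts in the dump used that password, which
    is the "seen N times" signal a checker reports back to the client.
    """
    index: dict[str, dict[str, int]] = defaultdict(lambda: defaultdict(int))
    for line in dump.splitlines():
        if ":" not in line:
            continue  # tolerate malformed lines, common in real dumps
        _email, password = line.split(":", 1)  # passwords may contain ':'
        digest = sha1_hex(password)
        index[digest[:5]][digest[5:]] += 1
    return index


def range_query(index: dict[str, dict[str, int]], prefix: str) -> dict[str, int]:
    """Server side: return every suffix that shares the requested prefix.

    The server learns only the prefix, i.e. which of 16**5 buckets the
    password's hash falls into, never the password or its full hash.
    """
    if len(prefix) != 5 or any(c not in HEX for c in prefix):
        raise ValueError("prefix must be exactly 5 uppercase hex characters")
    return dict(index.get(prefix, {}))


def password_exposure_count(index: dict[str, dict[str, int]], password: str) -> int:
    """Client side: hash locally, send only the prefix, match the suffix locally."""
    digest = sha1_hex(password)
    prefix, suffix = digest[:5], digest[5:]
    bucket = range_query(index, prefix)
    return bucket.get(suffix, 0)


def should_reject_password(index: dict[str, dict[str, int]], password: str) -> bool:
    """Enrolment-time screening: reject any password already present in the corpus.

    NIST SP 800-63B calls for comparing new passwords against known-breached
    values; one prior exposure is enough because of the reuse rates cited above.
    """
    return password_exposure_count(index, password) > 0


if __name__ == "__main__":
    idx = build_range_index(CONSTRUCTED_DUMP)
    for pw in ("Summer2023!", "password123", "not-in-any-dump"):
        print(f"{pw!r}: seen {password_exposure_count(idx, pw)} time(s), "
              f"reject={should_reject_password(idx, pw)}")
```

The design point is the split between `range_query` (what a lookup service needs to see) and `password_exposure_count` (what stays on the client): even a service that logs every request learns only a 20-bit hash prefix, so a user can test a reused password against breach data without creating a fresh exposure of it. The reuse problem from the previous paragraph is visible in the constructed dump, where `Summer2023!` is returned with a count of 2.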
The Future:
Based on current trends, DBSEs could play a more substantial role in supplying cybercriminals in the
near future. The number of cybercriminals seeking credentials is growing, potentially including more
Copyright © 2024, Cyber Defense Magazine. All rights reserved worldwide.