Earllier this week, our threat intelligence analysts “stumbled upon” yet another list of passwords and emails of 17,000 Twitter users. Well, they didn’t really stumble upon the list, the list was picked up on a paste site by Argos, our Threat Intelligence Platform.
Following further investigation, we found out that this is the work of a threat actor going by the name of Polidox. Polidox has been identified as a Danish cracker who targets various brands and companies, such as Twitter, Facebook, Minecraft, Twitter, Tumblr, WWE, etc. Furthermore, we discovered that in order to crack the accounts, the cracker used a tool named ‘Sentry MBA’, which is a popular tool for credential stuffing attacks.
Credential stuffing is an attack that tests stolen credentials against the authentication mechanisms on websites and mobile application API servers, to discover instances of password reuse across those applications, and enable large-scale account takeovers.
The reason we believe Polidox used the Sentry MBA stuffing tool is because he follows a similar pattern followed by known crackers which use credential-stuffing attacks (targeting multiple known brands which are known targets for these kind of attacks), and also because many of the credentials found in the leak were found in previous leaks of different companies, thus making them vulnerable for this kind of attack.
So What’s the Big Deal you Ask?
Well, imagine the following scenario:
A cybercriminal or a script kiddy, gets a hold of the list and puts a simple script together that uses the credentials on the list to access the 17,000 Twitter accounts and tweets something that looks very legit:
Let’s Look at the Numbers
If we assume that, on average, each Twitter account has 10K followers and that we have a 10% conversion rate of people reading the Tweet and then clicking the URL, we get the following:
170,000 people infected by ransomware!
Looking the rates of ransomware payouts, which stand at 1-2 bitcoins ($569.65 - $1139.3), you get a mind blowing figure that a cybercriminal could make off this one list –
So, no, not a billion dollars but enough to not work another day in your life. And, it's even more than the Bangladesh heist!
As you realize, this leak is not limited to the actual users on it but also enables cyber criminals to take over their accounts and target their followers. This could mean that far more Twitter users will become victims of fraud and cybercriminal activities during the weeks and months ahead as a result of the leak.
Lastly, the fact that the credential stuffing tool was successful at validating 17K Twitter users, emphasizes the fact that people still(!) reuse passwords across multiple websites. A frightening and concerning fact, as this type of attack has exponential repercussions.