In recent years, credential stuffing attacks have been on the rise. Cyber criminals take over accounts with username and password combinations that were stolen from third parties.

The goal of Account TakeOver (‘ATO’) prevention services is to prevent unauthorized access to your accounts. There are several types of techniques that can be used to implement ATO prevention services. The characteristics of the techniques vary widely. Furthermore, the data quality of an ATO prevention service has a great effect on the effectiveness and efficiency of the service. …


Every year thousands of data breaches occur, as we can read in the daily news. The root causes of the breaches range from organizational issues to technical flaws. A new category of attacks emerged a few years ago: ‘credential stuffing’. According to F5, ‘credential stuffing and brute force attacks have been the biggest threats for financial services recently, and the trend shows no sign of slowing’. According to Akamai, ‘hackers have targeted the gaming industry by carrying out 12 billion credential stuffing attacks against gaming websites within the 17-month period analyzed’. Nowadays credential stuffing attacks are considered among the top digital threats. …

Cracking classic hashes

Moore’s law is the observation that the number of transistors in a dense integrated circuit doubles about every two years. This roughly doubles computing power about every two years as well. Password hashing algorithms typically have a lifetime of many decades. This means that the level of protection of a given password hash algorithm decreases over time: attackers can crack longer and more complex passwords in the same amount of time.

The introduction of powerful Graphics Processing Units (GPUs) and supporting software frameworks revolutionized password cracking. Starting over a decade ago, high performance GPU password cracking tools were published, massively outperforming Central Processing Units (CPUs) that were typically used for password cracking at the time. The speed-up was a factor of 50 to 100 for many algorithms: another big step back for the protection level of your passwords. …

Dutch website — used by prostitutes, escorts and their customers — had been hacked. The site’s user database was stolen and is actively being traded in the underground, and sold for about 2 Euros. The dump contains data of — among others — employees of Dutch governmental institutions like the department of defense, foreign affairs and law enforcement. Since data is now within virtually anyone’s reach, we expect scams to blackmail users soon. publicly stated that passwords were not stolen. Strictly speaking this is true: the database does not contain plain text passwords but hashed passwords. Scattered Secrets was able to crack 57% of the password hashes in three days. …

All kinds of online services get hacked. This includes services that you might be using. Scattered Secrets is a password breach notification and prevention service. We continuously collect publicly available hacked databases and try to crack the corresponding passwords. Verified account owners can access their own information and take appropriate action to keep their accounts safe and protect against account takeovers. At the time of writing, our database includes nearly four billion — yes, that is with a B — plaintext passwords. Users occasionally ask us how we can crack passwords on such a large scale. …


