
  • Using AllCreds to Successfully Prevent Account Takeover from Compromised Credentials, a myNetWatchman Client Case Study

    myNetWatchman analyzed the 48 million credentials and 533,000 successful account takeovers from a large-scale credential stuffing attack against our repository of over 30 billion compromised credential pairs. This analysis was performed after the fact, but had myNetWatchman’s AllCreds service been applied proactively, 91 percent of the account takeovers could have been stopped, because they used credential pairs we had previously identified as compromised.

    In this comprehensive case study, myNetWatchman analyzed data from a client credential stuffing attack that spanned four months and used nearly 48 million compromised credential pairs. This large-scale attack took place in early 2024 against an omni-channel retailer with a large, global online sales presence, referred to here as “Company M.” Company M faced a threat many online organizations see frequently: credential stuffing attacks. Many consumers have poor password hygiene, reusing passwords or credential pairs and making it easier for criminal actors to succeed with account takeover attacks through credential stuffing. Credential stuffing involves systematically testing lists of compromised credential pairs, which are abundant because data breaches occur frequently and are often large.

    The credential stuffing attack against Company M exemplified the severity of poor consumer password hygiene. Out of tens of millions of unique credential pairs tested, over half a million customer accounts were successfully accessed, a 1.13 percent success rate. The overall success rate, including repeated attempts, was 1.7 percent. myNetWatchman’s analysis of the compromised credentials used against Company M found that more than nine-tenths of the successful logins involved credential pairs that had previously been tested on other sites.

    Leveraging myNetWatchman’s live data surveillance and proprietary data repository of over 30 billion exposed credentials, our analysis showed that the compromised credentials presented at Company M’s site had been used or tested across thousands of other websites first. Using AllCreds as a preventive tool at login and password change, to force customer step-up authentication and to require a password change when credentials become compromised, would have prevented 91% of the bad actors’ successful logins. With AllCreds, organizations can fight poor password hygiene and credential stuffing attacks by knowing not only whether the presented credentials are compromised, but whether they are actively being tested. This allows for strategic use of step-up authentication, such as two-factor authentication (2FA) or requiring a password change, while maintaining a seamless user experience for legitimate users.

  • Understanding the RockYou2024 Data Dump: Implications and Realities

    myNetWatchman clients (and most others) don’t need to be concerned about RockYou2024; don’t be put off by the size. The RockYou2024 data set, with its staggering 10 billion records freely available online, has caused quite a stir in the cybersecurity world. We took a look beyond the headlines to understand what this data dump truly represents and its actual impact. While the primary focus on 10 billion records overstates the breadth of what is actually useful, the 65 percent (at least) of the data set that is likely to be real, unencrypted passwords might be useful to a small group of fraudsters. Even then, the reality is that the compromised passwords contained in it were being used well before it was released.

    What is it

    RockYou2024 is a data dump, freely available online. It is a mix of plain-text passwords, hashed passwords, plausible (but not necessarily in-use) passwords from wordlists and likely some junk data. The name “RockYou” dates back to 2009, when a file named “rockyou.txt” containing 14 million unique passwords was posted online. The list grew over the years, reaching 8.4 billion records by 2021. The latest iteration, RockYou2024, added 1.5 billion new records, approaching the headline-grabbing number of 10 billion.

    What’s inside

    RockYou2024 has only passwords, or more accurately, records that might be passwords. These are not credential pairs; credential pairs (username and password together) are more valuable than passwords alone. In contrast, we have over 30 billion pairs in our repository.

    Encrypted data - About 950 million records, about 10% of the data set, are encrypted words. These are of little value to attackers, because cracking a hashed word (more so a hashed and salted word) is technically challenging and time-consuming.

    Junk - Random strings, company names, and other garbage that aren’t really passwords people use. For example, we found more than 50 thousand records starting with “0x00”, and we agree with Red Hot Cyber that junk data was included because the hacker probably “wanted to reach 10 billion records at all costs just for fame or attention.”

    What’s left is about 6.14 billion records that could be plain-text passwords.

    Real-world use

    We monitor live criminal traffic as it happens. In the week after RockYou2024 was released, we saw 370 million credential pairs used in illegitimate logins, credential stuffing attacks, and ATO attempts. 56% of those used passwords in the RockYou2024 data set. However, in the week before RockYou2024 came out, we also saw the same share, 56%, of logins using passwords in RockYou2024. In other words, we didn’t see any indication that RockYou2024 exposed a significant number of passwords that hadn’t been used before.

    Threat Level

    For our clients, we don’t see this breach increasing the existing level of threat to account takeover from compromised credentials. Its contents, potential and unverified passwords, are low value compared to breaches that contain username and password combinations, for example the 30+ billion credential pairs we have that criminals have actually used. We do expect some criminals will use them in brute-force stuffing attacks, but that kind of activity has a significantly lower success rate than credential stuffing attacks that rely on compromised credential pairs. The timing risk is also low: 84% of the set was available three years ago or more. Wide availability of breached passwords and poor password hygiene make ATO and credential stuffing attacks a persistent and credible threat, but RockYou2024 didn’t greatly elevate that threat; it was already quite high.

    Recommendations

    As always, we recommend our clients help users practice good password hygiene. Have password policies in place to require strong passwords, use 2FA where it makes sense for the user experience, and protect users from using known compromised credentials with our services. We DO NOT recommend you let the hype around RockYou2024 alarm you into drastic action. Forcing all users implicated in RockYou2024 to change passwords would cause unnecessary friction without significantly reducing risk.

  • Naz.API and Making the Case for using Compromised Credential Monitoring

    In a study of the Naz.API breach data, myNetWatchman found that companies using its compromised credential screening service were able to detect 94% of these compromised credentials earlier, in some cases years earlier, than companies relying on the breach data once it became public. When news broke about the 71 million user accounts compromised in the Naz.API data breach in September 2023, it provided a useful comparison between vendors that use static data breach data once it is public and vendors that rely on real-time credential monitoring, like myNetWatchman, to detect compromised or at-risk credentials (username and password).

    In the case of Naz.API, the data set consisted of aggregated breach data from multiple breaches, so some of it would have been public in the past and some was likely not known. From the data we can see a large cluster from years in the past, likely indicating those records were pulled from a much older breach. If a company was relying on a vendor that uses static data breach data, the complete list of compromised credentials would not have been known before September 2023, as that was when it was discovered, and it likely would not have been available for several months after, because attribution and the legal process for getting access to this data take time. In contrast, if a company was using myNetWatchman, a real-time credential monitoring vendor, it would have had a higher likelihood of detecting the exposure earlier, as 94% of these compromised credentials were known to be compromised before the breach became public. Beyond indicating that the credentials were compromised, myNetWatchman’s real-time credential monitoring service would also have alerted on 5% of these credentials that a bad actor had successfully accessed the account.

  • Krebs on Security: Who’s Behind the SWAT USA Reshipping Service?

    Our team at myNetWatchman is thrilled to be referenced in the latest article by KrebsOnSecurity, Who’s Behind the SWAT USA Reshipping Service?, exposing the identities behind the SWAT USA Reshipping Service. The premise of the article provides further confirmation that criminals follow the same behavior as everyone else, reusing passwords from their personal lives. Following these best practices can help keep you and your organization secure:

    • Keep work and personal email separate.
    • Do not include personal data (such as date of birth) in passwords.
    • Do not reuse passwords across platforms.

    We’re proud to stand at the forefront of this fight, providing tools and strategies that keep our clients one step ahead of cyber threats. A huge thanks to KrebsOnSecurity for the recognition and for keeping the digital community informed and engaged.
