Skip links

There are 24.6 billion pairs of credentials for sale on dark web

In brief More than half of the 24.6 billion stolen credential pairs available for sale on the dark web were exposed in the past year, the Digital Shadows Research Team has found.

Data recorded from last year reflected a 64 percent increase over 2020’s total (Digital Shadows publishes the data every two years), which is a significant slowdown compared to the two years preceding 2020. Between 2018 and the year the pandemic broke out, the number of credentials for sale shot up by 300 percent, the report said. 

Of the 24.6 billion credentials for sale, 6.7 billion of the pairs are unique, an increase of 1.7 billion over two years. This represents a 34 percent increase from 2020.

With all those credentials available for sale online, account takeover attacks have proliferated as well, the report said. Seventy-five percent of the passwords for sale online were not unique, noted Digital Shadows, which said everyone needs to be wary.

Proactive account protection, consistent application of good authentication habits, and awareness of one’s organizational digital footprint are necessary to protect against account takeover attacks, the study found. Individuals, the report said, should “use multi-factor authentication, password managers, and complex, unique passwords.”

Breach at Kaiser Permanente nets 70,000 patient’s data

Non-profit healthcare firm Kaiser Permanente has informed 69,589 patients of an April data breach that compromised their records. Names, medical record numbers, dates, and lab test result information was potentially stolen.

The theft is only classified as a “maybe” [PDF] because of how the breach happened: An employee’s email was hacked. “We have determined that protected health information was contained in the emails and, while we have no indication that the information was accessed by the unauthorized party, we are unable to completely rule out the possibility,” Kaiser said in its notification. 

The access was reportedly detected and terminated within hours, and Kaiser said it has no evidence of any identity theft or misuse of protected health information. Sensitive information like Social Security Numbers or credit card information was not included.

Since Kaiser Permanente was breached in April, which it reported to the department of Health and Human Services in June, there have been 13 other reports of healthcare security break-ins. Only one managed to top Kaiser’s – a breach at Texas Tech University Health Sciences Center that affected 1,290,104 people.  

Citrix vulnerability lets remote user reset admin passwords

Virtualization company Citrix has reported a serious pair of bugs in its Application Delivery Management (ADM) software that could lead to “corruption of the system.”

More specifically, the pair of bugs can enable “​​the reset of the administrator password at the next device reboot, allowing an attacker with ssh access to connect with the default administrator credentials,” Citrix said

The second bug allows an attacker to disrupt the Application Delivery Management service, preventing new licenses from being issued or existing ones from being renewed.

It’s unclear if the exploitation of the first is connected to the second, or if the two are simply being patched at the same time. 

Citrix said that both bugs affect all supported versions of Citrix ADM server and Citrix ADM agent 13.1 and 13.0, the only supported versions. Builds ADM 13.1-21.53 and ADM 13.0-85.19 contain patches that resolve the issues. Citrix ADM service, the cloud-hosted version of ADM, has been automatically updated and no customer action is required.

In addition to updating to the latest version, Citrix also recommends customers segment network traffic to the Citrix ADM, either physically or logically, to reduce attack surface.

Bugcrowd bans user for following instructions

Bug bounty platform Bugcrowd founder and CTO Casey John Ellis has admitted his company’s mistake in banning security researcher Soatok from its platform for, by all accounts, doing exactly what they told him to do. 

Soatok, who by Bugcrowd’s own admission has earned more than $2,500 from reporting bugs on the platform, got some blowback from Bugcrowd support after finding a cryptographic bug in the JavaScript BigNumber (JSBN) library. 

A submission Soatok made was deemed invalid for not including an example of exploit code, which Soatok maintains was left out because cryptographic exploits are complicated to develop. 

Soatok ultimately contacted Xfinity, which handles JSBN bugs under the scope of its Bugcrowd open-source bounty program, and was told to contact JSBN’s maintainers through their GitHub repository, which he did. Because the bug had already been reported on Bugcrowd, Soatok’s account was suspended for violating Bugcrowd’s code of conduct.

The incident picked up traction on Twitter, triggering Ellis to step in. “Bugcrowd definitely didn’t do its best work here, and we’re aware,” Ellis tweeted. “I’ve been speaking with Soatok to understand better and apologize.” 

Soatok said that Ellis “wasn’t blowing smoke” with his tweet. “He apologized up front and asserted that this escalation should not have ended the way it did, while promising an investigation into what went wrong, how to resolve it, and how to avoid it in the future,” Soatok said. 

Soatok said Bugcrowd’s senior director of security ops, Michael Skelton, told him that Bugcrowd is prioritizing updates to its SecOps runbooks for cryptography, and are also working on filling a knowledge gap in the field. 

Still, Soatok said he’s unlikely to return to Bugcrowd. “Trust is easy to lose and difficult to regain. Information security as an industry has to understand this truth better than users, or we will fail them,” Soatok said. ®