In the past year there have been many major data breach incidents in which usernames, email addresses and sometimes even passwords were compromised. Some of these incidents included big organizations with millions of usernames leaked.
According to the 2014 Trustwave Global Security Report, "The volume of data breach investigations increased 54 percent over 2012" and "45 percent of data thefts involved non-payment card data".
In my personal blog I wrote a post describing how I obtained the ability to extract email addresses hosted on Google's email service Gmail, including email addresses belonging to corporates that externalized their email management through Google Apps for Business.
After reading my blog post people questioned how important email addresses and usernames really are. "Why is it such a big deal when email addresses or usernames are stolen?" is a question I get asked fairly frequently. This post will attempt to answer that question.
Usernames, Emails and Phone Numbers
In most applications today, we login by providing two identifiers – a username and a password. The use of an email address or phone number as a username has been adopted by almost every big website out there, and by all of Alexa's Top 10 sites, including Google, Facebook, Yahoo, Microsoft Live and more.
The common usage of email addresses as usernames sometimes leads end users to think that the sign-on for any given site is a "single sign-on" and enter the password for their email account. This results in the re-use of credentials and if that third-party site is hacked, the attacker would have access to not only that account, but the user's e-mail account as well.
A username can also be used to contact the user by e-mail or phone, supporting malicious activities such as phishing attacks and spam campaigns.
Username leakage is permanent, Password leakage is not
"To help ensure customers' trust and security on [e-commerce site], I am asking all users to change their passwords." This quote is taken out of an email I received from a big e-commerce site in May 2014, following a data breach.
At some point in time, every computer user is going to be asked to replace their password. Can you imagine getting the following message when usernames have been leaked?
"To help ensure customers' trust and security on [e-commerce site], I am asking all users to change their email addresses."
How can you change your email address when almost any other website out there identifies you the same way? Let's say your email address has been leaked, are you going to change your Google, Facebook and Windows Live usernames?
Username leakage is cross-site
As I mentioned earlier, your email address is being used for authentication everywhere. If it has been exposed, it can be used to access your Google account, Facebook account or trying to hack into your smartphone via your Apple Id or your Google Play account name.
What damage can be done by stockpiling usernames?
Different attack vectors can be used depending on whether the username is also a means of contacting a user (email/phone). The following figure lists ten possible attack vectors (coloring has nothing to do with severity in this case). The ones colored in purple can be launched regardless of the username's structure, while the ones colored in blue are cases in which the username is also an email or a phone number:
Attack vectors available to attacker who obtained usernames.
Bruteforce and dictionary attacks
The log-in process is completed by sending a username and a password to the application. If attackers obtain a username, they can then launch Bruteforce and Dictionary attacks on a given username to try and determine the password:
- Bruteforce attack – the attacker tries all possible password combinations.
- Dictionary attack – the attacker uses a large list with thousands of possible passwords that are commonly used as a password.
A Bruteforce or Dictionary attack is successful when a username-password combination which results in a successful login is found. This allows for the full takeover of an account.
Note that in some cases a "security-lockout" mechanism is implemented, which locks a username from authenticating after a threshold of failed login attempt was reached.
Sometimes an attacker just wants to hack as many accounts as possible with the least amount of effort. For such cases, and in case a "security-lockout" mechanism is implemented, reverse-bruteforce attacks might be the chosen attack vector.
Assuming a site only allows five failed login attempts before locking out an account, the attacker chooses the four most common passwords which comply with the site's password policy. If we use SpiderLabs' analysis based on 2,000,000 leaked passwords, such passwords could be: "123456", "123456789", "1234" and "password".
Now, for every given password in the above list, we are going to try every username we've obtained. The bigger the list of leaked usernames, the bigger the number of fully hacked accounts will likely be.
In this case, if a site only allows five failed login attempts before locking out an account, the attacker chooses five unlikely passwords and tries all of them for every leaked username.
The result would be the locking of all accounts potentially rendering a website completely useless. Some websites automatically unlock accounts after a predefined period of time, but the attacker can repeat the attack endlessly to bypass such countermeasures and continuously lock the accounts again.
Obtained usernames can be used to attack non-web based systems. This is often the case where the obtained usernames are also used for authentication in a domain network.
A discovered username can be used to launch attacks on VPN gateways, FTP services and remote administration interfaces such as SSH and Remote Desktop.
Reputation Damage to the Brand Name (Bad Press)
This attack vector is fairly self-explanatory. The attacker can just dump all of the leaked information in services such as pastebin.com, and the media would take care of the rest.
It's not so rare to see a story of stolen usernames turn into a headline to the effect of "Company XY hacked, 300,000 accounts compromised!" with no regard to whether or not any accounts were actually fully compromised. The combination of a company's name with the word "hacked" in a headline alone can make a stock drop, lead many fearful customers to contact the customer service personnel, or even lead to breach-related lawsuits.
Attack Other Applications
At the beginning of this article I've mentioned that username leakage might be "cross-site." If the compromised information is used to identify you in other applications, these applications are also subject to some of the attacks mentioned throughout this post.
Now, we'll move on to discussing the attacks that are made possible if the usernames are also email addresses or phone numbers.
Phishing and Vishing (Voice Phishing)
Usernames are half of full account takeover. The other half is the password. Attackers can use email addresses and phone numbers to contact users and trick them into giving their passwords away.
Let's discuss the following hypothetical scenario:
- An attacker obtained a million email addresses from a site
- The attacker dumps the information into pastebin.com and informs the media of the hack
- The attacker contacts the users with sophisticated email messages claiming to be from the site
- The phishing message informs users of the data breach and urges them to change their password by following a link
- Some of the users that verified the breach on the online media choose to follow the link which leads them into a phishing site – masquerading as the actual site
- The users are asked to enter their existing password before creating a new one
- The attacker can now use the information to completely takeover the account on the hacked site
Spam lists and Spam Campaigns
Maintaining a list of emails can be very profitable for attackers. Such lists can be sold to spammers for money. The attackers may also choose to offer spam services themselves.
In a spam campaign, the leaked usernames would be used to contact users by email or phone in order to present commercials or spread malware.
An attacker may sometimes choose their target more carefully as targeted attacks on specific users might be harder to detect and investigate, and some targets are more valuable than others.
Let's say that the attacker notices the following email address in the list of exposed emails:
Using common logic, the attacker understands that compromising the computer used by this specific user is invaluable. He then attempts to create targeted phishing attacks only on this selected user. If successful, the attacker would be granted access to an organization's key assets.
"Forgot Your Password?"
Sometimes the easiest way to hack an account is to utilize the "forgot password" recovery process. Forgot password pages are most often the weakest link in a site's authentication schema.
You are often required to provide your username, email or phone number, and then answer a few personal questions. Such a question may be "what is your mother's maiden name?", which is far easier to guess or obtain than your actual password.
Completing the "forgot password" process successfully often results in full account takeover.
As mentioned before, such attacks could also be launched on other websites in which your leaked contact information is being used as your username.
Exploit Other Vulnerabilities
Some web-related vulnerabilities require the user to click a malicious link on the website. Among such attacks are OWASP TOP 10 attacks such as cross-site-scripting and cross-site-request-forgery.
Exposed emails can be used to contact users and ask them to access the site, activating and enhancing other attacks.
Different parties (such as governments) aim to create the most complete information base for their attacks. Adding usernames and contact information to their arsenal is something that should also worry the reader.
Usernames, email addresses and phone numbers are invaluable pieces of information for attackers. They can be used in a large variety of attacks which in some cases result in full account takeover.
When it comes to username leakage – size matters. The bigger the list of exposed username the more damage can be done by a malicious entity.