[BreachExchange] AdGuard resets all user passwords after credential stuffing attack

Destry Winant destry at riskbasedsecurity.com
Thu Sep 20 22:32:46 EDT 2018


https://www.zdnet.com/article/adguard-resets-all-user-passwords-after-credential-stuffing-attack/

AdGuard, a popular ad blocker for Android, iOS, Windows, and Mac, has
reset all user passwords, the company's CTO Andrey Meshkov announced
today.

The company took this decision after suffering a brute-force attack
during which an unknown attacker tried to log into user accounts by
guessing their passwords.

Meshkov said the attacker used emails and passwords that were
previously leaked into the public domain after breaches at other
companies.

This type of attack, using leaked usernames and passwords to hack
into accounts at other services, is known as credential stuffing.

The AdGuard CTO said attackers were successful in their assault and
gained access to some AdGuard accounts, used for storing ad blocker
settings.

"We don't know what accounts exactly were accessed by the attackers,"
Meshkov said. "All passwords stored in AdGuard database are encrypted
so we cannot check whether any of them is present in the known leaked
database. That's why we decided to reset passwords of all users."

The company says it integrated the Have I Been Pwned API into its
existing infrastructure so that when users set a new password, the
AdGuard system will warn them if they're using a password leaked at
other services.

Meshkov said AdGuard now also uses stricter rules for choosing
passwords, and they also intend to support two-factor authentication
in the future.

The AdGuard exec also revealed that the company found out about the
attack after its rate-limiting systems detected the numerous failed
login attempts during the password guessing phase of the attack.

Most of the attacks were stopped, but some were successful, which
tends to happen when attackers get lucky and guess the correct
combination during the first login attempts.

It is unclear what the attackers were attempting to do with such
low-value accounts.
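
The leaked-password warning at password-set time described above can
be done without sending the password anywhere. This sketch is an added
example, not AdGuard's code or part of the article: it assumes the
k-anonymity range lookup offered by Have I Been Pwned's Pwned Passwords
service (SHA-1 prefix in, "SUFFIX:COUNT" lines out), and the function
names, sample passwords and counts are constructed, with a local
stand-in replacing the remote endpoint so it runs offline.

```python
import hashlib

def sha1_hex(password: str) -> str:
    return hashlib.sha1(password.encode("utf-8")).hexdigest().upper()

def parse_range(body: str) -> dict:
    """Parse 'SUFFIX:COUNT' lines (35 hex chars, colon, integer)."""
    counts = {}
    for line in body.splitlines():
        suffix, sep, count = line.strip().partition(":")
        if sep and len(suffix) == 35 and count.isdigit():
            counts[suffix.upper()] = int(count)
    return counts

def breach_count(password: str, fetch_range) -> int:
    """Times the password appears in the corpus. Only a 5-char hash
    prefix is handed to fetch_range, never the password or full hash."""
    digest = sha1_hex(password)
    return parse_range(fetch_range(digest[:5])).get(digest[5:], 0)

def password_warning(password: str, fetch_range):
    """Return a warning string for the user, or None if no match."""
    n = breach_count(password, fetch_range)
    if n > 0:
        return f"This password appears in {n} known breach records."
    return None

# --- constructed stand-in for the remote range endpoint (assumption) ---
LEAKED = {"password1": 2400000, "qwerty123": 120000}  # constructed counts
SEEN_PREFIXES = []  # records what would have left the server

def fake_fetch_range(prefix: str) -> str:
    SEEN_PREFIXES.append(prefix)
    lines = [f"{sha1_hex(p)[5:]}:{n}" for p, n in LEAKED.items()
             if sha1_hex(p)[:5] == prefix]
    lines.append("0" * 35 + ":0")  # padding-style entry with count 0
    return "\r\n".join(lines)

if __name__ == "__main__":
    for candidate in ("password1", "v9#Lq-unlisted-example"):
        print(candidate, "->", password_warning(candidate, fake_fetch_range))
```

The check needs the plaintext, so it can only run while the user is
typing a new password, which is consistent with the CTO's statement
that already-stored passwords could not be compared against leak data.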

