[BreachExchange] Identity thieves used stolen data 9 minutes after it was posted online

Audrey McNeil audrey at riskbasedsecurity.com
Fri May 26 15:19:33 EDT 2017


When personal data is dumped online, it can take just nine minutes for bad
guys to start using it, according to a report from the Federal Trade

Over the course of three weeks in April and May, the FTC analyzed what
happens when hacked personal data is shared online.

Researchers created 100 fake consumers and gave them fictitious personal
information like names, emails and passwords, and either a credit card,
Bitcoin wallet, or online payment account. Then they posted the collection
of data on a site popular with leaking stolen credentials, once on April 27
and a second time on May 4.

According to Dan Salsburg, acting chief at the FTC's Office of Technology
Research and Investigation, the the FTC observed two types of identity
thieves -- those who want to test credit cards' authenticity to resell
them, and those who tried making big purchases on things like clothing or

"There are people laying there in wait, ready to pounce on stolen
credentials," Salsburg told CNNTech.

Nine minutes after the publication on May 4, thieves began using the data
-- a Twitter (TWTR, Tech30) bot picked up the posting, which could have
helped speed up hacking attempts. On April 27, it took one and a half hours
before the fake credentials were used.

All told, there were over 1,200 attempts to access accounts belonging to
the fake consumers. That includes a total of $12,825.53 attempted credit
card purchases and 493 attempts to access emails.

There are ways you can prevent cybercriminals from using your data, even if
it's published online. Salsburg said some of the test accounts were
protected by two-factor authentication, a security feature that requires a
second code in addition to your password (usually texted to your phone) to
log in to your account.

It's not a perfect solution -- if your phone gets stolen, thieves could
have access to your backup codes. But it is a simple and effective security

Identity thieves did not access the fake accounts with two-factor
authentication enabled.
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.riskbasedsecurity.com/pipermail/breachexchange/attachments/20170526/b7808d2f/attachment.html>

More information about the BreachExchange mailing list