You Should Set Up haveibeenpwned Alerts For Your Entire Organization Right Now

Posted on Dec 21, 2018 by James Gallagher

In a world where a constant flow of breaches is in the news, it’s important to stay on top of compromised accounts for cloud services and respond quickly. This matters even more for an organization, where the compromise of one user account can bring the entire organization down. If a user signs up for a third-party cloud service with their work email address and uses an identical or similar password to the one they use for work, the organization could easily fall prey to credential stuffing attacks. Such attacks involve trying compromised credentials anywhere and everywhere they might grant access, including your organization’s perimeter. Fortunately, security expert Troy Hunt runs an excellent free service, haveibeenpwned.com, which helps mitigate this. Although the service is widely used by individuals, it’s perhaps less well known that you can set up alerts for your organization’s domain, so that you receive an email any time a breach involving an account belonging to one of your users is detected. This can be invaluable to an organization defending its network in the modern threat landscape.

The haveibeenpwned.com service monitors information that has been dumped to publicly accessible content-sharing websites like Pastebin. These sites are frequently used by attackers to share information anonymously and are often the first place a breach appears. If you want to quickly check whether a breach has been detected for your own email address, you can do so easily at haveibeenpwned.com. You can also easily set up alerts for your own account, so that you can proactively respond to breaches and change your password. If you want to set up alerts for all email accounts in your organization’s domain, you’ll need to complete a few extra verification steps, but it’s not difficult. To verify that you own the domain, the site offers four options: verification by email, by creating a DNS TXT record, by adding an HTML meta tag to your website, or by uploading a .txt file to your website. If you use the email option, you need to have access to one of the following email addresses for your organization:

[email protected]
[email protected]
[email protected]
[email protected]

(Replace example.com with your organization’s domain name.)

Once you have verified that you control the domain, you can download a file containing any breached accounts, in HTML, xlsx or JSON format. The file lists accounts whose password was compromised, but also any email addresses that were exposed without a corresponding password.

There are many dubious paid services out there claiming to monitor the dark web for compromised accounts, but haveibeenpwned.com is free and comes from a reputable source. The creator of the service, Troy Hunt, is well known in the security community and is an international speaker on web security.

Let’s look a bit closer at exactly what threats this service can help an organization mitigate. Imagine that John in your HR department creates an account with a popular recruiting website. John has hopefully received security training at your organization and has been told not to reuse passwords. But today he forgot. John signs up with his work email address to the recruiting website and uses the same password that he uses for his Active Directory account on your organization’s network. John thinks his password is unbreakable anyway, because it’s 20 characters long and uses all character sets. In fact, John boasts that he actually uses a passphrase instead of a password. What hasn’t occurred to John is what might happen if one of the sites he reuses this password on is compromised. A month later, the recruiting website is compromised due to a vulnerability. Not only that, but the recruiting site was storing passwords insecurely, in plaintext (the passwords were not hashed and salted). The attacker now has the list of usernames and passwords and uses them not only to access John’s data on the recruiting site, but eventually your network as well. The attacker notes the domain name from John’s work email address and starts to do some reconnaissance on the perimeter of your network. One of the external resources the attacker discovers is perhaps a VPN server. The attacker tries John’s credentials against the VPN and suddenly is on your network. With any luck, the attacker may be able to exploit additional internal vulnerabilities and gain complete control of your network. This could result in a mass ransomware attack or loss of sensitive data, among many other possible outcomes. This is of course a fictional worst-case scenario, but it is completely plausible and quite similar to things that have happened to organizations in the real world.

The attack above could potentially be mitigated by using haveibeenpwned.com, however. If you have alerts set up and receive an alert for John’s account as soon as the recruiting site breach is detected, it may be possible to work with John to mitigate the situation quickly. You may even be able to help John secure his data on the compromised recruiting website before the attacker gets to it, or at least assess the damage and respond accordingly. In addition, John’s Active Directory password, which grants VPN access to your network, can be changed immediately. Logs can also be checked to determine whether the credentials have already been used to breach the network.
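As an added example of that last step (not code from the original post or from haveibeenpwned.com), the script below cross-references a domain breach export with VPN authentication logs and flags successful logins by a password-exposed account on or after the breach date. The export field names (`email`, `breach_name`, `breach_date`, `password_exposed`) and the log line format are assumed, constructed for illustration, not the real export schema.

```python
"""Flag VPN logins by accounts whose password appears in a breach export."""
import json
import re
from datetime import datetime, timezone

# Constructed sample export (assumed field layout, not the real schema):
# one account with a leaked password, one exposed without a password.
BREACH_EXPORT = json.dumps([
    {"email": "john@example.com", "breach_name": "RecruitSite",
     "breach_date": "2018-11-15", "password_exposed": True},
    {"email": "alice@example.com", "breach_name": "NewsletterCo",
     "breach_date": "2018-10-02", "password_exposed": False},
])

# Constructed VPN authentication log lines (syslog-style, UTC timestamps).
VPN_LOG = """\
2018-11-10T08:02:11Z vpn1 auth: user=john@example.com result=success src=203.0.113.5
2018-11-20T02:14:53Z vpn1 auth: user=john@example.com result=success src=198.51.100.77
2018-11-21T09:30:00Z vpn1 auth: user=alice@example.com result=success src=203.0.113.9
2018-11-22T03:01:45Z vpn1 auth: user=john@example.com result=failure src=198.51.100.77
"""

LOG_RE = re.compile(
    r"^(?P<ts>\S+) \S+ auth: user=(?P<user>\S+) result=(?P<result>\w+) src=(?P<src>\S+)$"
)


def load_exposed_passwords(export_json):
    """Map lowercase email -> breach date (UTC) for accounts whose password leaked.
    Addresses exposed without a password still deserve a heads-up, but they do
    not by themselves enable credential stuffing, so they are left out here."""
    exposed = {}
    for rec in json.loads(export_json):
        if rec["password_exposed"]:
            when = datetime.fromisoformat(rec["breach_date"]).replace(tzinfo=timezone.utc)
            exposed[rec["email"].lower()] = when
    return exposed


def suspicious_logins(export_json, log_text):
    """Return successful logins by a password-exposed account dated on or after
    its breach; each is a session to review while the password is being reset."""
    exposed = load_exposed_passwords(export_json)
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # skip lines that are not auth events
        user = m["user"].lower()
        ts = datetime.fromisoformat(m["ts"].replace("Z", "+00:00"))
        if user in exposed and m["result"] == "success" and ts >= exposed[user]:
            hits.append({"user": user, "time": m["ts"], "src": m["src"]})
    return hits
```

Only the login from 2018-11-20 is flagged: the earlier John login predates the breach, Alice's password was never exposed, and the failed attempt is not a session.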

As you can see, detection using haveibeenpwned.com is an important layer of security that can easily be set up by any organization and can potentially deliver a huge return on investment.