How your passwords can end up for sale on the dark web

Passwords

San Francisco (CNN Business) — Last month, Zoom joined a long list of companies whose user data has fallen prey to hackers. More than half a million account logins for the hugely popular video conferencing platform were discovered on the dark web, either offered for free or for next to nothing.

While some users may be tempted to blame the company for this, it’s actually part of a much bigger problem that involves hackers, a lawless corner of the internet and our own failure to choose better passwords.
Here’s how your personal info ends up on the dark web — and what you can do to protect yourself.

The password problem
Hundreds of millions of accounts are compromised every year in data breaches through phishing, malware and other types of attacks. More than 11.6 billion records have been breached since 2005, according to a running tally by California-based nonprofit Privacy Rights Clearinghouse.

Those accounts are often then dumped on hacker forums or put up on the dark web, a collection of websites that can only be accessed by a special type of browser called Tor (it stands for The Onion Router, and dark web sites end with .onion). Originally created by the US Navy in 2002 to enable anonymous online communication, the system’s enhanced encryption and anonymity means it’s often used for illegal activity, including drug sales.

Hackers buy databases of stolen passwords and bombard other websites with them until one works, a fairly common technique known as credential stuffing. They also run variations of the password with different combinations, according to Beenu Arora, CEO of Atlanta-based cybersecurity firm Cyble. If one of those passwords works on another service — a bank, for example — it can then be posted or sold on the dark web again.

“That happens a lot,” said Bruce Schneier, a cybersecurity expert and a fellow at Harvard University’s Berkman Center for Internet and Society. “There’s a big data breach, and then someone will try the same username and password at a bank, at Google. You just try it. A lot of us reuse passwords, so you might get lucky.”

Credential stuffing was likely how hackers managed to gain access to over 500,000 Zoom accounts that they then posted on the dark web, according to Cyble, which first flagged their availability. A Zoom spokesperson confirmed to CNN Business that its “ongoing investigation” suggests “bad actors” relied on the credential stuffing method.

“It is common for web services that serve consumers to be targeted by this type of activity, which typically involves bad actors testing large numbers of already compromised credentials from other platforms to see if users have reused them elsewhere,” the spokesperson said in a statement.

Zoom accounts may have been made available for barely a penny each, but that’s not always the case — especially when more sensitive or detailed information is compromised. Arora said certain passwords on the dark web, particularly those that provide access to financial or medical information, can sell for as much as $1,000 apiece.

The main source of vulnerability, experts say, is that people tend to use the same password across multiple accounts or don’t change their passwords even after they’ve been breached. Microsoft estimates that around 73% of passwords are duplicates.

“The weakest link is human behavior,” said Kiersten Todt, a former cybersecurity official in the Obama administration and currently managing director of the Cyber Readiness Institute, which advises businesses on how to secure their networks.

“We often think that a lot of this stuff requires a lot of deep technical engineering and science, but really they’re just algorithms” that exploit our tendency to use easy-to-remember passwords in multiple places, Todt added.

Find out if you’ve been hacked
There are some companies that offer free dark web scans, which allow you to submit information, including your social security number, credit card information and phone number, if you suspect any of those have been hacked. The companies will then scour the dark web for you and let you know if they find anything.

But these scans aren’t foolproof either. “There is no way for a company to search the entire dark web,” researchers at antivirus software provider Norton wrote in a blog post. “A scan can uncover when your data has been exposed. But it can’t find every instance of this.” If you’re not inclined to go through that more time-consuming process, and don’t want to give out some of the same sensitive information you’re worried about having been exposed in the first place, several sites offer services that simply let you enter your email address and tell you within seconds if it was part of a known breach.

Google (GOOGL) in December added a new update to its Chrome browser that warns people if their usernames and passwords may have been breached. Cyble touts its own service, a website called AmIBreached.com, where users can enter their email IDs to find out if and when it was compromised. Other antivirus providers such as Avast have similar services. Schneier said he makes his Harvard students check their details on haveibeenpwned.com.

Curious, and a little concerned as I realized I’d never checked before, I ran my personal email address through a few of these services. After an anxious few seconds when my entire online life flashed before my eyes, I saw the dreaded red exclamation-point-within-triangle symbol and discovered I was breached at least twice in 2017.

I definitely don’t know how many sites I’ve created logins for in the nearly two decades I’ve been using the internet, but as I’ve found out, all it takes is one bad password from any service, however forgettable. It turns out the culprits were 8tracks, a curated playlist service I used for a few months as a teenager before Spotify became a thing, and another through Indian travel booking website Yatra.com.

I don’t remember the last time I used either site, and thankfully I have definitely changed my passwords since 2017.

How to protect yourself
Once your account has been compromised, there isn’t much you can do short of changing your password.
“So my password was stolen, is there any way I can go to every criminal on the planet, to their computers, and delete my name? No,” said Schneier. “Change your password.”

If you haven’t been breached, on the other hand, you can preempt several types of attacks by simply using less common passwords or using different passwords for each of your accounts.

One easy fix, Todt says, is using “pass-phrases” — full sentences that are at least 15 characters long rather than just a single word or word-number combination. Sports teams are fair game too, she said, if you log in using something like ‘My favorite sports team is the San Francisco Giants’ rather than just ‘SanFranciscoGiants.’

And for those unable or unwilling to remember dozens of different passwords, Todt recommends password managers such as 1Password, LastPass and Dashlane — online services that can encrypt and store multiple passwords so you don’t have to keep typing them and can automatically prevent them from being reused across accounts.

Even those services can sometimes be vulnerable, however — LastPass was breached in 2015, when hackers gained access to email addresses, password reminders and encoded versions of passwords.

Users can also shore up their passwords by adding another hurdle between themselves and login on many sites. Multi-factor authentication, also known as two-factor authentication, requires an additional external credential along with your password — such as your fingerprint, a frequently-changing number combination that you get from an app, or a one-time code that may be emailed or texted to you.

Todt says users have a much greater ability to stymie hackers than they realize.
“It’s actually a source of empowerment, if you recognize that it’s in your power to have strong authentication,” she said. “So you have it in your power to prevent and thwart most types of common malicious attacks.”