Does A Breached Password Lookup Reveal My Password?

I had a discussion yesterday with an acquaintance about some new infostealer leaks; I was talking about verifying whether the credentials were new or not (which was a silly thing to do, I should have known they weren’t in HIBP — for different reasons though) and I went to check whether some of the passwords were contained in the HIBP corpus. The acquaintance asked something to the effect of, “why would you put the password into a web form, isn’t that leaking it further?”. This reveals a common misconception about how breached password lookups typically work, both in HIBP itself and in competing commercial breach corpora.
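The lookup the acquaintance was worried about does not send the password. HIBP's Pwned Passwords range API takes only the first five hex characters of the password's SHA-1 and returns every hash suffix in that bucket; the match is made on the client. The following is an added example (not code from the original post or from HIBP) showing the client side of that k-anonymity query; the network fetch is injected as a function so it runs offline, and the range response below is constructed for the example, not real HIBP data:

```python
import hashlib
from typing import Callable, Dict, Tuple

# Real HIBP Pwned Passwords range endpoint. This example never contacts it:
# the fetch function is injected so everything runs offline.
RANGE_ENDPOINT = "https://api.pwnedpasswords.com/range/"
PREFIX_LEN = 5  # first 5 hex chars of the SHA-1 = 20 bits of the 160-bit hash


def sha1_hex(password: str) -> str:
    """Uppercase hex SHA-1 of the password, the form the range API uses."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest().upper()


def split_for_range_query(password: str) -> Tuple[str, str]:
    """Return (prefix sent to the server, suffix that never leaves the client)."""
    digest = sha1_hex(password)
    return digest[:PREFIX_LEN], digest[PREFIX_LEN:]


def parse_range_response(text: str) -> Dict[str, int]:
    """Parse 'SUFFIX:COUNT' lines into {suffix: count}."""
    counts: Dict[str, int] = {}
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        suffix, _, count = line.partition(":")
        counts[suffix.upper()] = int(count)
    return counts


def breach_count(password: str, fetch_range: Callable[[str], str]) -> int:
    """How many times the password appears in the corpus, or 0 if absent.

    Only the 5-character prefix is handed to fetch_range; the suffix is
    compared locally. The server learns at most which 1-in-2^20 bucket the
    hash falls into, never the password or its full hash.
    """
    prefix, suffix = split_for_range_query(password)
    return parse_range_response(fetch_range(prefix)).get(suffix, 0)


def bucket_count() -> int:
    """Number of distinct prefixes, i.e. how little the server learns."""
    return 16 ** PREFIX_LEN  # 1,048,576


# Constructed sample response for prefix 5BAA6 (SHA-1 of "password" starts
# with 5BAA6). The other suffixes and every count are made up for this
# example; they are not HIBP data.
SAMPLE_RANGE_5BAA6 = """\
1D2DA4053E34E76F6576ED1DA63134B5E2A:2
1E4C9B93F3F0682250B6CF8331B7EE68FD8:9545824
1F2B668E8AABEF1C59E9EC6F82E3F3CD786:1
"""


def offline_fetch(prefix: str) -> str:
    """Stand-in for an HTTP GET of RANGE_ENDPOINT + prefix."""
    return SAMPLE_RANGE_5BAA6 if prefix == "5BAA6" else ""


if __name__ == "__main__":
    prefix, suffix = split_for_range_query("password")
    print(f"sent to server: {prefix}   kept on client: {suffix}")
    print("times seen in sample corpus:", breach_count("password", offline_fetch))
```

Against the live API the fetch would be a GET of `RANGE_ENDPOINT + prefix`; the request body carries nothing, and the only thing in the URL is the 20-bit prefix. A practitioner checking leaked credentials in bulk should also set HIBP's `Add-Padding: true` header so response size does not hint at which bucket was queried.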

The (alleged) revival of Breachforums

Breachforums, the infamous darkweb hacking and stolen-data marketplace, recently suffered another setback when its remaining primary administrators were arrested in France, shutting down yet another iteration of the marketplace. This closes another chapter for a site that has caused immeasurable damage to consumer and enterprise systems alike, facilitating the sale and trade of initial access, credentials, and leaked data.

What Really Is That 16gb Password "Leak"?

Last week, a number of news outlets and organizations ran a story (followed soon after by something close to a retraction) about a darkweb password leak comprising 16B records. This immediately triggered a furor over whether this was really a single leak, where it came from, who was exposed and how, and so on, as always happens around these things.

That Time I Nearly Got Hegsethed

Not a deep one this week, just a funny story about something that happened to me on Tuesday, July 17. It’ll unfortunately be a short one, one that should probably be turned into a YouTube short, but moving pictures scare me.

Stealer malware attack vectors -- Lumma Stealer

Following the Microsoft and DoJ takedown of Lumma infrastructure, and this week’s news from Sophos about a single user hosting over 100 malware GitHub repositories, I wanted to spend some time looking into the specific vectors leveraged by some of these repositories. Recently, some of these attacks have included taking screenshots upon execution, which gives us a look at exactly what a user ran that triggered the RAT (Remote Access Trojan) and harvested data from their machine.

Encryption vs Hashing

Recently, a well-known software and security services company published a blog post titled “Password encryption: What is it and how does it work?”, which immediately raises a great many discussion points and questions. So I figured I’d do a short writeup on the difference between encryption and hashing, why we do not encrypt passwords, and why it’s dangerous to consider encrypting secrets rather than hashing them.
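The practical difference is reversibility: an encrypted password table plus its key yields every plaintext at once, while a salted, iterated hash gives an attacker nothing to invert and forces per-password guessing. The following is an added example (not code from the original post or from the company it discusses) putting both side by side. The stream cipher is a deliberately simple SHA-256-in-counter-mode toy standing in for a real cipher, used only to show that decryption is a function call away once the key leaks; the hashing side uses PBKDF2-HMAC-SHA256 from the standard library with a per-user random salt. Usernames and passwords below are constructed sample data.

```python
import hashlib
import hmac
import os
from typing import Dict, Optional

NONCE_LEN = 16
PBKDF2_ITERATIONS = 600_000  # order of magnitude OWASP recommends for PBKDF2-HMAC-SHA256


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """SHA-256 in counter mode. A toy keystream for illustration only,
    standing in for a real cipher such as AES-GCM."""
    out = b""
    counter = 0
    while len(out) < length:
        out += hashlib.sha256(key + nonce + counter.to_bytes(4, "big")).digest()
        counter += 1
    return out[:length]


def toy_encrypt(key: bytes, plaintext: bytes) -> bytes:
    """nonce || (plaintext XOR keystream)."""
    nonce = os.urandom(NONCE_LEN)
    ks = _keystream(key, nonce, len(plaintext))
    return nonce + bytes(p ^ k for p, k in zip(plaintext, ks))


def toy_decrypt(key: bytes, blob: bytes) -> bytes:
    """Exact inverse of toy_encrypt: anyone holding the key gets the plaintext."""
    nonce, ct = blob[:NONCE_LEN], blob[NONCE_LEN:]
    ks = _keystream(key, nonce, len(ct))
    return bytes(c ^ k for c, k in zip(ct, ks))


def recover_all_plaintexts(key: bytes, encrypted_db: Dict[str, bytes]) -> Dict[str, str]:
    """What an attacker holding the key and the table gets: every password, instantly."""
    return {user: toy_decrypt(key, blob).decode("utf-8") for user, blob in encrypted_db.items()}


def hash_password(password: str, salt: Optional[bytes] = None) -> str:
    """Salted, iterated hash. The stored string carries algorithm, cost and salt
    so verification can be reproduced; the password itself is not recoverable."""
    salt = os.urandom(16) if salt is None else salt
    dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ITERATIONS)
    return f"pbkdf2_sha256${PBKDF2_ITERATIONS}${salt.hex()}${dk.hex()}"


def verify_password(password: str, stored: str) -> bool:
    """Recompute the hash from the stored salt and cost; compare in constant time."""
    algo, iterations, salt_hex, dk_hex = stored.split("$")
    if algo != "pbkdf2_sha256":
        return False
    dk = hashlib.pbkdf2_hmac(
        "sha256", password.encode("utf-8"), bytes.fromhex(salt_hex), int(iterations)
    )
    return hmac.compare_digest(dk.hex(), dk_hex)


if __name__ == "__main__":
    # Constructed sample users; not real credentials.
    key = os.urandom(32)
    encrypted = {"alice": toy_encrypt(key, b"hunter2"), "bob": toy_encrypt(key, b"Tr0ub4dor&3")}
    print("key leaked ->", recover_all_plaintexts(key, encrypted))

    hashed = {"alice": hash_password("hunter2"), "bob": hash_password("Tr0ub4dor&3")}
    print("hash table leaked ->", hashed)  # no key exists that turns these back into passwords
    print("alice logs in:", verify_password("hunter2", hashed["alice"]))
```

Two things worth noticing when running it: the same password hashed twice produces two different strings because each call draws a fresh salt, so an attacker cannot precompute one table for all users; and the "encrypted" table has a single point of failure (the key) that the hashed table does not have, which is the whole reason the encryption-vs-hashing distinction matters for secrets that only ever need to be verified, not read back.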
