gouki

That ‘magic’ number

May 2, 2007

[ad] 09 F9 11 02 9D 74 E3 5B D8 41 56 C5 63 56 88 C0 This is everywhere today. Every major news site has this ‘magic’ number in it. Digg.com had stories with more than 24.000 diggs (that’s actually the first time I see that many). In case you’ve been in a cave […]

Buffer

Cryptography, Linux Hacking› Read More

NMAP 4.20 released

December 8, 2006

[ad] This is just a simple warning to all NMAP users out there. If you’re registered on the announcement mailing list you already now this, otherwise, heads up. NMAP 4.20 has been released with something that looks promising. 2nd generation OS detection. The changelog is available here. Enjoy!

Buffer

Hacking Tools› Read More

New Firefox vulnerability – DoS and [DELETED] – UPDATED

October 31, 2006

[ad] This has just been posted to Bugtraq. For now you can test if your version is vulnerable, here. (will cause Firefox to close) So far Firefox 1.5.0.7 and 2.0 (Linux) have been tested, and both vulnerable. Firefox 1.0.7 (Win32), not vulnerable. The code used on the test page and the one submitted to Bugtraq […]

Buffer

Exploits/Vulnerabilities› Read More

CAPTCHA – Safer and better looking

July 17, 2006

[ad] CAPTCHA, acronym for “completely automated public Turing test to tell computers and humans apart” is used, most of the times at least, as an authentication mechanism. Not to prove your identity, but to do a much simpler job than that; to prove your a human. With the bad guys always a step ahead (which […]

Buffer

Hacking News› Read More

Month of Browser Bugs (MoBB)

July 4, 2006

[ad] Get ready for a complete month of fun with H D Moore’s Month of Browser Bugs. Quoting from Browser Fun blog: This blog will serve as a dumping ground for browser-based security research and vulnerability disclosure. To kick off this blog, we are announcing the Month of Browser Bugs (MoBB), where we will publish […]

Buffer

Exploits/Vulnerabilities› Read More

Data Mining MySpace Bulletins

July 4, 2006

An interesting find made by John Hackenger surfaced today. For those of you familiar with MySpace, you’ll know that it uses ‘Bulletins’ to send a single message to multiple friends in your list. Because the message is sent only to the people you have authorized to be on your list, sometimes you get a feel […]

Buffer

Privacy, Web Hacking› Read More

Microsoft got Defaced

June 18, 2006

No, it wasn’t Microsoft.com, still, a very cool hack. Microsoft France suffered an attack by a Turkish group, going by the handle of TiTHacK. You can check TiTHacK ‘profile’ over at Zone-H. By the looks of things, he has been really busy today. At the time of this writing, the site still hasn’t been fixed. […]

Buffer

Web Hacking, Windows Hacking› Read More

Security Events Around the World

June 14, 2006

[ad] Following Darknet post regarding SyScan’06, I decided to make a little resume of the most important security events all around the world. Unfortunately we won’t be able to go, so all the pictures are welcome. (-: If there’s any missing do let us know. Recon 2006 – WWW – 16 June to 18 June […]

Buffer

Events/Cons› Read More

Spam – A Simple Guide To Keeping Your Inbox Clean

June 14, 2006

[ad] In my opinion, the best way to keep clean of spam is simple: The first rule is NEVER reply to spam, NEVER click the unsubscribe link and NEVER e-mail to the unsubscribe address. These are simply underhand tactics to get ‘active’ e-mail addresses. Some other tips to avoid getting spammed in the first place: […]

Buffer

Countermeasures, Spammers & Scammers› Read More

Fake Microsoft Patch – BeastPWS-C

May 31, 2006

[ad] If you receive a e-Mail alert of a new patch for your Windows XP OS, think again before opening the link present on the message. The spammed emails, which purport to come from [email protected], claim that a vulnerability has been found ‘in the Microsoft WinLogon Service’ and could ‘allow a hacker to gain access […]

Buffer

Malware, Windows Hacking› Read More

# Download from GitHub Releases # https://github.com/n3rada/MSSQLand/releases # For operators compiling from source # Requires Visual Studio with .NET Framework 4.8 SDK git clone https://github.com/n3rada/MSSQLand.git cd MSSQLand # Open MSSQLand.sln in Visual Studio and build for x64 Release

MSSQLand.exe <host> [options] <action> [action-options] # Connection test only (no action executed) MSSQLand.exe localhost -c token # Execute specific action MSSQLand.exe localhost -c token info MSSQLand.exe localhost:1434@db03 -c token info # Linked server chain traversal # Format: server:port/user@database or any combination # Semicolon (;) separates servers, forward slash (/) specifies impersonation MSSQLand.exe localhost -c token -l SQL01;SQL02/admin;SQL03@clients info # Configuration Manager actions (cm- prefix) MSSQLand.exe sccm-db.corp -c token cm-devices MSSQLand.exe sccm-db.corp -c token cm-scripts # CSV output for automation MSSQLand.exe localhost -c token --format csv --silent procedures > procedures.csv

Stolen credentials are now the single most reliable entry point into enterprise networks. Compromised credentials accounted for 22% of all confirmed data breaches in the period covered by Verizon’s extended credential stuffing analysis accompanying the 2025 DBIR, making it the most common initial access vector for the third consecutive year. Credential stuffing, the automated replay of stolen username-password pairs at scale, requires minimal skill, costs almost nothing to run, and succeeds at rates that make it economically rational to run campaigns against thousands of targets simultaneously. Multi-factor authentication (MFA) remains the single most effective control against it, yet deployment gaps persist across sectors that should know better.

The Credential Supply Chain

Credential stuffing depends on a supply chain that runs from infostealer malware through dark web markets to attack tooling. Malware families, including Lumma, RedLine, StealC, and Acreed, scrape browser password vaults, saved cookies, and autofill data from compromised machines. The harvested data is identical to what tools like DumpBrowserSecrets extract during post-exploitation: saved passwords, session cookies, OAuth refresh tokens, and autofill entries pulled directly from Chrome, Edge, Firefox, and every other major browser. Attackers package that raw material into structured files known as combolists, formatted as email: password pairs, cleaned of duplicates, and categorised by service type or geography before selling them on.

Combolists trade freely across dark web forums, Telegram channels, and dedicated cracking communities. The initial access broker ecosystem documented throughout 2025 has normalised validated credentials as a commodity. Fresh lists built from recent infostealer logs command significantly higher prices than aged database dumps because they have higher validity rates. The Verizon analysis found that only 49% of a user’s passwords across different services are distinct. That figure is what makes credential stuffing economically viable: breach one service, and there is roughly a 50% chance the same password works elsewhere. Across millions of accounts, that probability becomes near-certainty.

The tooling that drives attacks is openly available. OpenBullet and its successor, SilverBullet, are credential-stuffing frameworks originally released as penetration testing utilities, now standard tools in account-takeover (ATO) operations. They automate the full attack loop: loading combolists, rotating through residential proxies to dodge rate limiting and IP blocks, sending login requests that mimic legitimate browser behaviour, and logging successful hits. Attackers also buy and sell custom configuration files, known as configs, that define the authentication flow for specific target services. Unofficial marketplaces offer configs for specific banking portals, SaaS platforms, and enterprise single sign-on (SSO) providers alongside combolists and proxy subscriptions.

Three Case Studies from 2025

In late March 2025, coordinated credential stuffing attacks hit five major Australian superannuation funds simultaneously: AustralianSuper, Rest Super, Hostplus, Australian Retirement Trust, and Insignia Financial. As BleepingComputer reported on the coordinated attacks, attackers compromised over 20,000 accounts across the five funds, with four AustralianSuper members losing a combined AUD 500,000. The attackers used combolists from prior unrelated breaches. AustralianSuper offered MFA but did not enforce it at login, a gap that regulators identified as the primary enabling factor. Retirement funds make attractive targets because account balances are high, withdrawals are slow to reverse, and many members check their accounts infrequently.

In April 2025, VF Corporation notified customers of a credential-stuffing attack against the North Face online store. BleepingComputer’s coverage of the April incident confirmed that attackers used credentials from earlier unrelated breaches to access accounts and exfiltrate names, email addresses, shipping addresses, phone numbers, purchase history, and dates of birth. Payment card data was not exposed, as a third-party provider handles payment processing. The April attack followed a March incident that exposed 15,700 accounts across The North Face and Timberland. It was the fourth credential stuffing incident against VF Corporation brands since 2020. The pattern reflects a structural problem: tens of millions of customer accounts, high password reuse rates, and authentication systems not designed to detect low-and-slow validation campaigns.

The Change Healthcare breach in February 2024 remains the most consequential recent example of credential-based initial access. The ALPHV/BlackCat ransomware group entered UnitedHealth’s Change Healthcare subsidiary through compromised Citrix credentials on a remote-access portal without MFA, as confirmed in Congressional testimony from UnitedHealth’s CEO. The attackers moved laterally through the billing network and deployed ransomware that shut down payment processing for healthcare providers across the United States for weeks. The incident produced a $22 million ransom payment and an estimated $872 million in reported disruption costs in the first quarter alone. One set of valid credentials on one unprotected endpoint caused one of the largest healthcare-sector disruptions in US history.

Detection and Evasion Techniques

Modern credential stuffing campaigns specifically target the detection mechanisms most organisations have deployed. Attackers bypass velocity-based controls that flag high volumes of failed login attempts from a single IP by rotating through residential proxies. They distribute attempts across thousands of IP addresses so each one generates only a handful of requests, staying below alert thresholds. Third-party CAPTCHA-solving services handle challenge pages, some of which are automated via machine learning and others through human labour farms. Tools that emulate legitimate browser environments, including correct JavaScript execution, realistic mouse movement patterns, and authentic request timing, defeat browser fingerprinting.

The MITRE ATT&CK framework categorises credential stuffing under T1110.004 (Brute Force: Credential Stuffing). Defenders should monitor for several specific signals: unusual geographic distributions of authentication requests, spikes in failed logins spread across a wide IP range rather than concentrated at a single source, and successful logins from IP addresses tied to residential proxy services. Account logins from devices or browsers with no prior history on the account also warrant investigation. The Verizon analysis found that credential stuffing accounted for a median of 19% of all authentication attempts across SSO providers, meaning roughly one in five login attempts was not legitimate.

One underappreciated detection gap is the window between credential exposure and organisational awareness. Dark web monitoring tools available to enterprise teams in 2025 make it operationally achievable to track stealer log markets and paste sites for corporate email domains. Many organisations still treat that monitoring as optional rather than a core detection layer. Credentials circulate in combolists for months before the affected organisation becomes aware, and attackers exploit that window systematically.

Regulatory Response

The 23andMe case produced the most visible regulatory outcome tied directly to credential stuffing. A 2023 attack using combolists accessed approximately 6.9 million customer records. The UK Information Commissioner’s Office fined the company £2.31 million for failing to implement adequate security, specifically the absence of mandatory MFA for accounts holding sensitive genetic data. In March 2025, as Wired reported in its coverage of the 23andMe bankruptcy, the company filed for Chapter 11, with the credential stuffing incident and its downstream legal consequences cited as contributing factors. Regulators in the UK and EU now reference the case as evidence that weak authentication controls constitute a material governance failure, not a technical oversight.

CISA’s 2024 guidance on phishing-resistant MFA explicitly identifies credential stuffing as a primary threat driver. It recommends hardware security keys and passkeys using the WebAuthn standard as the only controls that fully eliminate the credential reuse vector. SMS one-time passwords and Time-based One-Time Password (TOTP) codes provide partial protection but remain vulnerable to adversary-in-the-middle (AiTM) interception, a technique increasingly applied against accounts whose value justifies the extra effort.

CISO Playbook

Phishing-resistant MFA enforced across all externally facing authentication endpoints, including VPN portals, SSO providers, and remote desktop services, eliminates the primary path for exploitation. Password screening against known-breach corpora at login and account creation, using services such as the Have I Been Pwned API, removes credentials already circulating in combolists before attackers can validate them. Rate limiting and progressive account lockout on all authentication endpoints, including API login flows that teams frequently overlook, cuts the volume of attempts that reach the validation stage.

Bot detection that analyses behavioural signals, including request timing, device fingerprint consistency, and session cookie behaviour, provides a second line of defence against campaigns that have already bypassed IP-based controls. For organisations on legacy identity infrastructure, a full platform replacement is not the immediate priority. Enforcing MFA on the externally facing authentication layer, regardless of what sits behind it, addresses the highest-risk exposure first. The Change Healthcare incident is the clearest available proof of what one unprotected endpoint costs at scale.

There is no technical solution that eliminates credential stuffing entirely. Password reuse persists, infostealers continue operating at scale, and combolists will keep growing. The practical objective for defenders is to raise the cost of a successful attack on their specific environment above what attackers can profitably tolerate, and to detect the attempts that do succeed before they compound into something worse. Given that 22% of breaches in 2025 started with a valid credential, organisations that treat authentication hygiene as routine maintenance rather than a strategic priority are already in the breach statistics.

Frequently Asked Questions

What is credential stuffing, and how does it differ from brute force?

Credential stuffing uses real username-password pairs stolen from previous breaches and automatically replays them against other services. Brute force generates password guesses from scratch. Stuffing is faster, quieter, and far more effective because it exploits password reuse rather than attempting to crack unknown passwords. A combolist of 10 million verified credentials will outperform any brute-force dictionary attack against the same target.

What is a combolist, and where do attackers get them?

A combolist is a structured file of email-and-password pairs compiled from data breaches, infostealer malware logs, and dark web markets. Attackers source them from initial access broker forums, Telegram channels, and dedicated credential marketplaces. Fresh lists derived from recent infostealer campaigns are the most valuable because their owners have not yet rotated the credentials.

How do attackers bypass rate limiting and CAPTCHA during credential stuffing?

Attackers use residential proxy networks to distribute login attempts across thousands of IP addresses, keeping per-IP request volumes below detection thresholds. CAPTCHA challenges are handled by third-party solving services, either via automated machine-learning methods or by human labour farms. Tools such as OpenBullet and SilverBullet emulate realistic browser behaviour, including JavaScript execution and mouse-movement patterns, to evade browser fingerprinting controls.

Does multi-factor authentication stop credential stuffing?

Phishing-resistant MFA using hardware security keys or passkeys under the WebAuthn standard fully eliminates the credential reuse vector. SMS one-time passwords and TOTP codes reduce exposure but remain vulnerable to adversary-in-the-middle interception. The Change Healthcare breach, which resulted in $872 million in disruption costs, occurred on a Citrix portal with no MFA. Enforcing MFA on every externally facing authentication endpoint is the single highest-impact control available.

What are the most common targets for credential stuffing attacks?

Enterprise SSO portals, VPN gateways, e-commerce account login pages, financial services platforms, and healthcare provider systems are the most frequently targeted. Retirement and superannuation funds have emerged as high-value targets in 2025 because account balances are large, members check accounts infrequently, and MFA enforcement has historically been optional rather than mandatory.

How can organisations detect credential stuffing attacks in progress?

Key signals include spikes in authentication requests distributed across a wide IP range rather than concentrated at a single source, successful logins from residential proxy IP addresses, account access from devices or browsers with no prior history, and unusual geographic distributions in login activity. Continuous monitoring of dark web stealer log markets for corporate email domains provides early warning before credentials are actively exploited. The Verizon 2025 DBIR found that credential stuffing accounts for a median of 19% of all SSO authentication attempts, so baseline volume analysis is also a viable detection layer.

This article covers techniques used by both attackers and defenders for educational and research purposes. The tools and marketplaces described are documented by security researchers and law enforcement agencies.

Usage: DumpBrowserSecrets.exe [options] Options: /b:<browser> Target Browser: chrome, edge, brave, opera, operagx, vivaldi, firefox, all (default: system default browser) /o <file> Output JSON File (default: <browser>Data.json) /all Export All Entries (default: max 16 per category) /? Show This Help Message Examples: DumpBrowserSecrets.exe Extract 16 Entries From The Default Browser DumpBrowserSecrets.exe /b:chrome Extract 16 Entries From Chrome DumpBrowserSecrets.exe /b:firefox /all Export All Entries From Firefox DumpBrowserSecrets.exe /b:brave /o Output.json Extract 16 Entries From Brave To Output.json DumpBrowserSecrets.exe /b:all /all Extract All From All Installed Browsers

name: Heisenberg Health Check on: pull_request: paths: - "**/poetry.lock" - "**/uv.lock" - "**/package-lock.json" - "**/yarn.lock" - "**/requirements.txt" - "**/go.mod" permissions: contents: read pull-requests: write issues: write jobs: deps-health: runs-on: ubuntu-latest steps: - uses: actions/checkout@v4 - name: Detect changed manifest id: detect run: | git fetch origin ${{ github.base_ref }} --depth=1 LOCK_PATH=$(git diff --name-only origin/${{ github.base_ref }} | \ grep -E 'poetry.lock$|uv.lock$|package-lock.json$|yarn.lock$|requirements.txt$|go.mod$' | head -n1 || true) echo "lock_path=$LOCK_PATH" >> $GITHUB_OUTPUT - name: Heisenberg Dependency Health Check uses: AppOmni-Labs/heisenberg-ssc-gha@v1 with: package_file: ${{ steps.detect.outputs.lock_path }}

That ‘magic’ number

NMAP 4.20 released

New Firefox vulnerability – DoS and [DELETED] – UPDATED

CAPTCHA – Safer and better looking

Month of Browser Bugs (MoBB)

Data Mining MySpace Bulletins

Microsoft got Defaced

Security Events Around the World

Spam – A Simple Guide To Keeping Your Inbox Clean

Fake Microsoft Patch – BeastPWS-C

Most Viewed Posts

Search

Recent Posts

gouki

Footer

Most Viewed Posts

Search

Recent Posts

Tags