There’s something about discounts. They make us feel a certain way and we sure love it. But what if we tell you that the stuff on discount is your credentials?
There you are, trying out the weirdest combination of passwords to avoid getting hacked and here, you’ve no clue about people selling your account credentials for less than a dollar!
How, you wonder? Sit back. Relax. We’ll tell you.
Have you ever come across those ads or forwards where people are willing to sell Netflix, Amazon Prime and other such accounts for way less than the amount you pay for a PUBG Royal pass? (FYI, it costs Rs. 600) Sounds fishy, huh? It did to us too. And since we’re curious that way, we decided to do some snooping.
Back in 2018, while we were looking around the internet for stuff we could amaze ourselves with, we came across a certain project by college students. These guys made automated use of haveibeenpwned.com to check whether their accounts had been hacked. This site uses public data from breaches and lets you know if you’ve been a victim of something you weren’t even aware of.
Go ahead. Try it. We’ll be right here when you’re back.
Now how do hackers go about doing this? Sit back and relax again. We’ve got a lot to tell you.
Once a hacker compromises a website, he uses the data obtained (usernames, email IDs, passwords) to get into accounts on other sites that use the same credentials.
For example, on a fine sunny day you signed up on joker.com using a certain email ID and password. On the same dark night, you created another account on batman.com using the same credentials ’cause let’s be real here – you’re lazy and forgetful.
Let’s assume somebody decided to play God and hack joker.com just for the thrill of it.
Now because joker.com was a vulnerable website and got compromised, ‘somebody’ now possesses all of the data belonging to joker.com, which also includes your credentials. He also got hold of your account at batman.com because you used the same data on that site while creating an account.
And, if you’re naive enough to use the same credentials everywhere, feel free to bid goodbye to your privacy. It’s no less than a virtual apocalypse for you.
What’s a hacker going to do with all of this stolen data? Well, they’re good at this, so they won’t do anything for free, right? They convert all of it into credential dumps and sell them on websites like www.nulled.to. Another place where you can find these credential dumps is our very own Twitter. An API is used to collect data from Pastebin, which is then posted on a page called @dumpmon.
After this, even a noob could hack into your account if he’s equipped with free proxies and automated tools like Netflix checker, Spotify checker, Multi Account Checker (Storm) and our personal favourite – Account Reaper.
These tools send login requests for the accounts in a dump through different proxies and check whether they’re being allowed to successfully log into them. Once let in, the list of these accounts can be exported and converted into specific credential dumps for apps like Instagram or Netflix.
Also, Account Reaper is our favourite because it has a module mechanism. You could use just a single credential that you’ve managed to beg/borrow/steal and check if it is being used for any other accounts. The more the merrier, eh? Based on the dump you have, which could be either usernames or email IDs, you can load specific modules and just one click will get you going! Another amazing feature is its application-specific modules. For instance, if you want to check only for Spotify accounts, you can go ahead and enable the Spotify module on Account Reaper. So if you want to set the mood right with some songs while you’re looking for vulnerable websites, you need not worry anymore. Your ‘free’ Spotify account got your back!
After that, it’s all just good business. People sell accounts they’ve managed to get the credentials of at very cheap rates. You tried so hard and got so far, but in the end it doesn’t even matter how complex your password is or how secure the website is. If you use the same password for multiple websites, you could unintentionally be allowing people to leech onto accounts that you’ve actually paid for. In order to tackle this, some websites use captcha on their login page. Prevention is better than cure, right?
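Captcha is one site-side control; another is spotting the replay of a dump in the login log, where each proxy stays under any per-IP lockout but fails across several different accounts. The sketch below is an added example, not code from the original post: the log format, the thresholds and the name find_stuffing are assumptions, and the log lines are constructed.

```python
from collections import defaultdict
from datetime import datetime, timezone

# Constructed sample login log (not real data): "<ISO time> <source IP> <account> <OK|FAIL>"
SAMPLE_LOG = """\
2024-05-01T10:00:02+00:00 198.51.100.7 alice@example.com FAIL
2024-05-01T10:00:03+00:00 198.51.100.7 bob@example.com FAIL
2024-05-01T10:00:05+00:00 203.0.113.9 carol@example.com FAIL
2024-05-01T10:00:06+00:00 203.0.113.9 dave@example.com OK
2024-05-01T10:00:07+00:00 203.0.113.9 ivan@example.com FAIL
2024-05-01T10:00:08+00:00 192.0.2.44 erin@example.com FAIL
2024-05-01T10:00:09+00:00 192.0.2.44 frank@example.com FAIL
2024-05-01T10:01:10+00:00 192.0.2.200 grace@example.com FAIL
2024-05-01T10:01:30+00:00 192.0.2.200 grace@example.com OK
2024-05-01T10:20:00+00:00 192.0.2.201 heidi@example.com OK
"""

def find_stuffing(log, window_s=300, min_accounts=5, min_failed_per_ip=2):
    """Return one alert per time window that looks like a credential dump being replayed."""
    windows = defaultdict(list)
    for line in log.strip().splitlines():
        ts, ip, user, result = line.split()
        bucket = int(datetime.fromisoformat(ts).timestamp()) // window_s
        windows[bucket].append((ip, user, result == "OK"))
    alerts = []
    for bucket, events in sorted(windows.items()):
        failed = defaultdict(set)  # source IP -> distinct accounts it failed against
        for ip, user, ok in events:
            if not ok:
                failed[ip].add(user)
        # A real user mistypes the password of one account; a checker fails across several.
        bad_ips = {ip for ip, users in failed.items() if len(users) >= min_failed_per_ip}
        targeted = {user for ip, user, _ in events if ip in bad_ips}
        if len(targeted) < min_accounts:
            continue  # too few accounts involved to call it a campaign
        start = datetime.fromtimestamp(bucket * window_s, tz=timezone.utc)
        alerts.append({
            "window_start": start.isoformat(),
            "source_ips": sorted(bad_ips),
            "accounts_targeted": len(targeted),
            # Successful logins from those IPs: reused passwords that worked; force a reset.
            "likely_compromised": sorted({u for ip, u, ok in events if ok and ip in bad_ips}),
        })
    return alerts

if __name__ == "__main__":
    for alert in find_stuffing(SAMPLE_LOG):
        print(alert)
```

In the sample, no single IP fails more than twice, yet the window is flagged because seven accounts are touched by three such sources; the user who mistyped once and then logged in is left alone.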
We all wanted to Netflix and chill. But only some of us are doing it the right way.
Be safe. Virtually too.
Here are some tips from us on how you could avoid all of this –
- If you haven’t already, go to haveibeenpwned.com and check if your accounts have been compromised
- Turn on 2-step verification
- Don’t use the same password everywhere. DO NOT.
- Don’t sign up for every website you visit
- Use a password changing cycle to ensure you’re safe
- Keep reading our posts to be updated about Cyber Security 😉
- Keep an eye out for any public breaches on the websites you have an account on.