After recently reviewing my privacy settings for Microsoft, I noticed something that was both alarming and reassuring.
It is always a good idea to review your privacy settings every year or so when dealing with companies on the internet. You never know if they’ve added something new or changed something without telling you.
I was recently doing this on Microsoft’s account page. Like most big tech companies, they don’t make it easy to see everything on one page, so you have to go hunting around lots of different screens to find what you really want.
I eventually came across this page, and it was initially quite alarming:
I’ve logged in from where? Brazil? I don’t remember that holiday… When I dug a little deeper:
Ooer. In the past few days, login attempts to my account have been made (thankfully all unsuccessfully) from the following locations:
Brazil, China, Egypt, India, Iran, Italy, Malaysia, Mexico, Norway, Russia, Slovenia, Thailand, Vietnam, and Yemen.
What is happening here is likely an attack known as credential stuffing. This is when an attacker tries many combinations of email addresses or usernames and passwords, typically taken from earlier leaks, against a login form.
In this case the attacker is using IMAP, meaning they want to gain access not to my whole account, but just to my emails.
How is your login leaked?
Login credentials refer to anything that is used to log into your account: usually at least a username or email address, and a password.
Your email address is probably already public knowledge. If you use a permutation of your name or username, it’s public. If you’ve ever received a spam email message, it’s public. There is nothing you can do about it now, and that is a fact of life on the web. Once something goes on the internet you can never take it down.
Your password may or may not be public. A password will end up being public knowledge if:
- A service you use does not have sanitary password† storage and gets hacked
- A service you use does not have sanitary password† storage and routinely lets its employees see your password
- It is an easily guessable password like 1234, qwerty, or a common name‡
† Unsanitary password storage can be anything from weak hashing, to a lack of salting, to just storing your password in a plain old text file.
‡ This is not an exhaustive list of what is an easy to guess password. A good rule of thumb is if it did not take you some effort to remember it, then it’s probably easily guessable.
In some cases, if your password is leaked alongside your email address, that tells an attacker everything they need to know to log in to, and successfully hack, your account.
Thankfully, as companies become more aware of secure password storage, the likelihood of credentials being leaked starts to decrease. But please don’t be lulled into a false sense of security. Such hacks of companies you have entrusted your data to still happen far more often than they should.
What does an attacker do with public credentials?
I should state here that credential stuffing is very rarely a targeted attack – in other words it is indiscriminate. The hackers are not out to get you at a personal level. They’re out to get anyone they can. For most people, threat actors only exist to take advantage of weak security. It’s cheap and so offers good returns. The vast majority of people will never be direct victims of targeted hacking by hacker collectives, industrial spies, or foreign nations.*
*And yet people routinely hand over data and control of their lives to Silicon Valley startups all the time, which totally baffles me. Makes you wonder who the real threat is.
If attackers know an email address and a password, they will “stuff” these pairs into login forms. There is no real intent behind any single attempt; it’s just to see if the login succeeds. They might get lucky, they might not, but it is cheap to try.
That’s why you can see so many examples of failed login attempts. But as long as the attempts did not succeed, everything is golden.
Why only go after IMAP?
In the example above, all of the failed attempts have been made on “IMAP”.
IMAP is a protocol used for email. Like HTTP is used for HTML pages, IMAP serves you emails. If an attacker ever did get access, they wouldn’t be able to edit the account information, but they would see the email. But if it doesn’t give full access, then why go after IMAP in the first place?
Well, every email service has the same IMAP interface, so it is far easier to automate stuffing attempts across many services.
Also, I don’t get a 2FA login notification every time I log in to IMAP. Software like the email app on my phone would constantly trigger these notifications, which would make the security unusable. So, it isn’t turned on. This makes it much more likely that an attacker would be able to get in if they had the right credentials. And once they do, they would be able to see any login warning emails and erase them before they get synced to my inboxes.
IMAP would also let an attacker scrape all my contacts. They could then use this info to send spam to my contacts. They could send phishing emails pretending to be me or someone I know, to trick people into clicking on links or downloading bad attachments.
Thanks to my 2FA it would take additional effort to gain access to my account controls to fully take over, but I doubt that is the real aim. It is far more profitable for an attacker to just silently use an email account, hoping they never get noticed. For example: to take over other accounts.
Having email access would allow taking over any social media accounts that used that email address for account recovery. The attacker clicks “reset password”, enters the email address they can now access, and then uses the link in the recovery email. Now the attacker has full control of a social media account. If it has lots of followers, it is a lucrative hub for spreading all manner of nasty content.
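As an added illustration (not code from the original post), here is a small Python detector for the pattern described above: many failed IMAP logins for one account from many different countries in a short window. The log line format, the sample lines and the thresholds are all assumptions constructed for this example.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log (not real data): timestamp, account, protocol, result, country.
SAMPLE_LOG = """\
2024-01-10T08:01:12Z alice@example.com IMAP FAIL BR
2024-01-10T08:03:40Z alice@example.com IMAP FAIL CN
2024-01-10T08:05:02Z alice@example.com IMAP FAIL EG
2024-01-10T08:09:51Z alice@example.com IMAP FAIL IN
2024-01-10T08:14:22Z alice@example.com IMAP FAIL IR
2024-01-10T09:30:00Z alice@example.com WEB OK GB
2024-01-10T12:00:00Z bob@example.com IMAP FAIL GB
2024-01-10T12:00:30Z bob@example.com IMAP FAIL GB
2024-01-10T12:01:00Z bob@example.com IMAP OK GB
"""


def parse_log(text):
    """Parse the assumed whitespace-separated format into tuples."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, account, proto, result, country = line.split()
        events.append((datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"),
                       account, proto, result, country))
    return events


def find_stuffing(events, window=timedelta(hours=1), min_fails=4,
                  min_countries=3, proto="IMAP"):
    """Return {account: sorted countries seen in failures} for every account
    with >= min_fails failed logins on `proto` from >= min_countries distinct
    countries inside a single sliding time window. A typo'd password from one
    place (bob) does not trip this; a distributed stuffing run (alice) does."""
    by_account = defaultdict(list)
    for ts, account, p, result, country in events:
        if p == proto and result == "FAIL":
            by_account[account].append((ts, country))
    flagged = {}
    for account, fails in by_account.items():
        fails.sort()
        start = 0
        for end in range(len(fails)):
            while fails[end][0] - fails[start][0] > window:
                start += 1
            span = fails[start:end + 1]
            if len(span) >= min_fails and len({c for _, c in span}) >= min_countries:
                flagged[account] = sorted({c for _, c in fails})
                break
    return flagged
```

A real log would carry far more fields, but the distinguishing signal is the same: one account, one protocol, many source countries, all failures, in a short span.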
If you want to take extra measures to protect yourself here is some advice:
Unique passwords across your logins. A different password for every login you own means that if one gets leaked, it can’t be used on any of your other accounts. It also means that after a hack you only need to change a single password.
Passwords that differ from every other password anyone has ever used are even better. If someone else happened to have the same password as you, an attacker could try different combinations of email addresses and entries from a dictionary of leaked passwords. Credential stuffing won’t work if your password hasn’t been seen in public before.
Use a password manager to make it easier to remember long, unique, random passwords. I use software called KeePass, but even a plain old physical notebook is better for most people than using poor quality passwords.
Extra Security Options
2-Factor authentication is a must for important accounts that serve as your single point of failure. Non-SMS** based 2FA requires you to have a physical token or device to log in as well as your password. Pick any 2 from something you have, something you are, and something you know.
In case a hacker does make it past the login and wants to gain access to your account controls, 2FA would require an attacker to steal a physical device from you, like a phone. This means attackers from halfway around the world are out of luck.
**SMS based 2FA is not recommended as it can be bypassed if your mobile phone company doesn’t practice good security.
If social media sites let you, turn off the email address shown next to the “recover password” link. A good secure service should always ask you to enter it manually rather than filling it out for you. That increases the work an attacker must do to guess which email address belongs to you.
I praise Microsoft for being transparent enough to present this information. Although initially alarming, it is nice to know that my security has prevented these logins from succeeding.
I also know (from times I’ve been on holiday abroad) that if any attempts do get past the initial password stage, my 2FA blocks them and I also get a notification about a login from a new location, and it is always reassuring to use this as a test for security. Security that isn’t tested is theatre at best.
Microsoft also sends a notification about new logins to my backup email address, just in case an attacker deletes the original from my main inbox.
If you own a Microsoft account and want to review these settings, you can do so at this link: https://account.live.com/Activity. If you don’t trust the hyperlink (fair enough) you can get to it from clicking on your profile icon in a logged in Microsoft page > Account Settings > Security > Review my activity. While you’re there, have a flick through the rest of the settings, particularly the privacy settings, which might reveal a lot more than you would hope.
If anyone else knows of services that offer similar notifications or details hidden away, leave a comment so others can find it. Some digging around shows GitHub offers similar information.
I’ve treated credential stuffing at a very surface level here; if you want a more in-depth write-up, OWASP have produced a very nice document published on GitHub as additional reading.
You made it to the end, hurrah! As a well-done reward for reading, here’s a relaxing picture of a field to aid in your mindfulness: