Hundreds of thousands of millions of credentials have flooded the criminal underground, a precious commodity for hackers that could try to exploit them to hack into users’ account when the owner share the same username and password.
Of course, the activity is time-consuming, hackers need to test login credentials included in a data dump against various services available online.
Now this activity can be sped up by using Shard, a command-line tool that was developed to allow users to test if a password they use for one site is also used on other popular services, including Facebook, LinkedIn, Reddit, Twitter, or Instagram.
Below the list of available modules:
$ java -jar shard-1.3.jar -l Available modules: Facebook LinkedIn Reddit Twitter Instagram GitHub BitBucket Kijiji DigitalOcean Vimeo
The Shard receives a username and password as input then it will attempt to authenticate with multiple sites.
“I used that password as a general password for many services,” he wrote in an e-mail. “It was a pain to remember which sites it was shared and to change them all. I use a password manager now.” Philip O’Keefe, Shard creators, told to Arstechnica.
Obviously, a similar application is a powerful tool in the hackers’ hands. The code of the Shard tool is available on GitHub, it is likely crooks will adapt it to make it works with other services, including financial ones.
We know that the password reuse is a very common bad habit, in the best case users apply simple modifications to a base password to reuse it on several web services. A few modification to the code could allow the Shard to hack the account also in this last scenario.
Let’s think for example to the use of “mypassoword01” on a website and “mypassoword02” on a second website, in this case, a modified version of the tool could easily guess the login credentials.
Potentially the unique limitation of the tool is the number of attempts from a single IP, a limitation that could be easily bypassed if the attacker leverages on a botnet.
Users must adopt different credential for each web service, adopt strong passwords and enable two-factor authentication when available.
(Security Affairs –Shard, passwords)