Another week, another victim. In this case, the OP had two accounts that were not linked together hacked at the same time. How can this be? The answer is "credential stuffing". I asked hackers how the process works, and to my surprise, they told me.
A significant percentage of the population re-use the same log-in information on multiple online services. So after one service gets hacked (e.g. Yahoo) and the data appears on the dark web, unscrupulous individuals begin sorting through the information looking for paired accounts. This endeavour is aided greatly by the popularity of a computer program [that shall not be identified]. The program reads the plain data and begins to make automated log-in attempts across a range of services, switching IP address after every failed log-in attempt in order to avoid detection. After a period of time has passed the program will have identified active accounts that the user can either share with others for free or monetize for personal gain.
Step 1: The hacker obtains the latest email/password dump
Step 2: With config file and proxy list in hand, the hacker feeds the information into [censored program]
Step 3: Wake up in the morning.... success! A fresh batch of Netflix, Spotify, PayPal and PSN accounts
![4ydlBxz.png](https://i.imgur.com/4ydlBxz.png)
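The IP rotation described above defeats per-IP rate limiting, but it leaves its own signature: a burst of failed logins in which almost every attempt is a different account from a different address. The following is an added example (not from the original post or any tool it mentions) showing how a service could spot that pattern in its own authentication log. The log format, the five-minute window and the thresholds are assumptions; the log lines are constructed.

```python
from collections import defaultdict
from datetime import datetime, timedelta, timezone

# Constructed sample auth log. Assumed format: "<ISO time> <OK|FAIL> <user> <ip>".
# 01:00 window: one user mistypes twice from one address, then logs in (normal).
# 02:00 window: nine accounts tried once each from nine addresses (stuffing).
SAMPLE_LOG = """\
2017-05-01T01:00:05Z FAIL alice@example.com 203.0.113.10
2017-05-01T01:00:09Z FAIL alice@example.com 203.0.113.10
2017-05-01T01:00:15Z OK alice@example.com 203.0.113.10
2017-05-01T01:03:40Z OK bob@example.com 198.51.100.7
2017-05-01T02:00:01Z FAIL carol@example.com 192.0.2.1
2017-05-01T02:00:02Z FAIL dave@example.com 192.0.2.2
2017-05-01T02:00:02Z FAIL erin@example.com 192.0.2.3
2017-05-01T02:00:03Z FAIL frank@example.com 192.0.2.4
2017-05-01T02:00:04Z OK grace@example.com 192.0.2.5
2017-05-01T02:00:04Z FAIL heidi@example.com 192.0.2.6
2017-05-01T02:00:05Z FAIL ivan@example.com 192.0.2.7
2017-05-01T02:00:06Z FAIL judy@example.com 192.0.2.8
2017-05-01T02:00:07Z FAIL mallory@example.com 192.0.2.9
"""

WINDOW = timedelta(minutes=5)


def parse_log(text):
    """Return a list of (timestamp, succeeded, user, ip) tuples."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, outcome, user, ip = line.split()
        when = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
        events.append((when, outcome == "OK", user, ip))
    return events


def window_start(when, window=WINDOW):
    """Floor a timestamp to the start of its fixed-size window."""
    epoch = when.timestamp()
    return datetime.fromtimestamp(epoch - epoch % window.total_seconds(), tz=timezone.utc)


def window_stats(events, window=WINDOW):
    """Per window: how many failures, and how many distinct users/IPs among them."""
    buckets = defaultdict(list)
    for when, ok, user, ip in events:
        if not ok:
            buckets[window_start(when, window)].append((user, ip))
    return {
        start: {
            "failures": len(fails),
            "distinct_users": len({u for u, _ in fails}),
            "distinct_ips": len({ip for _, ip in fails}),
        }
        for start, fails in buckets.items()
    }


def flag_stuffing(stats, min_failures=5, ratio=0.9):
    """Flag windows where failures are numerous and nearly every one is a new
    account from a new IP. A single user fumbling a password (few failures,
    same IP, same account) never trips this."""
    flagged = []
    for start, s in sorted(stats.items()):
        n = s["failures"]
        if n < min_failures:
            continue
        if s["distinct_ips"] / n >= ratio and s["distinct_users"] / n >= ratio:
            flagged.append(start)
    return flagged


def detect(text, window=WINDOW):
    """Return flagged windows (ISO strings) and the accounts that logged in
    successfully during them: candidates for step-up verification or a reset."""
    events = parse_log(text)
    flagged = set(flag_stuffing(window_stats(events, window)))
    hits = sorted({user for when, ok, user, _ in events
                   if ok and window_start(when, window) in flagged})
    return {"windows": [w.isoformat() for w in sorted(flagged)],
            "successful_logins": hits}


if __name__ == "__main__":
    print(detect(SAMPLE_LOG))
```

A successful login inside a flagged window is not proof of compromise (a legitimate user may simply have signed in at that moment), which is why the output is a candidate list for step-up verification or a forced reset rather than an automatic lockout. Thresholds should be tuned against the service's own baseline of failed logins per window.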
Microsoft attempt to get ahead of cyber criminals and defuse the latest password dumps before the information can be monetized. Their security team created an automated system to sort through third-party data. The program looks for matching account emails in their system and, when discovered, it sends password resets to each user, forcing them to pick a new password distinct from the last. They explain this process on their blog:
As a lot of you know, a number of articles were published last week about a Russian hacker offering 272.3 million stolen usernames and passwords... When we discover a new list of usernames and passwords, we run them through an automated system that checks to see if any of the credentials match those in our MSA or Azure AD systems... For this particular list, 9.62% of the usernames matched an account in our systems [and] 1.03% had a matching password... Once we've identified the subset of accounts that are vulnerable, our automated mitigations kick in to protect them.
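The two figures Microsoft quotes (usernames that match an account, and the subset whose leaked password also matches) are what a service can compute for itself once it holds a dump. The following is an added example, not Microsoft's system or any code from the original post, of that matching step against a user store that keeps only salted PBKDF2 hashes. The store, the dump, the `email:password` dump format and the iteration count are constructed assumptions.

```python
import hashlib
import hmac
import secrets


def hash_password(password, salt=None, iterations=50_000):
    """Salted PBKDF2-HMAC-SHA256 record, the form a service should store."""
    salt = salt if salt is not None else secrets.token_bytes(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return {"salt": salt, "iterations": iterations, "digest": digest}


def verify_password(password, record):
    """Constant-time check of a candidate password against a stored record."""
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(),
                                    record["salt"], record["iterations"])
    return hmac.compare_digest(candidate, record["digest"])


# Constructed user store: the service never holds plaintext, only these records.
USER_STORE = {
    "alice@example.com": hash_password("correct horse battery staple"),
    "bob@example.com": hash_password("hunter2"),
    "carol@example.com": hash_password("Tr0ub4dor&3"),
}

# Constructed third-party dump in the email:password form such lists circulate in.
# Bob appears with a different password (reused email, not reused password);
# Dave has no account here at all.
LEAKED_DUMP = """\
alice@example.com:correct horse battery staple
Bob@Example.com:letmein
dave@example.com:hunter2
carol@example.com:Tr0ub4dor&3
"""


def parse_dump(text):
    """Split on the first ':' only, since passwords may themselves contain one."""
    pairs = []
    for line in text.splitlines():
        email, sep, password = line.partition(":")
        if sep and email.strip():
            pairs.append((email.strip().lower(), password))
    return pairs


def match_dump(dump_text, store):
    """Replicate the two ratios a defender reports: how many dumped usernames
    are accounts here, and how many of those still use the dumped password."""
    pairs = parse_dump(dump_text)
    email_matches, password_matches, force_reset = 0, 0, []
    for email, password in pairs:
        record = store.get(email)
        if record is None:
            continue
        email_matches += 1
        if verify_password(password, record):
            password_matches += 1
            force_reset.append(email)
    total = len(pairs)
    return {
        "total": total,
        "email_matches": email_matches,
        "password_matches": password_matches,
        "email_match_pct": round(100 * email_matches / total, 2) if total else 0.0,
        "password_match_pct": round(100 * password_matches / total, 2) if total else 0.0,
        # Accounts whose stored hash verifies the leaked password: reset these.
        "force_reset": sorted(force_reset),
    }


if __name__ == "__main__":
    print(match_dump(LEAKED_DUMP, USER_STORE))
```

Only the password-match set needs the reset Microsoft describes; an email match alone shows the user is in a breach but says nothing about their password here. The plaintext dump should be discarded once the comparison is done, and the new password the user picks should itself be checked against the dump so they cannot simply re-enter the leaked one.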
It's not perfect because it's impossible to keep up with the staggering number of breaches and Xbox Live accounts still get hacked -- just at a less frequent rate. Sony have also increased the rate at which they force password resets, but it's not clear if this is entirely random or in response to specific threats.
I have reported many pastes to Sony in recent months. Some lists had 300+ active PSN accounts up for grabs. In every case, the account information matched an existing entry in haveibeenpwned.com or hacked-emails.com. You can read about my findings here. It's even possible to observe a correlation between the fresh security breaches and pastes. People will often deny that they used the same email and password on other services, perhaps out of embarrassment, but the evidence shows that the number of people who do is considerable.
tl;dr A significant number of people re-use the same log-in credentials across multiple online services, and the technical know-how for identifying them is getting better. When your data is leaked from one website, every other site with the same password is vulnerable.