Hackers use stronger passwords than the government, but they still got doxxed

Security expert and commentator Davey Winder delivers his take on the news that tens of thousands of hackers have themselves been hacked

Hudson Rock, a cybersecurity specialist based in Tel Aviv, has turned the irony meter to 11 with a newly published report that revealed how many hackers have themselves been hacked.

Using its cybercrime intelligence database, consisting of more than 14.5 million computers infected by information-stealing malware, it revealed that 120,000 of those users visited cybercrime forums.

Some 57,000 of the infected machines were linked to the notorious Nulled.to forum, which focuses on cracking and information leaks.

Real hackers or just curious?

The researchers were able to link devices to hacker activity, and to their owners’ “real identities”, courtesy of the amount of data that can be retrieved, oh the irony, by the information-stealing malware itself.

The report states that some of the indicators used were additional emails and usernames, as well as auto-fill data including names, addresses and phone numbers.

Not all of these would necessarily be cybercriminals. After all, security researchers and journalists use such forums (mea culpa) for threat intelligence gathering purposes. In a LinkedIn post, Hudson Rock founder Alon Gal confirmed there would likely be some false positives.

He then added: “But you have a very large amount of small-time hackers who are registered to these cybercrime websites and do many types of blackhat activities, who happened to accidentally have their own computers compromised.”

How the hackers are hacked

Marisa Atkinson, a senior analyst with risk intelligence specialist Flashpoint, says that the prevalence of compromised Nulled users is due to the way they share leaked data, such as data dumps. “Often times, these freely shared links are either just malware, such as stealers, or are backdoored or maliciously modified versions of alleged cracked software.”

You’d hope that both security professionals and journalists would “eat their own dogfood” and be protected against such malware, but the fact that so many cybercriminals aren’t isn’t surprising.

“It is likely a symptom of the fact that through an underground products and services economy, many threat actors are now able to turn to cybercrime without great levels of expertise,” said Tim West, Head of Cyber Threat Intelligence at WithSecure.

“This is particularly true for budding cybercriminals who have not yet developed a full understanding or appreciation of operational security practice, or even have begun to fully operate in a criminal manner.”

One area of operational security practice that these cybercriminals do seem to understand is login credential strength. The Hudson Rock report reveals that, for the most part, “passwords from cybercrime forums are stronger than passwords used for government websites and exhibit fewer very weak passwords than industries like the military”.

What does doxxed mean?

For anyone wondering what I mean by doxxed in the headline, here’s what ChatGPT has to say: “Doxxed is a term that refers to the act of searching for and publishing private or identifying information about someone on the internet, typically with malicious intent. It is often done by hackers and criminals as a form of harassment against people that they don’t like.”

Davey Winder

With four decades of experience, Davey is one of the UK's most respected cybersecurity writers and a contributing editor to PC Pro magazine. He is also a senior contributor at Forbes. You can find him at TechFinitive covering all things cybersecurity.
