Slashdot Mirror

← Back to Stories (view on slashdot.org)

What Happens When Google Doc Credentials Are Leaked On the Dark Web? (csoonline.com)

Posted by timothy on from the nothin'-good dept.

itwbennett writes: It only takes one day of online credentials being available on the Dark Web before login attempts will start, according to security company Bitglass, which set up a simulation using fake credentials for a Google Drive account, complete with real credit card details, fake corporate data and personal data, according to Bitglass' report. Bitglass said there were three attempted logins to Google Drive in the first day and five attempted logins to the fake bank site. Within two days, files were downloaded from the Google Drive account.

27 comments

  1. Your point? by jason777 · · Score: 3, Informative

    So? Then dont leak personal details. Why wouldnt you expect people to try it?

    1. Re:Your point? by Cryacin · · Score: 1

      But, it's the DARK WEBS man. That always strikes fear into the hearts of the uninitiated.

      --
      Science advances one funeral at a time- Max Planck
    2. Re:Your point? by Anonymous Coward · · Score: 0

      So? Then dont leak personal details. Why wouldnt you expect people to try it?

      No no no no, it's pretty clear that the point is Don't leak GOOGLE DOCS credentials on the Dark Web... 'cause you know... people may want to check it out.

    3. Re:Your point? by malditaenvidia · · Score: 1

      Imagine having a website on the internet that is NOT listed by search engines by means of an arcane file called robots.txt! Too damn spooky.

  2. Bored Teenager Finds Car Keys. Goes For Drive. by zenlessyank · · Score: 1

    So you are saying that folks that are criminals who specialize in ID fraud will use an ID that isn't their for nefarious deeds? I guess you will tell us soon that blind people don't need lights in their house or paralyzed folks don't climb mountains.

  3. the same thing that happens with all Google info by turkeydance · · Score: 1

    and MS and Facebook and

  4. Scareware! by s.petry · · Score: 1

    The Bitglass article want's a sign up, no thanks. The CSO article will have to suffice.

    They gave credentials away, then make it sound like 3-5 attempts to login or see something was a big deal, with exposed credentials.

    The tracking document is interesting, but outside of that no big deal. I'd have to see what they were able to track to have more than passing interest. I would probably be disappointed though, which is why details were not present for that bit.

    --

    -The wise argue that there are few absolutes, the fool argues that there are no probabilities.

    1. Re:Scareware! by Anonymous Coward · · Score: 0

      Want is? Want was? Something belongs to the want? Why did you use an apostrophe for wants, but not thanks? Or credentials?

    2. Re:Scareware! by SQLGuru · · Score: 1

      They want you to sign up because they need more credentials to leak on the DARK NET.

  5. Are you seriously suggesting by Maritz · · Score: 2

    That if you post your login and password to Google Drive on the dark web/Tor hidden services, people will try to login to your shit? I don't fucking believe it.

    --
    I do not want your cheap brainburning drugs. They are useless for work. And I am a working man today.
  6. Re: the same thing that happens with all Google in by Anonymous Coward · · Score: 0

    Microsoft makes it unpleasant even for legitimate users who have a new laptop or go on vacation and try to login from there. Every time I have them email me a code to my gmail address which never asks questions

  7. I don't get the siginificance by gatfirls · · Score: 4, Interesting

    It seems to me like a local news story where they leave a bike to be stolen in an area that is known for it and acting like it's news that people...try to steal the bike.

    Seems like it would be more interesting if they made some sort of honeypot with something they would want like a CC list or something that has a good password and see if/when people get in without social engineering etc.

  8. The real news here by Lab+Rat+Jason · · Score: 1

    ... is that _only_ 5-6 people tried to access it... basically you created a honey pot that teased out the script kiddies, while the professionals saw it and thought "no way this is legit."

    --
    Which has more power: the hammer, or the anvil?
    1. Re:The real news here by Anonymous Coward · · Score: 0

      The professionals probably assumed the account would have 2-factor turned on so that the credentials are not very useful. You'd need to get access to the person's phone / authenticator application in order to make use of an ID / password. People with just ID / password access to Google Drive, OneDrive, iCloud, etc. shouldn't have anything important on them.

  9. HOLY CRAP! by Lumpy · · Score: 1

    So using the dark web as my storage place for personal things like logins is not a good idea? WHY DID NOBODY TELL ME!

    Tomorrow on Slashdot, Experiments shows that humans can not breathe under water, and electrical outlets have electricity in them.

    --
    Do not look at laser with remaining good eye.
    1. Re:HOLY CRAP! by belthize · · Score: 1

      Technically the experiments only show that a subset of the population can't breath under water under some circumstances. I suspect more research is needed.

    2. Re:HOLY CRAP! by Trax3001BBS · · Score: 1

      So using the dark web as my storage place for personal things like logins is not a good idea? WHY DID NOBODY TELL ME!

      Not the Dark Web but a cloud which is no-brainer.

    3. Re:HOLY CRAP! by Anonymous Coward · · Score: 0

      So using the dark web as my storage place for personal things like logins is not a good idea?

      Well, yes. Why would you want that information listed by search engines? I think we're a bit confused about the "dark web" concept here.

  10. more interesting if & when owners were informe by sittingnut · · Score: 1

    what is the story here? there is no interesting story if finders use content of a purse with id, credit cards, and money, left unattended in a public place(esp in a unsavory place),
    much more interesting story would be if anyone informed the account owners about the information leak and when(similar to finders returning the purse unused)

  11. Tor or not? by Shadow+IT+Ninja · · Score: 1

    TFA says "...68 percent of those who accessed the Google Drive account used Tor. Still, that leaves more than a third who didn't take any protections to mask their real IP address..."

    So does this really mean that the other 32% didn't mask their IP address at all or did they use some other method besides Tor?

    1. Re:Tor or not? by tnk1 · · Score: 1

      The other third were kiddies, or they were taking other means than TOR to protect themselves.

      In fact, I'd almost be more worried about the people who didn't use TOR, because TOR itself is probably not trusted by the best people. You'll trace some of the non TOR logins back and find some grandmother who has had her PC thoroughly hacked and under the remote control of someone else using a "proprietary" channel.

  12. What Happens When Google Doc Credentials Are Leake by Mantrid42 · · Score: 1

    Exactly what you'd expect?

  13. Google already lets you protect yourself by Solandri · · Score: 2

    Just enable 2-factor authentication on your Gmail/Google account. (Note: I linked to Authy because I recommend it over Google Authenticator. Authy requires you to enter a passcode or password to view an authentication code. Authenticator will just spit out the authentication code if you're in possession of the account owner's device. Kinda defeats the purpose if you're trying to protect yourself if your phone should be stolen.)

  14. No need to log-in to BitGlas for Report by Trax3001BBS · · Score: 1

    BitGlass industry http://pages.bitglass.com/Proj...
    For full report which is a youtube video scroll down to resources http://www.bitglass.com/resour...

    1. Re:No need to log-in to BitGlas for Report by Trax3001BBS · · Score: 1

      BitGlass industry http://pages.bitglass.com/Proj...
      For full report which is a youtube video scroll down to resources http://www.bitglass.com/resour...

      Log-in anyhow? Share your account http://bugmenot.com/

  15. Downloaded with fake credentials? by Anonymous Coward · · Score: 0

    TFS says: using fake credentials for a Google Drive account ... Within two days, files were downloaded from the Google Drive account.

    Are they suggesting the account was hacked?

  16. unimpressive. by Anonymous Coward · · Score: 0

    very few early login attempts, and two days to start downloading files? i expected more out of hackers, this amount of laziness is simply unacceptable.

    not nearly the same as the good ol' days when you could hook up an unpatched 2000 or xp box directly to the internet and get pwn'd *in minutes*