On the privacy impacts of publicly leaked password databases

Hackers regularly steal data sets containing user identifiers and passwords, and these data sets often become publicly available. The most prominent and important leaks used weak password protection mechanisms, e.g. unsalted password hashes, despite long-standing recommendations to the contrary. The accumulation of leaked password data sets allows the research community to study password strength estimation and password breaking, and to conduct usability and usage studies. The impact of these leaks on privacy, however, has not been studied. In this paper, we consider attackers trying to break the privacy of users without breaking a single password. We consider attacks revealing that distinct identifiers are in fact used by the same physical person. We evaluate large-scale linkability attacks based on properties of, and relations between, identifiers and password information. With these attacks, stronger passwords lead to better predictions. Using a leaked and publicly available data set containing 130106 encrypted passwords, we show that a privacy attacker is able to build a database containing the multiple identifiers of people, including their secret identifiers. We illustrate potential consequences by showing that a privacy attacker is capable of deanonymizing (potentially embarrassing) secret identifiers by intersecting several leaked password databases.
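To make the linkability risk concrete, the following added example (written for this summary, not code from the paper) shows why unsalted hashes expose the relation the abstract describes: two identifiers that stored the same password produce the same hash, a rare password gives a strong link, a common one only a weak link, and per-record salting removes the signal entirely. The account list and the choice of SHA-1 as the site's hash function are constructed assumptions.

```python
import hashlib
import os
from collections import defaultdict

# Constructed sample standing in for one leaked site's records.
# Plaintexts appear only so the hashes can be built here; a real
# leak would expose the stored hashes, not the passwords.
SAMPLE_ACCOUNTS = [
    ("alice_work", "Tr0ub4dor&3"),
    ("al1ce_private", "Tr0ub4dor&3"),   # same person reusing a rare password
    ("bob", "123456"),
    ("carol", "123456"),                 # a common password shared by strangers
    ("dave", "123456"),
    ("erin", "correct horse battery"),
]

def unsalted_hash(password):
    """Assumed weak scheme: one hash per password, identical for every user."""
    return hashlib.sha1(password.encode()).hexdigest()

def salted_hash(password, salt):
    """Per-record salt: equal passwords no longer yield equal hashes."""
    return hashlib.sha256(salt + password.encode()).hexdigest()

def link_identifiers(records):
    """Group identifiers that share an identical stored hash.

    records: iterable of (identifier, stored_hash).
    Returns {hash: (identifiers, confidence)} for hashes held by two or
    more identifiers. Confidence is 1/(group size): a hash shared by only
    two accounts (a rare, i.e. stronger, password) is strong evidence that
    one person owns both, while a hash shared by many accounts (a common
    password) says little about any pair.
    """
    groups = defaultdict(list)
    for ident, stored in records:
        groups[stored].append(ident)
    return {h: (ids, 1.0 / len(ids)) for h, ids in groups.items() if len(ids) > 1}

def leak_unsalted(accounts):
    """What an attacker sees when the site stored unsalted hashes."""
    return [(ident, unsalted_hash(pw)) for ident, pw in accounts]

def leak_salted(accounts):
    """What an attacker sees when the site stored salted hashes."""
    return [(ident, salted_hash(pw, os.urandom(16))) for ident, pw in accounts]
```

Running `link_identifiers(leak_unsalted(SAMPLE_ACCOUNTS))` links alice_work with al1ce_private at confidence 0.5 and the three "123456" accounts at 1/3, while `link_identifiers(leak_salted(SAMPLE_ACCOUNTS))` finds no links at all.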