Date: Thu, 1 Nov 2012 09:39:49 -0500
From: Grandma Eubanks <tborland1@...il.com>
To: ramo@...dvikings.com
Cc: full-disclosure@...ts.grok.org.uk
Subject: Re: [OT] How much a million facebook passwords would cost?

You guys are discussing something different than the original question. The
original question asked for a million username/passwords, not a million
valid email addresses.

Let's say we get across the verification stage and we find these are valid
usernames/passwords at the time and there are no issues with logging in from
a different IP or someone found a way around that (mobile). What could we
do with a million valid logins?

We could check all of the users for duplicate passwords on other sites.
Most especially hoping for email duplicates. Then attack accounts with
valid card credentials and no more verification than a password like Amazon.
We can crawl it for business accounts or business users we'd like to attack.
->Business accounts for attacking the company's name
->Individual users for attempting to bait them into a better spear phish by
abusing their friends
We could use it for massive profile spamming by having them post a link
somewhere.
We could use it for a drive-by campaign by using the same as above, but
linking to our own malicious site.
We can download their entire Facebook lives at the click of a button
including private messages, private files, etc.
Paparazzi asses can use it to attempt to find celebrities and print out
their entire lives to the world. Private photo leaks and all that.
Or just drive-by campaign again using celebrity posts about female private
nude pictures available at, free music available at, free movie x available
at, etc.

In fact, a better way to sell it would be to find businesses or high rated
people so you can say dump includes:
x business with 2k friends
y celebrity with 10k friends
z musician with 3k friends

Instead of just a million individual regular users, that would get more
traction on the sales end. All in all, I think it would be best to sell it
in bulk or searchable deals. Have an interface search to see if a name is
available in the dump then offer individual prices. Or list out the
accounts with the most friends. $5 for a regular individual and then have
quantifiers for friends of celebrity, business, musician, etc. accounts.
$50 * k, where k is the thousands of followers. Then offer bulk rates at
10k regular individuals each for $300-$500. The more you do your own
research on what you have, the more profit you could make out of it.

On Wed, Oct 31, 2012 at 10:23 PM, <ramo@...dvikings.com> wrote:

> Not a whole lot it would seem...
>
>
> http://www.forbes.com/sites/andygreenberg/2012/10/25/facebook-investigating-how-bulgarian-man-bought-1-1-million-users-email-addresses-for-five-dollars/
>
> Ramo
>
> On Thu, Nov 01, 2012 at 12:37:13AM +0530, Memory Vandal wrote:
> > You buying or selling?
> >
> > MemoryVandal
> >
> >
> > On Wed, Oct 31, 2012 at 10:03 PM, Georgi Guninski <guninski@...inski.com>
> wrote:
> > > We are discussing this question:
> > >
> > > How much a million facebook passwords + lusernames would cost?
> > >
> > >
> > > _______________________________________________
> > > Full-Disclosure - We believe in it.
> > > Charter: http://lists.grok.org.uk/full-disclosure-charter.html
> > > Hosted and sponsored by Secunia - http://secunia.com/
> >
>
>
>


