What happens to our usernames and passwords after they’ve been stolen? To answer that question, researchers at Bitglass created a fake digital identity for the employee of a fictitious bank. They went as far as to create a fake website for the bank and a Google Drive account containing personal and business documents for the user. The documents in the Google Drive account contained additional personal and business information including credit card numbers. All of the documents and accounts were monitored so that all unlawful attempts to access them could be tracked. Then they released this “hacked” Google Drive username and password to the dark web, portions of the internet which require specific software or authorization to access, typically the Tor browser.

Within 30 days of the credentials having been leaked, over 1400 people had viewed them and 1 in 10 had attempted to log into the user’s bank account on the decoy bank site. The researchers note that “The hackers tried everything from changing the fake user’s passwords, using third-party software to crawl through his Google Drive account, and downloaded everything from fake documents containing sensitive information to those containing lunch menus.” Editor's note: we consider the lunch menu to be sensitive information as well, food allergies and all. 

To imitate a real life hacking or phishing attack, the fake bank employee was a little bit lazy and used the password from his Google account on myriad other social media websites. As noted in the report, “Once hackers successfully accessed the employee’s Google Drive using the leaked credentials, we discovered that most attempted to use those same credentials elsewhere.” More than one third of those who logged into the fake user’s Google Drive account using the leaked credentials successfully accessed the victim’s personal banking and social media accounts. 

The study seemingly turns the tables on hackers who invade user privacy by tracking their movements. It’s not surprising that those who used the leaked credentials to access the fake victim’s Google Drive account targeted credit card data and bank customer information, as well as anything else pertaining to sensitive financial matters. Though no transactions were conducted on the real credit card numbers in the days following the leak, the credit card numbers will likely be used or sold in the near future. Visitors to the fake bank site came from over 30 different countries across six continents, though 68% of them masked their location using the Tor browser.