Finding Leaked Credentials
It's important to find leaked credentials. The easiest way is to search by email address, since an email address tends to be static and unique across multiple websites. Usernames aren't always unique and are changeable: multiple people sometimes want to use the same username, but never the same email address.
FUN FACT
Did you know that 66% of the world's population reuses the same passwords on multiple sites? If they do not reuse them, it's always a similar variant based off of their old password, e.g. Summer2019 -> Summer2020!
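The variant habit above is why a leaked password stays dangerous after the user changes it. As an added example (not from the original page), here is a password-change check that rejects a new password sharing its base word with one already exposed for the account. The function names, the substitution set, the 0.8 threshold and the assumption that the exposed passwords are available in plaintext from a breach notification are all illustrative.

```python
import re
from difflib import SequenceMatcher

# Substitutions undone before comparing (assumed set, not exhaustive):
# 0->o, 1->l, 3->e, 4->a, 5->s, 7->t, @->a, $->s
LEET = str.maketrans("013457@$", "oleastas")


def base_word(password: str) -> str:
    """Reduce a password to the word a user typically keeps between changes."""
    # Drop leading/trailing digits and symbols: years, counters, "!" suffixes.
    core = re.sub(r"^[\W\d_]+|[\W\d_]+$", "", password)
    if not core:  # no letters at all, e.g. "12345678": compare the whole string
        core = password
    return core.lower().translate(LEET)


def is_variant(new: str, leaked: list[str], threshold: float = 0.8) -> bool:
    """True if `new` reuses, or is a near variant of, any leaked password."""
    new_base = base_word(new)
    for old in leaked:
        similarity = SequenceMatcher(None, new_base, base_word(old)).ratio()
        if similarity >= threshold:
            return True
    return False


if __name__ == "__main__":
    # Constructed sample: passwords known to be exposed for one account.
    exposed = ["Summer2019"]
    for candidate in ["Summer2020!", "Summ3r2021#", "correct-horse-battery"]:
        verdict = "reject" if is_variant(candidate, exposed) else "accept"
        print(f"{candidate!r}: {verdict}")
```

Comparing base words rather than full strings is what catches the year bump and the appended symbol; an exact-match history check would accept both.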
Where to begin?
- Begin by scouting out the application
- Note down all the emails and usernames you find on the application
- A good way to test if a username or an email address is registered on an application is through User Enumeration
Once I have the Emails and Users, what then?
Use a service such as Have I Been Pwned (HIBP) to sort the compromised accounts from the non-compromised ones. We are only interested in the compromised accounts! Do note that even if HIBP reports no breach for an account, it could still have been breached.
Where and how do I search for leaked credentials?
There are multiple ways to find leaked credentials, many of which I probably do not know of. Some of them are:
- Credential Scraping Databases - Such as:
  - Leak Check - Paid (Lifetime)
  - SnusBase - Paid (Lifetime)
  - DeHashed - Paid (Monthly)
  - 0t.rocks - Free (DEPRECATED)
  - LeakPeek - Free
  - BreachDirectory - Free
  - IntelX - Free - Better Paid
- Data dump databases or other data dumping websites
- Google Hacking/Dorking
- Database file dumps from forums - like Nulled or RaidForums. Links to these in Source
How do I find credentials with Google Hacking/Dorking?
Let's say you have found [email protected] and his credentials have been leaked in one way or another (e.g. HIBP). You can try to search for the email address within the Pastebin website. A Google dork could look similar to this:
"[email protected]" site:pastebin.com
There might be no hits. Try removing @work-mail.com within the quotes, because the user might use a private email address with the same name. Maybe even remove the quotes, as there may be variations of the target's name within his/her private email address:
"SwaggyMcSwagger" site:pastebin.com
Remember to use CTRL + F to search within a page, as it's not fun searching through thousands of lines.
Other sites that may contain Credentials
https://jsfiddle.net
https://codebeautify.org
https://codepen.io
https://pastebin.com
Change example to the target website, e.g. google[.]com, to find any organization email, such as [email protected], which could be compromised!
site:http://jsfiddle.net "example[.]com"
site:http://codebeautify.org "example[.]com"
site:http://codepen.io "example[.]com"
site:http://pastebin.com "example[.]com"