Social-Engineer Newsletter Vol 06 – Issue 85


Vol 06 Issue 85
October 2016

In This Issue

  • Your Old Password Has Been Sold, So What?
  • Social-Engineer News
  • Upcoming classes


As a member of the newsletter you have the option to OPT-IN for special offers. You can click here to do that.

Check out the schedule of upcoming training on

2016 Schedule

If you want to ensure your spot on the list register now – Classes are filling up fast and early!

Do you like FREE Stuff?

How about the first chapter of ALL OF Chris Hadnagy’s Best Selling Books

If you do, you can register to get the first chapter completely free just go over to to download now!

To contribute your ideas or writing send an email to

Special Thanks and Notices:

If you want to listen to our past podcasts hit up our Podcasts Page and download the latest episodes.

A Special Thanks to:

Ace Hackware for their support in very cool schwag and hacker tools

The EFF for supporting freedom of Speech

Check out Robin Dreeke’s amazing book called “Its Not All About Me” packed with the top 10 techniques to building rapport fast. It is an awesome book!

Thank you to our amazing sponsors of the SEVillage at DEF CON 24

Keep Up With Us

Friend on Facebook Facebook
Follow on Twitter Twitter

Your Old Password Has Been Sold, So What?

Data breaches are a regular occurrence. When we hear reports about one that happened with a social media site, a company, or a product we use, we will quickly change our password to that account.

Reports like these: “Hacker Selling 65 Million Passwords from Tumblr Data Breach”, “Hacker Tries to Sell 427 Million Stolen MySpace Passwords”, “Hackers Selling 117 Million LinkedIn Passwords”, are all too common. So common that some might start to think, “Why should I care, those breaches happened years ago and I’ve already changed my passwords?” or “What use is there for my email address and an old password on the black market? Why should I be concerned if my old information reappears?”

Well, should you be concerned?

First let’s look at what happens after a breach. The hacker will take the stolen data, use it for their own purpose, and then either offer it to others in online black markets for money or post it online for all to see freely. Once sold the buyer will use the stolen data for various nefarious means.

What would they use it for?

When it comes to passwords, watch your online accounts because the attacker might try your stolen password on other sites you use. They’ll check to see if you used the same password on those sites or they might even try it on the same site that was breached, to see if you’ve changed your password.

In addition, the stolen passwords can be added to a hacker’s rainbow table to aid them in their efforts to attack other sites or network system’s password databases. For those that are unfamiliar with what “Rainbow Tables” are, TechTarget ( defines it as “a listing of all possible plaintext permutations of encrypted passwords specific to a given hash algorithm.” In simpler terms, they are vast databases that serve as a digital key for cracking encrypted passwords.

For an email address, watch your inbox. You might get an increase in spam or be targeted with spear phish. You probably will be hearing from relatives that need you to wire them money right away or you might even meet a Nigerian Prince.

When the information is stolen from healthcare providers such as names, birth dates, social security or government IDs and policy numbers, the criminals use these to buy equipment or drugs which they later resell or even to get procedures done. In addition, identity theft is a very lucrative business for the criminal.

Now you’re probably wondering what can be done, how can we protect ourselves?

Some simple measures that we can do to protect ourselves is to not reuse passwords at all. (I know it’s easier to remember passwords if you reuse them, but it’s really not a good practice) When you receive an email from the service you use, asking you to change your password, don’t ignore it, go to the site and change it. NEVER click the link in the email. If the bad guy has your password and they get into your account, whatever information that is in your account they will use in their future attacks.

If you’re going to take anything away from this, it should be this: don’t use the same password on multiple sites and never click a link in the email to reset your password, always go to the website and reset it there. That way if there is a breach and your old password and email is being passed around the black market you won’t be a victim again and you can go back to not worrying about those headlines about information being sold from past breaches.

Stay Secure
Written By: Mike Hadnagy


As part of the newsletter group, you will be the first to receive special offers to services and products by Social-Engineer.Com




Leave A Reply