The average person uses the same password across four different accounts. So even if your organization hasn’t been breached, chances are many of your users’ credentials have been spilled elsewhere.
Now, instead of waiting for attackers to try those breached credentials on your login applications, you can proactively safeguard your users at risk of account takeover. Blackfish alerts your company in real time if and when criminals actively use your customers’ or employees’ credentials elsewhere on the web.
Why are credentials on dark web marketplaces sold for mere pennies? Because criminals have already made plenty of money off of them. Criminals weaponize credentials first, and sell them last.
When criminals first steal brand new usernames and passwords, they use the credentials against the largest web and mobile apps in the world. It usually takes 6-12 months, or longer, for stolen credentials to end up on the dark web.
When a criminal commits a credential stuffing attack on any Shape customer, Blackfish captures the usernames and passwords that are being used and marks them as compromised. Blackfish then immediately alerts any customers for which those credentials are valid.
Shape sees over 30M credential stuffing attacks per day and protects over 100M real human logins per day. In other words, Blackfish knows which credentials have been stolen even before criminals begin trading them on the dark web.
An entire criminal ecosystem has emerged to enable information sharing and allow attackers to operate at scale. Now the security and fraud industry can fight back.
The world’s highest-value organizations, i.e., the world’s most-targeted organizations, are already part of the Shape network, so Blackfish has the power to identify criminals' very first attempts to weaponize credentials. The more organizations that use Blackfish, the sooner we can all cure the account takeover epidemic.
The security of the Blackfish system itself was the most important design consideration. Shape’s patented design uses a Bloom filter, enabling Blackfish to perform lookups of your users’ credentials without maintaining a database of compromised passwords.
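To make the Bloom filter point concrete, here is an added illustration (a generic Bloom filter, not Shape's patented design or code; the class name, sizing, SHA-256 hashing and sample credentials are all assumptions). It shows membership lookups on credential pairs while the only stored state is a bit array:

```python
import hashlib
import math

class CredentialBloomFilter:
    """Set-membership filter over credential pairs; stores bits only."""

    def __init__(self, capacity, fp_rate):
        # Standard sizing: m = -n ln p / (ln 2)^2 bits, k = (m/n) ln 2 hashes
        self.m = math.ceil(-capacity * math.log(fp_rate) / math.log(2) ** 2)
        self.k = max(1, round(self.m / capacity * math.log(2)))
        self.bits = bytearray((self.m + 7) // 8)

    def _positions(self, username, password):
        # Normalise the username, then derive k bit indexes by double
        # hashing (Kirsch-Mitzenmacher) from one SHA-256 digest.
        # Assumption: a real deployment would likely use a keyed hash.
        msg = username.strip().lower().encode() + b"\x00" + password.encode()
        digest = hashlib.sha256(msg).digest()
        h1 = int.from_bytes(digest[:16], "big")
        h2 = int.from_bytes(digest[16:], "big") | 1
        return [(h1 + i * h2) % self.m for i in range(self.k)]

    def add(self, username, password):
        for pos in self._positions(username, password):
            self.bits[pos // 8] |= 1 << (pos % 8)

    def might_contain(self, username, password):
        # False: definitely never added. True: added, or a false positive.
        return all(self.bits[pos // 8] >> (pos % 8) & 1
                   for pos in self._positions(username, password))

def measured_fp_rate(bf, trials):
    """Fraction of never-added pairs that the filter wrongly reports."""
    hits = sum(bf.might_contain(f"absent{i}@example.test", f"pw-{i}")
               for i in range(trials))
    return hits / trials

# Constructed sample data standing in for pairs seen in automated logins.
OBSERVED = [(f"user{i}@example.test", f"Passw0rd-{i}") for i in range(1000)]

bf = CredentialBloomFilter(capacity=1000, fp_rate=0.01)
for user, pw in OBSERVED:
    bf.add(user, pw)

if __name__ == "__main__":
    print("bits:", bf.m, "hashes:", bf.k, "bytes stored:", len(bf.bits))
    print("known pair:", bf.might_contain("User7@example.test", "Passw0rd-7"))
    print("measured false-positive rate:", measured_fp_rate(bf, 20000))
```

A `False` answer is definitive, while a `True` answer can be a false positive at roughly the configured rate, so a hit is best treated as a signal for a password reset or step-up check rather than as proof of compromise.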
“The economy of the Internet as a whole is suffering so that we can learn which passwords have been stolen. Because Blackfish can see all automated log-ins in real time, [it] can capture compromised usernames and passwords,” Sarah Squire says, “instead of buying them.”
“Credential stuffing only works because many users still use the same login details on multiple sites. This is a serious security risk that's only getting worse as the volume of data breaches rises.”
“Today, the company released Blackfish, a product that could help blunt the impact of stolen password caches from massive breaches like Yahoo (the mother of all breaches), Adobe and Home Depot to name but a few examples.”
“Shape Security today launched Blackfish, the first system that can autonomously identify stolen passwords before the original data breach is reported or even detected.”
“GUEST: Shuman Ghosemajumder, Chief Technology Officer, Shape Security. Discussing the launch of Blackfish, the first system that can autonomously identify stolen passwords before the original data breach is reported or even detected.”