An artificial intelligence system to identify compromised credentials

What is Blackfish?

NYSE talks with Shape CTO Shuman Ghosemajumder about Blackfish and Credential Stuffing.

Blackfish is an artificial intelligence system to identify passwords stolen from data breaches that have not yet been discovered or disclosed, and whose data is not on the dark web.

More than 3.3 billion credentials were reported stolen last year. The problem is so severe that NIST issued guidelines recommending that companies examine stolen password breach corpuses in order to ensure that their users were not using those passwords. In response, many companies have started engaging in dark web research in order to acquire stolen passwords and protect their users against them. Unfortunately, it can be months or years after a breach before stolen credentials are posted on the dark web, and a great deal of stolen data never shows up there at all. So darknet-sourced lists of stolen passwords are just not very valuable in protecting accounts against sophisticated attackers.



What Makes Blackfish Unique?

Instead of relying on stolen credentials to someday appear on the dark web, Blackfish identifies freshly stolen credentials by observing where sophisticated cybercriminals use them. Blackfish builds on Shape’s machine learning platform, which autonomously detects credential stuffing attacks. As one of the largest processors of login traffic in the world, Shape protects the logins to the most valuable accounts that cybercriminals target with credential stuffing attacks, including the top banks, airlines, and retailers. Blackfish AI sensors are able to identify the usernames and passwords that are used in those attacks and then invalidate those credentials across our customer network.


Shape Architecture


How Does Blackfish Operate Securely?

The security of the Blackfish system itself was our most important design consideration. Blackfish’s patent-pending architecture incorporates multiple layers of encryption and access control, but the most important security feature is the ability to compare usernames and passwords against a list of known compromised credentials without ever storing the usernames and passwords themselves. This is accomplished with Bloom filters, probabilistic data structures that allow Blackfish to perform lookups without ever maintaining a table of passwords.
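A sketch of the Bloom-filter lookup described above, added here as an illustration and not Shape's implementation. The page does not say how credentials are hashed, so the keyed HMAC-SHA256, the double-hashing scheme, the username normalisation and every name below (`CredentialBloomFilter`, `probably_compromised`) are assumptions.

```python
import hashlib
import hmac
import math


class CredentialBloomFilter:
    """Set membership for (username, password) pairs that keeps only a bit array."""

    def __init__(self, capacity, fp_rate, key):
        # Standard sizing: m = -n*ln(p)/(ln 2)^2 bits, k = (m/n)*ln 2 hash functions.
        self.m = max(8, math.ceil(-capacity * math.log(fp_rate) / math.log(2) ** 2))
        self.k = max(1, round(self.m / capacity * math.log(2)))
        self.bits = bytearray((self.m + 7) // 8)
        self.key = key  # assumption: a secret key so positions cannot be precomputed

    def _positions(self, username, password):
        # Length-prefix the username so ("ab", "c") and ("a", "bc") hash differently.
        user = username.strip().lower().encode()
        msg = len(user).to_bytes(4, "big") + user + password.encode()
        digest = hmac.new(self.key, msg, hashlib.sha256).digest()
        h1 = int.from_bytes(digest[:8], "big")
        h2 = int.from_bytes(digest[8:16], "big") | 1  # odd step for double hashing
        return [(h1 + i * h2) % self.m for i in range(self.k)]

    def add(self, username, password):
        # Called when a pair is observed in an attack; the pair itself is discarded.
        for pos in self._positions(username, password):
            self.bits[pos >> 3] |= 1 << (pos & 7)

    def probably_compromised(self, username, password):
        # True: possibly in the set (false positives occur at about fp_rate).
        # False: definitely never added.
        return all(self.bits[pos >> 3] & (1 << (pos & 7))
                   for pos in self._positions(username, password))


if __name__ == "__main__":
    # Constructed sample credentials, for illustration only.
    bf = CredentialBloomFilter(capacity=1000, fp_rate=0.001, key=b"constructed-demo-key")
    bf.add("alice@example.com", "Winter2017!")
    print(bf.probably_compromised("Alice@example.com", "Winter2017!"))  # same pair
    print(bf.probably_compromised("alice@example.com", "Spring2018!"))  # never added
    print(len(bf.bits), "bytes stored; plaintext present:",
          b"Winter2017!" in bytes(bf.bits))
```

A positive answer is only probable, so it suits a step such as forcing a password reset rather than an accusation. Anyone holding both the bit array and the key can still test guessed credentials offline, so the filter needs the same access control as any other secret.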

How to Try Blackfish

Blackfish is currently offered as a service for both web and mobile login applications. To connect with a Blackfish solution expert, please use the form below or call +1-650-399-0400:


Blackfish in the News


Shape’s Blackfish could stop password thieves cold

November 8, 2017 / Seth Rosenblatt, The Parallax

“The economy of the Internet as a whole is suffering so that we can learn which passwords have been stolen. Because Blackfish can see all automated log-ins in real time, [it] can capture compromised usernames and passwords,” Sarah Squire says, “instead of buying them.”

Credential-stuffing defence tech aims to defuse password leaks

November 8, 2017 / John Leyden, The Register

“Credential stuffing only works because many users still use the same login details on multiple sites. This is a serious security risk that's only getting worse as the volume of data breaches rises.”

Shape Security introduces tool to blunt impact of stolen password caches

November 7, 2017 / Ron Miller, TechCrunch

“Today, the company released Blackfish, a product that could help blunt the impact of stolen password caches from massive breaches like Yahoo (the mother of all breaches), Adobe and Home Depot to name but a few examples.”

This 'pre-crime' AI bot network detects a hack before it's discovered

November 7, 2017 / Yahoo Finance

“Shape Security today launched Blackfish, the first system that can autonomously identify stolen passwords before the original data breach is reported or even detected.”

Bloomberg Markets: Ghosemajumder on Protecting Apps

November 7, 2017 / Carol Massar and Cory Johnson, Bloomberg Podcast

“GUEST: Shuman Ghosemajumder Chief Technology Officer Shape Security Discussing the launch of Blackfish, the first system that can autonomously identify stolen passwords before the original data breach is reported or even detected.”