Blackfish is an artificial intelligence system to identify passwords stolen from data breaches that have not yet been discovered or disclosed, and whose data is not on the dark web.
More than 3.3 billion credentials were reported stolen last year. The problem is so severe that NIST issued guidelines recommending that companies examine stolen password breach corpuses in order to ensure that their users were not using those passwords. In response, many companies have started engaging in dark web research in order to acquire stolen passwords and protect their users against them. Unfortunately, it can be months or years after a breach before stolen credentials are posted on the dark web, and a great deal of stolen data never shows up there at all. So darknet-sourced lists of stolen passwords are just not very valuable in protecting accounts against sophisticated attackers.
Instead of relying on stolen credentials to someday appear on the dark web, Blackfish identifies freshly stolen credentials by observing where sophisticated cybercriminals use them. Blackfish builds on Shape’s machine learning platform, which autonomously detects credential stuffing attacks. As one of the largest processors of login traffic in the world, Shape protects the logins to the most valuable accounts that cybercriminals target with credential stuffing attacks, including the top banks, airlines, and retailers. Blackfish AI sensors are able to identify the usernames and passwords that are used in those attacks and then invalidate those credentials across our customer network.
The security of the Blackfish system itself was our most important design consideration. Blackfish’s patent-pending architecture incorporates multiple layers of encryption and access control, but the most important security feature is the ability to compare usernames and passwords against a list of known compromised credentials without ever storing the usernames and passwords themselves. This is accomplished with Bloom filters, probabilistic data structures that allow Blackfish to perform lookups without ever maintaining a table of passwords.
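The lookup-without-storage property described above can be seen in a small Bloom filter over username/password pairs. This is an added example, not Shape's code or the Blackfish design: the class name, the HMAC key, the username normalization and the sizing parameters are all assumptions made for illustration.

```python
import hashlib
import hmac
import math


class CredentialBloom:
    """Bloom filter over (username, password) pairs; stores bits only."""

    def __init__(self, capacity: int, fp_rate: float, key: bytes):
        # Standard sizing: m = -n*ln(p)/(ln 2)^2 bits, k = (m/n)*ln 2 hashes.
        self.m = math.ceil(-capacity * math.log(fp_rate) / math.log(2) ** 2)
        self.k = max(1, round(self.m / capacity * math.log(2)))
        self.bits = bytearray((self.m + 7) // 8)
        self.key = key  # assumption: secret HMAC key held by the service

    def _positions(self, username: str, password: str):
        # Length-prefix the username so ("ab", "c") != ("a", "bc").
        user = username.strip().lower().encode()  # assumed normalization
        msg = len(user).to_bytes(4, "big") + user + password.encode()
        digest = hmac.new(self.key, msg, hashlib.sha256).digest()
        # Double hashing: derive k indexes from two 128-bit halves.
        h1 = int.from_bytes(digest[:16], "big")
        h2 = int.from_bytes(digest[16:], "big") | 1
        return [(h1 + i * h2) % self.m for i in range(self.k)]

    def add(self, username: str, password: str) -> None:
        for pos in self._positions(username, password):
            self.bits[pos >> 3] |= 1 << (pos & 7)

    def might_contain(self, username: str, password: str) -> bool:
        # False is definitive; True can be a false positive.
        return all(self.bits[pos >> 3] & (1 << (pos & 7))
                   for pos in self._positions(username, password))


def demo():
    # Constructed sample data, not real credentials.
    bloom = CredentialBloom(capacity=1000, fp_rate=0.01, key=b"constructed-demo-key")
    spilled = [(f"user{i}@example.com", f"Passw0rd-{i}") for i in range(1000)]
    for user, pw in spilled:
        bloom.add(user, pw)
    all_found = all(bloom.might_contain(u, p) for u, p in spilled)
    unseen = [(f"other{i}@example.com", f"Unrelated-{i}") for i in range(10000)]
    observed_fp = sum(bloom.might_contain(u, p) for u, p in unseen) / len(unseen)
    return all_found, observed_fp, len(bloom.bits)


if __name__ == "__main__":
    print(demo())
```

A Bloom filter never returns a false negative, so a miss clears the login, while a hit is only probable and the false-positive rate is set by the sizing. Keying the hash means the bit array alone cannot be tested against guessed passwords without the key.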
Blackfish is currently offered as a service for both web and mobile login applications. To connect with a Blackfish solution expert, please use the form below or call +1-650-399-0400:
“The economy of the Internet as a whole is suffering so that we can learn which passwords have been stolen. Because Blackfish can see all automated log-ins in real time, [it] can capture compromised usernames and passwords,” Sarah Squire says, “instead of buying them.”
“Credential stuffing only works because many users still use the same login details on multiple sites. This is a serious security risk that's only getting worse as the volume of data breaches rises.”
“Today, the company released Blackfish, a product that could help blunt the impact of stolen password caches from massive breaches like Yahoo (the mother of all breaches), Adobe and Home Depot to name but a few examples.”
“Shape Security today launched Blackfish, the first system that can autonomously identify stolen passwords before the original data breach is reported or even detected.”
“GUEST: Shuman Ghosemajumder, Chief Technology Officer, Shape Security. Discussing the launch of Blackfish, the first system that can autonomously identify stolen passwords before the original data breach is reported or even detected.”