20.500.12556/RUL-169933 Beyond the leak analyzing the real-world exploitation of stolen credentials using honeypots This study presents one of the most extensive analyses of the lifecycle of leaked authentication credentials to date, bridging the gap between database breaches and real-world cyberattacks. We analyze over 27 billion leaked credentials—nearly 4 billion unique—using a sophisticated data filtering and normalization pipeline to handle breach inconsistencies. Following this analysis, we deploy a distributed sensor network of 39 honeypots running 14 unique services across 9 networks over a one-year-long experiment, capturing one of the most comprehensive authentication datasets in the literature. We analyze leaked credentials, SSH and Telnet session data, and HTTP authentication requests for their composition, characteristics, attack patterns, and occurrence. We comparatively assess whether credentials from leaks surface in real-world attacks. We observe a significant overlap of honeypot logins with common password wordlists (e.g., Nmap, John) and defaultlists (e.g., Piata, Mirai), and limited overlaps between leaked credentials, logins, and dictionaries. We examine generative algorithms (e.g., keywalk patterns, hashcat rules), finding they are widely used by users but not attackers—unless included in wordlists. Our analyses uncover unseen passwords and methods likely designed to detect honeypots, highlighting an adversarial arms race. Our findings offer critical insights into password reuse, mutation, and attacker strategies, with implications for authentication security, attack detection, and digital forensics. cyberattack analysis data breach honeypots leaked credentials service modeling username and password analysis analiza kibernetskih napadov odtekanje podatkov kibernetske vabe modeliranje storitev analiza uporabniških imen in gesel true false true Angleški jezik Slovenski jezik Članek v reviji 2025-06-19 09:46:55 2025-06-19 09:47:02 2025-06-20 04:16:38 0000-00-00 00:00:00 2025 0 0 44 str. issue 12, art. 3676 Vol. 25 Jun.-2 2025 0000-00-00 Zaloznikova Objavljeno apc 0000-00-00 0000-00-00 0000-00-00 007:004.056 1424-8220 10.3390/s25123676 239917315 sensors-25-03676.pdf sensors-25-03676.pdf 1 21E318DB6D06EF6F93EBE29B8FF4296A ce08ee55d9f04dfaa4d8e3587d92cdebc0b8ad115a231f832fc0ad49e9d82b94 24f1843e-4ce0-11f0-b232-0050569b8976 https://repozitorij.uni-lj.si/Dokument.php?lang=slv&id=211741 https://www.mdpi.com/1424-8220/25/12/3676 1 09f9008a-4ce0-11f0-b232-0050569b8976 https://repozitorij.uni-lj.si/Dokument.php?lang=slv&id=211740 Fakulteta za elektrotehniko 0 0 0