Blackfish

Blackfish, or orcas, have remained one of nature's apex predators by hunting in packs.
Join the Blackfish network as we track down and eliminate stolen credentials.

Problem: Your users recycle passwords

Solution: Blackfish

The average person uses the same password across four different accounts. So even if your organization hasn’t been breached, chances are many of your users’ credentials have been spilled elsewhere.

Now, instead of waiting for attackers to try those breached credentials on your login applications, you can proactively safeguard your users at risk of account takeover. Blackfish alerts your company in real-time if and when criminals actively use your customers’ or employees’ credentials elsewhere on the web.

Credentials spilled on the dark web are stale

Why are credentials on dark web marketplaces sold for mere pennies? Because criminals have already made plenty of money off of them. Criminals weaponize credentials first, and sell them last.

When criminals first steal brand new usernames and passwords, they use the credentials against the largest web and mobile apps in the world. It usually takes 6-12 months, or longer, for stolen credentials to end up on the dark web.

Blackfish learns when stolen credentials are first used

When a criminal commits a credential stuffing attack on any Shape customer, Blackfish captures the usernames and passwords that are being used and marks them as compromised. Blackfish then immediately alerts any customers for which those credentials are valid.

Shape sees over 30M credential stuffing attacks per day and protects over 100M real human logins per day. In other words, Blackfish knows which credentials have been stolen even before criminals begin trading them on the dark web.

Blackfish Solution Overview

A collective defense against criminal networks

An entire criminal ecosystem has emerged to enable information sharing and allow attackers to operate at scale. Now the security and fraud industry can fight back.

The world’s highest-value organizations, i.e., the world’s most-targeted organizations, are already part of the Shape network, so Blackfish has the power to identify criminals' very first attempts to weaponize credentials. The more organizations that use Blackfish, the sooner we can all cure the account takeover epidemic.

4 of the Top 10
US Banks
2 of the Top 10
US Retailers
2 of the Top 5
Global Hotels
3 of the Top 5
Global Airlines

Blackfish doesn’t store passwords

The security of the Blackfish system itself was the most important design consideration. Shape’s patented design uses a Bloom filter, enabling Blackfish to perform lookups of your user’s credentials without maintaining a database of compromised passwords.

Try Blackfish for Free

Eligible organizations are invited to try Blackfish and experience the power of a collective defense.

 

Blackfish in the News

Shape’s Blackfish could stop password thieves cold

November 8, 2017 / Seth Rosenblatt, The Parallax

“The economy of the Internet as a whole is suffering so that we can learn which passwords have been stolen. Because Blackfish can see all automated log-ins in real time, [it] can capture compromised usernames and passwords,” Sarah Squire says, “instead of buying them.”

Credential-stuffing defence tech aims to defuse password leaks

November 8, 2017 / John Leyden, The Register

“Credential stuffing only works because many users still use the same login details on multiple sites. This is a serious security risk that's only getting worse as the volume of data breaches rises.”

Shape Security introduces tool to blunt impact of stolen password caches

November 7, 2017 / Ron Miller, TechCrunch

“Today, the company released Blackfish, a product that could help blunt the impact of stolen password caches from massive breaches like Yahoo (the mother of all breaches), Adobe and Home Depot to name but a few examples.”

This 'pre-crime' AI bot network detects a hack before it's discovered

November 7, 2017 / Yahoo Finance

“Shape Security today launched Blackfish, the first system that can autonomously identify stolen passwords before the original data breach is reported or even detected.”

Bloomberg Markets: Ghosemajumder on Protecting Apps

November 7, 2017 / Carol Massar and Cory Johnson, Bloomberg Podcast

“GUEST: Shuman Ghosemajumder Chief Technology Officer Shape Security Discussing the launch of Blackfish, the first system that can autonomously identify stolen passwords before the original data breach is reported or even detected.”

 

2017 CREDENTIAL SPILL REPORT   DOWNLOAD