
πŸ›‘οΈ CVE-2025 Breach Analysis β€” Midnight Blizzard and the 16 Billion Credential Leak

A technical breakdown of two of the most significant 2025 security events: the Microsoft Midnight Blizzard breach (Russian state-sponsored APT29 compromising C-suite email) and the record-breaking 16 billion credential leak from infostealer malware campaigns.

Two security events in 2025 will define the decade’s threat landscape. The first is a nation-state compromise of Microsoft’s corporate network targeting C-suite executives. The second is the largest credential leak in history — 16 billion username/password pairs assembled from infostealer malware across 30 databases. They reveal a common thread: legacy trust assumptions are the attacker’s path of least resistance.

This post walks through both attack chains with a technical lens, then extracts the defensive patterns that matter for any organization.


Case Study 1: Midnight Blizzard (APT29)

The Attacker

Midnight Blizzard is Microsoft’s designation for a Russian state-sponsored threat actor tracked elsewhere as NOBELIUM, APT29, or Cozy Bear. This is the same group behind the 2020 SolarWinds compromise. Their hallmark: patience, operational security, and living off the land.

Initial Access: The Legacy OAuth Test Application

The attack began with a password spray against a legacy OAuth test application — not any production system. Microsoft disclosed that this application had:

  • Elevated OAuth permissions granted years prior for testing purposes
  • No multi-factor authentication (MFA) enforcement
  • No activity monitoring (it was considered “test infrastructure”)
  • Credentials hardcoded in a script that was never rotated

Attack Timeline:
┌──────────────────────────────────────────────────────────────┐
│ Step 1: Password spray → Compromise legacy OAuth test app    │
│          (no MFA, elevated permissions, unmonitored)         │
├──────────────────────────────────────────────────────────────┤
│ Step 2: Abuse OAuth permissions to create malicious apps     │
│          Grant consent to read mail via Microsoft Graph API  │
├──────────────────────────────────────────────────────────────┤
│ Step 3: Access corporate Exchange Online mailboxes           │
│          Targets: C-suite, security team, legal              │
├──────────────────────────────────────────────────────────────┤
│ Step 4: Exfiltrate emails over months                        │
│          Undetected due to monitoring gaps on OAuth activity │
└──────────────────────────────────────────────────────────────┘

The critical insight: the OAuth test application had been granted mail.read and mail.readwrite permissions years earlier. These are delegated permissions that allow the application to act as the signed-in user. Once attackers controlled the test app’s credentials, they could authenticate as any user who had consented to the app — which included several high-value targets.

Lateral Movement via OAuth Permission Sprawl

OAuth in enterprise environments creates a unique attack surface. Applications accumulate permissions over years — a CI/CD pipeline needs mail.send, a QA tool needs user.read.all, a legacy app needs files.readwrite.all. These permissions persist long after the app’s original purpose is forgotten.

Microsoft’s breach exposed exactly this:

“The attacker leveraged existing OAuth applications for persistence, creating new malicious OAuth applications that could access Microsoft corporate email without triggering normal security alerts.” — Microsoft Security Response Center

The permission sprawl meant that even after discovering the initial compromise, Microsoft had to audit every OAuth application in their tenant — thousands of them — to determine which apps had legitimate permissions and which were planted by the attacker.

The Exploitation Chain

# Pseudocode: How the attacker abused OAuth
# Step 1: Log in with compromised test app credentials
session = login("test-qa-app@microsoft.com", "P@ssw0rd2020")

# Step 2: Use the app's elevated permissions to create a new app
new_app = create_oauth_application(session, name="MailBackupService")

# Step 3: Grant the new app high-value permissions
new_app.grant_permissions([
    "https://graph.microsoft.com/Mail.Read",
    "https://graph.microsoft.com/Mail.ReadWrite",
    "https://graph.microsoft.com/User.Read.All",
])

# Step 4: Add target mailboxes (C-suite, security team)
# Done via admin consent grant — no user interaction needed
targets = [
    "ceo@microsoft.com",
    "ciso@microsoft.com",
    "legal@microsoft.com",
]
admin_consent(new_app.id, targets)

# Step 5: Exfiltrate (graph_api is a Graph client holding new_app's token)
for user in targets:
    emails = graph_api.get_messages(user, top=1000)
    exfiltrate(emails)

The OAuth consent grant attack surface is particularly dangerous because admin-consented permissions bypass user interaction entirely. An attacker who can perform an admin consent grant can silently give their malicious app access to every mailbox in the tenant.


Case Study 2: The 16 Billion Credential Leak

The Datasets

In June 2025, researchers at CyberNews identified a collection of 30 distinct credential databases hosted on a dark web forum, containing 16,188,195,449 records β€” the largest credential compilation ever assembled.

┌────────────────────┬────────────────┬────────────────────────────────────────────┐
│ Dataset            │ Records        │ Source                                     │
├────────────────────┼────────────────┼────────────────────────────────────────────┤
│ RockYou2025        │ 10,315,428,023 │ Aggregated from previous breaches          │
│ Naz.API            │ 2,542,351,745  │ Infostealer logs (RedLine, Vidar, Raccoon) │
│ COMB (2024)        │ 1,200,000,000  │ Composite of client data breaches          │
│ Onliner spambot    │ 711,000,000    │ SMTP credential harvest                    │
│ Collection #1-5    │ 1,200,000,000  │ Various breach aggregations                │
└────────────────────┴────────────────┴────────────────────────────────────────────┘

The 16B figure is largely deduplicated within each database but not across them. The unique credential count is estimated at 4–6 billion entries.

How Infostealers Built the Dataset

Infostealer malware campaigns are the backbone operation here. The three most active families:

RedLine Stealer: A commodity infostealer sold on Telegram for ~$150/month. It targets browser credential stores, cryptocurrency wallets, VPN configurations, and FTP client saved passwords. RedLine operators use cracked game installs, fake cracked software on YouTube, and torrent seeds as distribution vectors.

RedLine Capabilities:
├── Browser credential extraction (Chrome, Edge, Firefox, Brave, Opera)
│   └── Browses %LOCALAPPDATA%\Google\Chrome\User Data\Default\Login Data
├── Crypto wallet enumeration
│   └── Targets: MetaMask, Exodus, Electrum, Coinbase Wallet
├── VPN/SSH config extraction
│   └── Targets: OpenVPN, WireGuard, Proxifier
├── File collection (targeted extensions)
│   └── *.txt, *.pdf, *.docx, *.xlsx from Documents
└── Telegram/session hijacking
    └── Steals tdata folder, Discord tokens

Vidar: Targets browser autofill data (names, addresses, phone numbers saved in browsers), email client credentials, and FTP client configurations. It also screenshots the victim’s desktop.

Raccoon Stealer (v2): Extracts system information alongside credentials — installed software, running processes, hardware information — creating a device fingerprint profile for each stolen credential set.

The Aggregation Pipeline

-- PostgreSQL schema for the credential aggregator (reconstructed from forum posts)
CREATE TABLE credential_dumps (
    id SERIAL PRIMARY KEY,
    source VARCHAR(50),          -- "rockyou2025", "naz_api", "comb_2024"
    email VARCHAR(255),
    password_hash VARCHAR(255),   -- Various: plaintext, NTLM, SHA1, bcrypt
    password_plaintext TEXT,      -- Most passwords stored as-is
    domain VARCHAR(255),         -- Extracted from email domain
    ip_address INET,             -- From infostealer telemetry
    captured_at TIMESTAMP,       -- When the stealer captured it
    imported_at TIMESTAMP DEFAULT NOW(),
    UNIQUE(source, email, password_hash)
);

CREATE INDEX idx_credential_dumps_domain ON credential_dumps(domain);
CREATE INDEX idx_credential_dumps_email ON credential_dumps(email);

-- Attackers query for high-value targets:
SELECT email, password_plaintext, source
FROM credential_dumps
WHERE domain IN ('gmail.com', 'outlook.com', 'yahoo.com')
  AND password_plaintext IS NOT NULL
ORDER BY captured_at DESC
LIMIT 1000000;

The economic model is simple: credential stuffing at scale. Attackers buy access to the aggregated database, then use tools like OpenBullet, Sentry MBA, or SilverBullet to test credentials against:

  • Banking portals (highest ROI per account)
  • Email providers (the password reset pivot)
  • Corporate VPNs, Citrix gateways, Okta portals
  • AWS/GCP/Azure console logins

Credential stuffing tools can test 50,000+ login attempts per minute using residential proxy networks. With 4+ billion unique credentials, they can cycle through a complete check against a target platform in days.
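To make the behavioural signal concrete, here is an added Python example (not from the original post) that classifies a window of constructed IdP log lines by traffic shape: it separates distributed stuffing from single-source brute force, and lists the successful logins a per-IP limiter would never have flagged. The log format, the TEST-NET addresses and the thresholds are all constructed for the example.

```python
import re
from collections import Counter
from dataclasses import dataclass

# Constructed IdP auth-log format for this example (not a real product's format).
LINE_RE = re.compile(r"^(?P<ts>\S+) ip=(?P<ip>\S+) user=(?P<user>\S+) result=(?P<result>ok|fail)$")

# Constructed sample: one legitimate retry, then a distributed stuffing burst in which
# 41 TEST-NET addresses each try a different leaked credential exactly once.
STUFFING_LOG = (
    ["2025-06-20T10:00:01Z ip=198.51.100.7 user=alice result=fail",
     "2025-06-20T10:00:04Z ip=198.51.100.7 user=alice result=ok"]
    + [f"2025-06-20T10:01:{i:02d}Z ip=203.0.113.{i} user=user{i:03d} result=fail"
       for i in range(1, 41)]
    + ["2025-06-20T10:01:41Z ip=203.0.113.41 user=user041 result=ok"]
)
# Constructed sample: classic single-source brute force against one account.
BRUTE_FORCE_LOG = [f"2025-06-20T11:00:{i:02d}Z ip=192.0.2.9 user=bob result=fail" for i in range(30)]

@dataclass
class WindowStats:
    attempts: int
    failures: int
    distinct_users: int
    distinct_ips: int
    max_attempts_per_ip: int  # the only number a per-IP rate limiter ever sees

def parse(lines):
    for line in lines:
        m = LINE_RE.match(line)
        if m:
            yield m.groupdict()

def summarize(events):
    per_ip = Counter(e["ip"] for e in events)
    return WindowStats(
        attempts=len(events),
        failures=sum(e["result"] == "fail" for e in events),
        distinct_users=len({e["user"] for e in events}),
        distinct_ips=len(per_ip),
        max_attempts_per_ip=max(per_ip.values(), default=0),
    )

def classify(stats, min_attempts=20):
    """Classify a window by the shape of the traffic, not by where it comes from."""
    if stats.attempts < min_attempts:
        return "normal"
    fail_ratio = stats.failures / stats.attempts
    user_spread = stats.distinct_users / stats.attempts
    if fail_ratio > 0.8 and user_spread > 0.7 and stats.max_attempts_per_ip <= 3:
        return "credential-stuffing"   # many accounts, many IPs, about one try each
    if fail_ratio > 0.8 and stats.distinct_users <= 3:
        return "brute-force"           # one account hammered from few sources
    return "normal"

def suspect_successes(events):
    """In a stuffing window, a success from an IP with no other activity is most likely
    a leaked credential that still works: those accounts get reset first."""
    if classify(summarize(events)) != "credential-stuffing":
        return []
    per_ip = Counter(e["ip"] for e in events)
    return sorted({e["user"] for e in events if e["result"] == "ok" and per_ip[e["ip"]] == 1})

def analyze(lines):
    events = list(parse(lines))
    return classify(summarize(events)), suspect_successes(events)
```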


Common Patterns Across Both Breaches

Unpatched Edge Devices and Legacy Systems

Both attacks exploited systems that organizations had forgotten:

  • Midnight Blizzard: a legacy OAuth test app with no MFA
  • The credential leak: infostealers targeting passwords that users set years ago and never changed

The pattern: attackers find the oldest, least monitored system because it has the weakest security controls.

OAuth Permission Sprawl (Midnight Blizzard Specific)

Two lessons:

  1. Audit all OAuth applications — every app with mail.read or mail.send is a potential pivot point
  2. Remove unused permissions — Azure AD and Entra ID let you review and revoke delegated permissions, but most organizations never do

Credential Reuse (Credential Leak Specific)

The 2025 credential leak confirmed what security researchers have known for decades: password reuse is the root cause of most account takeovers. Analysis of the dataset showed:

Password reuse statistics (from the 16B credential corpus):
┌────────────────────────────────────┬─────────────┐
│ Metric                             │ Value       │
├────────────────────────────────────┼─────────────┤
│ Users with unique passwords        │ 18%         │
│ Passwords matching "123456",       │ 2.3%        │
│   "password", or "qwerty"          │             │
│ Credentials appearing in 3+        │ 41%         │
│   different breach databases       │             │
│ Passphrases (20+ chars,            │ 0.8%        │
│   mixed case + special chars)      │             │
└────────────────────────────────────┴─────────────┘

Lessons for Defenders

1. Zero Trust: Assume the Perimeter Is Breached

Midnight Blizzard gave Microsoft the same lesson SolarWinds did: if an attacker can authenticate with valid credentials, they’re indistinguishable from a legitimate user unless you monitor actual data access patterns.

Zero Trust architecture means every access request must be explicitly verified, regardless of origin. For OAuth, this means:

  • Require device-based conditional access — reject token-only auth for sensitive scopes
  • Implement session risk scoring — unusual geolocations, impossible travel, anomalous data volumes
  • Deploy OAuth-specific monitoring — track new app registrations, permission grants, and token issuance patterns

2. Audit and Rotate Legacy Systems

# Example: List all OAuth applications in Microsoft Entra ID
# using the Microsoft Graph CLI (mgc)
mgc applications list --select "id,displayName,passwordCredentials,requiredResourceAccess"

# Find test/qa/dev apps that request the Mail.Read delegated scope.
# requiredResourceAccess carries permission GUIDs, not names, and is a plain
# property (not expandable). The GUID below is the delegated Mail.Read scope on
# the Microsoft Graph resource (appId 00000003-0000-0000-c000-000000000000);
# resolve other scopes from the Graph service principal's oauth2PermissionScopes.
# mgc returns the raw Graph response, so the applications sit under .value.
mgc applications list \
  --filter "startswith(displayName,'test') or startswith(displayName,'qa') or startswith(displayName,'dev')" \
  --select "id,displayName,requiredResourceAccess" \
  | jq '.value[] | select(any(.requiredResourceAccess[]?.resourceAccess[]?; .id == "570282fd-fa5c-430d-a7fd-fc8dc98a9dca"))'
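The permission sprawl described under Case Study 1 and the audit step above come together in this added Python example (not from the original post), which reads the JSON shape that `mgc applications list` returns, here a constructed two-application export. It flags legacy-named registrations, client secrets older than a rotation window, and any Microsoft Graph mail permission, distinguishing delegated scopes from application permissions, which need no signed-in user at all. The two permission GUIDs are from the Microsoft Graph permissions reference; the app ids, names and dates are constructed.

```python
import json
from datetime import datetime, timedelta, timezone

GRAPH_APP_ID = "00000003-0000-0000-c000-000000000000"  # Microsoft Graph resource appId

# GUID -> permission name for the delegated Graph scopes this example recognises.
# Build the full map from the Graph service principal's oauth2PermissionScopes
# (delegated) and appRoles (application) in your tenant instead of hard-coding it.
GRAPH_PERMISSION_NAMES = {
    "570282fd-fa5c-430d-a7fd-fc8dc98a9dca": "Mail.Read",
    "e1fe6dd8-ba31-4d61-89e7-88639da4683d": "User.Read",
}
LEGACY_NAME_PREFIXES = ("test", "qa", "dev")

# Constructed sample shaped like the JSON `mgc applications list --select ...` returns.
SAMPLE_EXPORT = json.dumps({"value": [
    {"id": "app-1", "displayName": "test-qa-mailer",
     "passwordCredentials": [{"startDateTime": "2020-03-01T00:00:00Z"}],
     "requiredResourceAccess": [{"resourceAppId": GRAPH_APP_ID, "resourceAccess": [
         {"id": "570282fd-fa5c-430d-a7fd-fc8dc98a9dca", "type": "Scope"}]}]},
    {"id": "app-2", "displayName": "hr-portal",
     "passwordCredentials": [{"startDateTime": "2025-05-01T00:00:00Z"}],
     "requiredResourceAccess": [{"resourceAppId": GRAPH_APP_ID, "resourceAccess": [
         {"id": "e1fe6dd8-ba31-4d61-89e7-88639da4683d", "type": "Scope"}]}]},
]})

def audit_applications(export_json, now, max_secret_age_days=365):
    """Return {app id: [finding, ...]} for registrations that need review."""
    findings = {}
    for app in json.loads(export_json)["value"]:
        notes = []
        if app.get("displayName", "").lower().startswith(LEGACY_NAME_PREFIXES):
            notes.append("legacy/test naming")
        for cred in app.get("passwordCredentials", []):
            started = datetime.fromisoformat(cred["startDateTime"].replace("Z", "+00:00"))
            if now - started > timedelta(days=max_secret_age_days):
                notes.append(f"client secret unrotated since {started.date()}")
        for rra in app.get("requiredResourceAccess", []):
            if rra.get("resourceAppId") != GRAPH_APP_ID:
                continue
            for perm in rra.get("resourceAccess", []):
                name = GRAPH_PERMISSION_NAMES.get(perm["id"], perm["id"])
                if name.startswith("Mail."):
                    # type "Role" is an application permission: usable with no signed-in user
                    kind = "application" if perm.get("type") == "Role" else "delegated"
                    notes.append(f"mail access: {name} [{kind}]")
        if notes:
            findings[app["id"]] = notes
    return findings

def audit_sample():
    """Run the audit over the constructed export as of a fixed date."""
    return audit_applications(SAMPLE_EXPORT, datetime(2025, 6, 1, tzinfo=timezone.utc))
```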

For credentials specifically:

  • Run a credential scanning service (Have I Been Pwned, Dehashed, or self-hosted with the 16B corpus) against your corporate email domain weekly
  • Enforce passkey adoption — FIDO2/WebAuthn eliminates password-based credential theft entirely
  • Implement session token revocation — rotate tokens on every privilege escalation
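The k-anonymity range lookup that Have I Been Pwned popularised is what makes the first bullet safe to run: the checker never sends the password or its full hash, only a 5-character hash prefix, and matches the suffix locally. Here is an added Python example (not from the original post) with both sides of that exchange against a constructed corpus standing in for the 16B dataset.

```python
import hashlib

# Constructed breach corpus standing in for the 16B dataset (counts are made up).
# A real deployment queries Have I Been Pwned's range endpoint or a self-hosted copy.
BREACH_CORPUS = {
    "123456": 50_000_000,
    "password": 20_000_000,
    "qwerty": 10_000_000,
    "P@ssw0rd2020": 3,
}

def sha1_hex(password):
    # SHA-1 is only the lookup key of the k-anonymity protocol here, not password storage.
    return hashlib.sha1(password.encode("utf-8")).hexdigest().upper()

def build_range_index(corpus):
    """Server side: bucket every hash by its first 5 hex chars, as the range API does."""
    index = {}
    for pw, count in corpus.items():
        digest = sha1_hex(pw)
        index.setdefault(digest[:5], []).append(f"{digest[5:]}:{count}")
    return index

RANGE_INDEX = build_range_index(BREACH_CORPUS)

def range_lookup(prefix5):
    """Server side: the only thing the server ever receives is a 5-char prefix,
    and it answers with every suffix in that bucket (k candidates per query)."""
    assert len(prefix5) == 5
    return RANGE_INDEX.get(prefix5, [])

def breach_count(password, lookup=range_lookup):
    """Client side: send the prefix, match the suffix locally. Returns how many times
    the password appears in the corpus, or 0 if it is absent."""
    digest = sha1_hex(password)
    prefix, suffix = digest[:5], digest[5:]
    for line in lookup(prefix):
        found_suffix, count = line.split(":")
        if found_suffix == suffix:
            return int(count)
    return 0

def screen_policy(password, max_seen=0):
    """Accept a password only if the corpus has seen it at most max_seen times."""
    return breach_count(password) <= max_seen
```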

3. Incident Response Realism

Both breaches exposed a gap between IR plans and reality. Midnight Blizzard was detected by Microsoft’s security team, not automated alerts. The 16B credential compilation was assembled over years without detection.

An effective IR plan must account for:

  • Data exfiltration over months, not hours. Monitor cumulative data transfer volume, not just spikes.
  • OAuth and API-based attacks that bypass traditional network monitoring. Log token issuance events, not just HTTP requests.
  • Credential stuffing from legitimate residential proxies. Geo-IP blocking is insufficient; behavior-based rate limiting matters more.

4. Specific Technical Controls

Priority Controls (ordered by impact):
┌──────┬──────────────────────────────────────────────────────┐
│ Rank │ Control                                              │
├──────┼──────────────────────────────────────────────────────┤
│ 1    │ MFA on ALL accounts (no exceptions, even test apps)  │
│ 2    │ OAuth permission audit (quarterly review + cleanup)  │
│ 3    │ Passwordless authentication (WebAuthn/FIDO2)         │
│ 4    │ Credential scanning against breach databases         │
│ 5    │ API gateway with rate limiting and behavior analysis │
└──────┴──────────────────────────────────────────────────────┘

Summary

Midnight Blizzard and the 16B credential leak represent opposite ends of the attack spectrum: one is a sophisticated nation-state operation targeting a single organization; the other is a commoditized crimeware product assembled from millions of individual infections. They share a common defensive lesson: attackers exploit the systems you forgot about.

Audit your test infrastructure. Rotate credentials that were set years ago. Monitor OAuth permissions as carefully as you monitor firewall rules. And most importantly — assume that credentials are already compromised, and build your security model around that assumption.

References

  • Microsoft Security Response Center: Midnight Blizzard
  • CISA Advisory on APT29
  • CyberNews 16B Credential Leak Report
  • NIST SP 800-63B: Digital Identity Guidelines

