
Cyber Incident Victim: AdGuard Inc.

Date: Sep 2018

Location: Russia

Summary

A credential stuffing attack targeted an ad-blocking service: attackers used previously leaked credentials to gain unauthorized access to some user accounts, which store ad blocker settings. The company reset all user passwords because encrypted storage prevented it from identifying the compromised accounts, and it implemented the Have I Been Pwned API to flag reused breached passwords during resets. Additional security measures included stricter password requirements and plans for future two-factor authentication support. The attackers' objectives remained unclear given the accounts' limited functionality.


Description

On September 20, 2018, AdGuard disclosed a credential stuffing attack targeting its user accounts. An unidentified attacker executed brute-force login attempts using email addresses and passwords previously exposed in breaches of unrelated companies. This method leveraged reused credentials to gain unauthorized access to AdGuard accounts, which stored ad-blocker configuration settings. The company confirmed attackers successfully compromised some accounts but could not determine the exact number or identities of affected users due to encryption measures protecting stored passwords. AdGuard’s detection of the attack prompted immediate action, though the specific timeline of the intrusion and its duration remained unspecified in public statements. The attackers’ objectives were unclear, as compromised accounts held minimal transactional value beyond personalized ad-filtering preferences.

In response, AdGuard initiated a full password reset for all user accounts as a precautionary measure, acknowledging the impossibility of verifying whether any exposed credentials matched those in its encrypted database. The company concurrently integrated the Have I Been Pwned API into its authentication system to screen new passwords against known breach datasets, alerting users during password creation if their chosen credentials appeared in public leaks. AdGuard also implemented stricter password complexity requirements and announced plans to introduce two-factor authentication, though no specific timeline was provided for this enhancement. These measures aimed to mitigate future credential-stuffing risks while addressing the immediate compromise. The incident underscored the operational challenge of defending against attacks exploiting recycled credentials from third-party breaches, particularly when attackers target systems storing non-financial but user-specific data.
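The breached-password screening described above can be sketched as follows. This is an added example, not AdGuard's code: it assumes the k-anonymity range lookup offered by the Pwned Passwords service (the page does not say which Have I Been Pwned endpoint was used), and the function names, the verdict strings and the sample data are constructed for illustration.

```python
import hashlib

def sha1_hex(password: str) -> str:
    return hashlib.sha1(password.encode("utf-8")).hexdigest().upper()

def breach_count(password: str, fetch_range) -> int:
    """Return how often the password occurs in the breach corpus (0 if absent).

    Only the first 5 hex characters of the SHA-1 digest are handed to
    fetch_range; the remaining 35 are compared locally, so the lookup
    service never sees the password or its full hash.
    """
    digest = sha1_hex(password)
    prefix, suffix = digest[:5], digest[5:]
    for line in fetch_range(prefix).splitlines():
        candidate, _, count = line.strip().partition(":")
        if candidate.upper() == suffix and count.isdigit():
            return int(count)
    return 0

def screen_new_password(password: str, fetch_range) -> str:
    """Verdict for a password chosen during a reset (verdict names are assumptions)."""
    try:
        hits = breach_count(password, fetch_range)
    except OSError:
        # Assumed policy: do not block resets when the lookup is down,
        # but record that the password was not screened.
        return "allow-unchecked"
    return "warn-breached" if hits else "allow"

# Constructed sample data standing in for the remote breach corpus.
CONSTRUCTED_LEAKED = {"password123": 5000, "qwerty2018": 42}

def constructed_fetch_range(prefix: str) -> str:
    """Offline stand-in for an HTTP GET of the range endpoint ("SUFFIX:COUNT" lines)."""
    lines = ["0" * 35 + ":7"]  # unrelated filler entry
    for pw, n in CONSTRUCTED_LEAKED.items():
        digest = sha1_hex(pw)
        if digest.startswith(prefix):
            lines.append(f"{digest[5:]}:{n}")
    return "\r\n".join(lines)

def unavailable_fetch_range(prefix: str) -> str:
    raise OSError("lookup service unreachable (constructed failure)")

if __name__ == "__main__":
    for pw in ("password123", "Vq7#long-unique-passphrase-2018"):
        print(pw, "->", screen_new_password(pw, constructed_fetch_range))
```

In a deployment, `fetch_range` would perform the HTTPS request to the range endpoint; everything else stays local to the authentication service.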
