Credential Stuffing and Account Takeover

Information Security, Betsson Group · Published in Betsson Group · Dec 20, 2019 · 4 min read

The purpose of this article

Our Information Security Awareness articles are designed to deliver security awareness ideas and stories. We’ll do our absolute best to provide our readers with practical and useful information, share tips and suggestions, and keep you updated on recent trends. All of the information we provide will help you when dealing with technology at all times.

What is credential stuffing?

Credential stuffing is a type of cyberattack in which malicious users take credentials, such as email address and password pairs stolen in previous data breaches, and replay them through automated login requests in an attempt to access users’ accounts on other services.

Scenario: You have registered yourself with Company XYZ and have been shopping for a couple of years. Then, a data breach occurs where your credentials (i.e. email address and password) were stolen. Attackers will then attempt to use the stolen Company XYZ credentials to authenticate on other platforms on your behalf.

Once authenticated, malicious users will then be able to steal other personal information such as home addresses, contact details, and “masked” credit card information among others.
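The scenario above has a recognisable shape on the receiving service: one source replays many different leaked accounts, most of which fail because the password was not reused, while the occasional success is the account takeover. The following is an added example (not code from the original article), written from the service operator's side, that scores login events per source IP on the number of distinct usernames tried and the failure ratio, and lists the accounts a flagged source did get into. The log format and all sample lines are constructed for the demonstration.

```python
"""Spot credential-stuffing traffic in authentication logs.

Added example, not code from the original article. The log format
(timestamp, source IP, username, result) is constructed for this demo.
"""
from collections import defaultdict
from dataclasses import dataclass

# Constructed sample: one source cycles through many different accounts
# (the stuffing signature); the other is a single user mistyping a password.
SAMPLE_LOG = """\
2019-12-20T09:00:01Z 203.0.113.7 alice FAIL
2019-12-20T09:00:02Z 203.0.113.7 bob FAIL
2019-12-20T09:00:02Z 203.0.113.7 carol FAIL
2019-12-20T09:00:03Z 203.0.113.7 dave OK
2019-12-20T09:00:03Z 203.0.113.7 erin FAIL
2019-12-20T09:00:04Z 203.0.113.7 frank FAIL
2019-12-20T09:00:10Z 198.51.100.4 alice FAIL
2019-12-20T09:00:15Z 198.51.100.4 alice FAIL
2019-12-20T09:00:20Z 198.51.100.4 alice OK
"""


@dataclass
class LoginEvent:
    ts: str
    ip: str
    user: str
    success: bool


def parse_log(text):
    """Parse the constructed 'ts ip user RESULT' lines into LoginEvent objects."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, ip, user, result = line.split()
        events.append(LoginEvent(ts, ip, user, result == "OK"))
    return events


def find_stuffing_sources(events, min_distinct_users=5, min_fail_ratio=0.5):
    """Return source IPs whose traffic looks like credential stuffing.

    A normal user retries one account; a stuffing tool tries many accounts,
    most of which fail because the leaked password was not reused there.
    """
    users_by_ip = defaultdict(set)
    attempts = defaultdict(int)
    failures = defaultdict(int)
    for e in events:
        users_by_ip[e.ip].add(e.user)
        attempts[e.ip] += 1
        if not e.success:
            failures[e.ip] += 1
    flagged = set()
    for ip, n in attempts.items():
        if len(users_by_ip[ip]) >= min_distinct_users and failures[ip] / n >= min_fail_ratio:
            flagged.add(ip)
    return flagged


def accounts_at_risk(events, flagged_ips):
    """Accounts a flagged source logged into successfully: the password was reused there."""
    return {e.user for e in events if e.success and e.ip in flagged_ips}


if __name__ == "__main__":
    evts = parse_log(SAMPLE_LOG)
    bad = find_stuffing_sources(evts)
    print("suspected stuffing sources:", sorted(bad))
    print("accounts to force a password reset on:", sorted(accounts_at_risk(evts, bad)))
```

The thresholds are deliberately simple; in production they would be tuned per endpoint and combined with rate limits and device signals, but the two ratios shown (distinct accounts per source, failures per attempt) are the core of most credential-stuffing detections.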


Has your password been pwned?


A website called ‘HaveIBeenPwned.com’ (link) helps with answering this question for you. This website is a free online utility that collects and analyses hundreds of database dumps and pasted information containing data on billions of leaked accounts. Anyone can use this website to check if their personal data has been compromised by data breaches by searching for their own username or email address. Users can also choose to subscribe for notifications in the event that their email address appears in future dumps.

Let’s dig deeper into the scenario above where Company XYZ gets compromised and all of its sensitive customer data is leaked onto the Internet. In such an event, malicious actors would view the leaked data as extremely valuable information that could support and facilitate future cyberattacks and would, therefore, be among the first to download the database. Users who search for their email address on the website, or who have subscribed to notifications, will be informed of the data leak, making them aware that their credentials have been compromised. Users may then take action to harden the security of their accounts (keep reading for a few recommendations). Without such knowledge, the victim remains uninformed, and any malicious user with knowledge of the credentials can continue to collect additional sensitive information.

This website is a valuable resource for Internet users that care about their own security and privacy. Once you’re done reading this article, we strongly suggest that you search for your own email address(es) and implement stronger security controls to protect your accounts.
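Have I Been Pwned also answers the heading's question for passwords themselves, through its Pwned Passwords range lookup: the client hashes the password with SHA-1, sends only the first five hex characters of the hash, receives every suffix that shares that prefix, and finishes the comparison locally, so the password never leaves the machine. The following added example (not code from the original article or from HIBP) implements that k-anonymity lookup. The response body it uses is constructed so the example runs offline; only the `fetch_range` function talks to the real service, and it is not called by default.

```python
"""Check a password against Pwned Passwords using the k-anonymity range API.

Added example, not code from the original article or from HIBP. Only the
first five hex characters of the password's SHA-1 hash leave the machine;
the service returns every hash suffix sharing that prefix and the match is
made locally. The sample response body below is constructed for offline use.
"""
import hashlib
import urllib.request

HIBP_RANGE_URL = "https://api.pwnedpasswords.com/range/"


def sha1_prefix_suffix(password):
    """Split the upper-case hex SHA-1 of the password into (5-char prefix, 35-char suffix)."""
    digest = hashlib.sha1(password.encode("utf-8")).hexdigest().upper()
    return digest[:5], digest[5:]


def parse_range_response(body):
    """Parse 'SUFFIX:COUNT' lines into a {suffix: count} dict."""
    counts = {}
    for line in body.splitlines():
        line = line.strip()
        if not line:
            continue
        suffix, _, count = line.partition(":")
        counts[suffix.upper()] = int(count)
    return counts


def fetch_range(prefix):
    """Live lookup of one hash prefix (needs network access; not used offline)."""
    req = urllib.request.Request(HIBP_RANGE_URL + prefix,
                                 headers={"User-Agent": "hibp-range-example"})
    with urllib.request.urlopen(req, timeout=10) as resp:
        return resp.read().decode("utf-8")


def breach_count(password, fetch=fetch_range):
    """Times the password appeared in known breaches (0 = not found in its range)."""
    prefix, suffix = sha1_prefix_suffix(password)
    return parse_range_response(fetch(prefix)).get(suffix, 0)


# Constructed stand-in for the response to /range/5BAA6. The second line holds the
# real SHA-1 suffix of the string "password"; the counts and other suffixes are made up.
SAMPLE_RANGE_BODY = """\
1D2DA4053E34E76F6576ED1DA63134B5E2A:2
1E4C9B93F3F0682250B6CF8331B7EE68FD8:3730471
1E8B1B4D5CA8D4F8A5A7E0B0C0C0C0C0C0C:1
"""


def offline_fetch(prefix):
    """Stand-in for fetch_range that serves the constructed body for prefix 5BAA6 only."""
    return SAMPLE_RANGE_BODY if prefix == "5BAA6" else ""


if __name__ == "__main__":
    for pw in ("password", "correct-horse-battery-staple-2019"):
        n = breach_count(pw, offline_fetch)
        print(f"{pw!r}: seen {n} times" if n else f"{pw!r}: not in this range")
```

The same check is what a registration or password-change form can run server-side to refuse passwords that already appear in breach dumps, which removes the raw material credential stuffing depends on.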

Targeted industries

A study (link) by Akamai Technologies shows that malicious users launched 61 billion credential stuffing attacks during the 18-month period from January 2018 to July 2019.

Further statistics (link) also show that the gaming industry is among the most targeted by malicious users: 12 billion of these credential stuffing attacks targeted gaming websites, which amounts to around 19% of all attacks.

Other targeted industries include e-commerce; video streaming services, social media and entertainment; financial services; and healthcare organizations. HSBC (link), DailyMotion (link) and Citrix (link) all publicly disclosed that they were targeted by credential stuffing attacks.

What can you do to protect yourself?

Defending against credential stuffing and account takeover is fairly easy from a user’s point of view. As such, Betsson Group’s Information Security team would like to give you some easy tips:

  • Enable Multi-Factor Authentication: Ensure that you enable 2FA whenever the platform provides the option.
  • Flag unrecognized devices and new locations: Ensure that you always receive a notification whenever there is a successful login from unrecognized devices and/or new geographical locations.
  • Use unique passwords for every website: Ensure that different passwords are used for every website. When you think about it, you probably don’t even know the number of online accounts you have!
  • Use a strong password management system: Having a strong password management system will help you keep track of the different passwords you have. Most password management systems will also help you create strong passwords.
  • Do not connect to public Wi-Fi networks: We can’t stress this enough! Open public Wi-Fi networks do not encrypt the data transmitted over the air. As such, malicious users on the same network may be able to intercept clear-text messages, including usernames and passwords, whenever you authenticate to a system.
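The second tip, notifications for logins from unrecognized devices and new locations, is a control the service implements rather than the user. The following added example (not code from the original article) shows the minimal server-side logic: replay each account's logins in order, treat the first login as the baseline, and raise an alert whenever a later login arrives from a device identifier or country the account has not used before. The login records are constructed; a real service would derive the device identifier from a persistent cookie or client fingerprint and the country from IP geolocation.

```python
"""Flag logins from a device or country not previously seen for the account.

Added example, not code from the original article. The login records are
constructed: (username, device identifier, country code).
"""
from collections import defaultdict

SAMPLE_LOGINS = [
    ("alice", "dev-1", "MT"),  # first login: establishes the baseline, no alert
    ("alice", "dev-1", "MT"),
    ("alice", "dev-2", "MT"),  # known country, never-seen device
    ("alice", "dev-1", "BR"),  # known device, never-seen country
    ("bob", "dev-9", "SE"),    # bob's first login: baseline only
]


def detect_new_context(logins):
    """Replay logins in order; return (user, device, country, reasons) for each anomalous one."""
    seen_devices = defaultdict(set)
    seen_countries = defaultdict(set)
    alerts = []
    for user, device, country in logins:
        reasons = []
        if seen_devices[user]:  # the very first login only seeds the baseline
            if device not in seen_devices[user]:
                reasons.append("unrecognized device")
            if country not in seen_countries[user]:
                reasons.append("new location")
        seen_devices[user].add(device)
        seen_countries[user].add(country)
        if reasons:
            alerts.append((user, device, country, reasons))
    return alerts


if __name__ == "__main__":
    for user, device, country, reasons in detect_new_context(SAMPLE_LOGINS):
        print(f"notify {user}: login from {device} in {country} ({', '.join(reasons)})")
```

An alert that fires on both reasons at once (new device and new location for an established account) is the pattern that most often corresponds to a successful credential-stuffing login, and is the one worth pairing with a step-up authentication prompt rather than a notification alone.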

’Tis the season to stay safe!


It’s beginning to look a lot like Christmas — and with the festive season comes various opportunities for cyber-scrooges to spoil all the fun! While users prepare for the festivities through some last-minute shopping, cybercriminals look for opportunities to scam shoppers using various exploits.

Betsson Group’s Information Security team would like to inform users to stay vigilant during this festive period. Always keep track of the online shopping orders you’ve made to help you identify phishing and/or spear-phishing attacks. Additionally, always hover over hyperlinks to verify the URL before clicking it!

We wish you a cyber-safe, and happy Christmas! :-)
