The Full-Scale Assault of Credential Stuffing

Harder, better, faster, stronger

Lara Mossler
Digital Security Now
5 min read · Sep 21, 2017


The threat of having your login-credentials compromised is a real and growing problem. Last year, a hack of the popular video-sharing website Dailymotion exposed 85.2 million unique email addresses. In 2013 and 2014, Yahoo was hacked and reportedly up to 1 billion accounts were compromised.

Approximately how many credentials does that leave out there on the dark web today? That’s difficult to pin down. Per a study conducted by Risk Based Security, in 2016 more than 4,000 data breaches resulted in over 4 billion exposed records.

If a simple Google search is any indication, that number is going to grow in 2017 and years after.

Every social media website and several online news sites have fallen victim to breaches. If not, then hackers themselves claim the sites have been compromised.

This is part of the rise in credential stuffing attacks. It’s an emerging threat, a form of brute force cyber-attack. Credential stuffing takes user login credentials (such as a username and password) stolen from one source and replays them against other platforms, compromising every account where the same credentials were reused.

Credential Stuffing: A Growing Problem

Some years ago, during college, a friend of mine called on me for a favor. He gave me the password to his Gmail account so that I could access an important piece of information that he needed. This was before the days when everyone had a smartphone at their fingertips (and password managers).

This being years ago, and in college, I decided to play a small prank. I thought to myself: “if this is the password he uses for email, what are the odds he uses it for other things as well?” As it turns out, he did. Armed with that email address and password I was able to access his Facebook account.

It was an innocent prank. I changed his Facebook profile picture to something silly. I immediately told him what I was doing and we laughed about it. Presumably he changed his password later that day. No real harm done.

The above story is a rough example of how credential attacks began (and why they work). Having obtained login credentials for one site (Dailymotion or Yahoo, for example), hackers check the same information against other sites (such as Facebook). The initial breach is cause enough for concern. But the danger does not stop there.

Anywhere from half to upwards of 80% of people are using the same password on more than one online account.

This is the fuel by which credential stuffing attacks are powered. Criminals are banking on the notion that if you are using one set of login credentials for one site, there’s a good chance you’re using them for others.

To that end, the true danger in security breaches often extends beyond the initial crime. Having your Yahoo email credentials stolen is a gross invasion of privacy. Yet it may be far worse if that same information can be used to access your PayPal or online credit card account.

The Scale Up

Credential attacks are nothing new, but technology has allowed these attacks to be scaled up using automation. Before automation, making use of stolen information meant that thousands, or hundreds of thousands, of credentials had to be manually entered into the target application, in much the same way I did with my friend’s Facebook account years ago.

It could take hours, days, weeks, or even longer to find a matching credential. It was the digital equivalent of having a massive keyring and only one lock. Bots and automated software now allow the keys to be tested without any manual input. Thus, attacks continue to rise (more to come on the tools they use next month).

Enterprise Systems At Risk

While there is no shortage of attempts to defraud individual customers in order to obtain stolen credentials, the origin of these attacks is usually a global organization whose information has been leaked or stolen.

Per a report published in January of this year by Shape Security, a California-based digital security firm, 9 out of 10 login attempts made to Fortune 500 companies in 2016 can be attributed to credential stuffing attacks. This means that, on average, only 10% of all login attempts made to Amazon.com, for example, are from genuine customers.

How does this happen so often? The rate at which data systems are being breached is staggering. In fact, the record for the largest credential spill was met and reset three times last year. In all, over 3 billion stolen credentials were reported in 2016 alone.

Once information has been obtained, the data can be used by the perpetrator to launch credential stuffing attacks or sold on the dark web to the highest bidder. With automated software, rapid testing of millions of credentials can be completed in a fraction of the time it used to take.

For their part, many companies who experience these attacks aren’t even aware that they are occurring. Most of this brute force activity is not meant to breach their systems or to cause them harm. In fact, the attackers are using the login apparatus the way it is intended to be used, though on a mass, automated scale and with stolen credentials.
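Because each individual login request looks exactly like a customer signing in, detection has to work on the aggregate rather than on any single request. The following is an added example (not code from the original post) that profiles a small constructed login log per source address and flags sources that try many different usernames, almost all of which fail, faster than a person types. The log format (`timestamp source_ip username OK|FAIL`, one attempt per line) and the threshold values are assumptions to be tuned to real traffic.

```python
"""Spotting credential stuffing in login logs by aggregating per source.

Added example, not code from the original post. The log format and the
thresholds below are assumptions; tune them to your own traffic.
"""
from collections import defaultdict
from dataclasses import dataclass, field
from datetime import datetime
from typing import Dict, List, Optional

# Constructed sample: one genuine user who mistypes twice, one source that
# tries a different username every second, and one ordinary login.
SAMPLE_LOG = """\
2017-09-21T10:00:00 198.51.100.4 carol FAIL
2017-09-21T10:00:09 198.51.100.4 carol FAIL
2017-09-21T10:00:20 198.51.100.4 carol OK
2017-09-21T10:01:00 203.0.113.7 user01 FAIL
2017-09-21T10:01:01 203.0.113.7 user02 FAIL
2017-09-21T10:01:02 203.0.113.7 user03 FAIL
2017-09-21T10:01:03 203.0.113.7 user04 FAIL
2017-09-21T10:01:04 203.0.113.7 user05 OK
2017-09-21T10:01:05 203.0.113.7 user06 FAIL
2017-09-21T10:01:06 203.0.113.7 user07 FAIL
2017-09-21T10:01:07 203.0.113.7 user08 FAIL
2017-09-21T10:01:08 203.0.113.7 user09 FAIL
2017-09-21T10:01:09 203.0.113.7 user10 FAIL
2017-09-21T10:01:10 203.0.113.7 user11 FAIL
2017-09-21T10:01:11 203.0.113.7 user12 FAIL
2017-09-21T10:02:30 192.0.2.9 dave OK
"""


@dataclass
class SourceStats:
    attempts: int = 0
    failures: int = 0
    usernames: set = field(default_factory=set)
    successes: List[str] = field(default_factory=list)  # accounts the source got into
    first: Optional[datetime] = None
    last: Optional[datetime] = None

    @property
    def fail_rate(self) -> float:
        return self.failures / self.attempts

    @property
    def per_minute(self) -> float:
        span = (self.last - self.first).total_seconds()
        # A burst shorter than a second is reported as its raw count.
        return float(self.attempts) if span < 1 else self.attempts * 60 / span


def parse_line(line: str):
    """Return (timestamp, ip, username, succeeded) or None for a malformed line."""
    parts = line.split()
    if len(parts) != 4 or parts[3] not in ("OK", "FAIL"):
        return None  # skip junk rather than abort the whole analysis
    return datetime.fromisoformat(parts[0]), parts[1], parts[2], parts[3] == "OK"


def profile_sources(log_text: str) -> Dict[str, SourceStats]:
    """Aggregate every attempt in the log by source address."""
    stats: Dict[str, SourceStats] = defaultdict(SourceStats)
    for line in log_text.splitlines():
        parsed = parse_line(line)
        if parsed is None:
            continue
        ts, ip, user, ok = parsed
        s = stats[ip]
        s.attempts += 1
        s.usernames.add(user)
        if ok:
            s.successes.append(user)
        else:
            s.failures += 1
        s.first = ts if s.first is None else min(s.first, ts)
        s.last = ts if s.last is None else max(s.last, ts)
    return dict(stats)


def flag_stuffing(stats: Dict[str, SourceStats], min_attempts: int = 10,
                  min_distinct_users: int = 8, min_fail_rate: float = 0.8,
                  min_per_minute: float = 30) -> Dict[str, dict]:
    """Return sources whose aggregate behaviour matches credential stuffing:
    many attempts, many *different* usernames, mostly failing, at machine speed."""
    flagged = {}
    for ip, s in stats.items():
        if (s.attempts >= min_attempts
                and len(s.usernames) >= min_distinct_users
                and s.fail_rate >= min_fail_rate
                and s.per_minute >= min_per_minute):
            flagged[ip] = {
                "attempts": s.attempts,
                "distinct_users": len(s.usernames),
                "fail_rate": round(s.fail_rate, 2),
                "per_minute": round(s.per_minute, 1),
                "compromised": sorted(set(s.successes)),
            }
    return flagged


def accounts_to_reset(log_text: str) -> List[str]:
    """Accounts a flagged source logged into: their reused password is known."""
    hits = set()
    for info in flag_stuffing(profile_sources(log_text)).values():
        hits.update(info["compromised"])
    return sorted(hits)


if __name__ == "__main__":
    for ip, info in flag_stuffing(profile_sources(SAMPLE_LOG)).items():
        print(ip, info)
    print("force password reset for:", accounts_to_reset(SAMPLE_LOG))
```

The genuine user who fails twice before signing in is never flagged: a single username and three attempts in twenty seconds look nothing like the aggregate profile. The successful logins from a flagged source are the accounts whose reused password has just been confirmed, so those are the ones to reset and notify first. One caveat for real deployments: attackers spread attempts across many addresses, so keying the same aggregation on other request attributes, and on the per-account view (one username failing from many sources), closes the gap that a per-address threshold alone leaves open.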

Fast Followers

Our next six weeks will focus on this emerging threat, recommended next steps and popular tools. We’ll look into the steps that businesses and consumers can take to safeguard their accounts.

Did you enjoy this post? Why not give it some ❤️ or a share? If you’re interested in more of this, consider getting my monthly newsletter.
