A staggering 1.1 million accounts were hacked in credential-stuffing attacks, according to the New York State AG.
Credential-Stuffing Attacks Aiming High
A New York State investigation revealed that cybercriminals hit 17 major companies with credential-stuffing attacks, in which more than 1.1 million accounts were compromised.
This type of attack uses automated scripts to try massive volumes of credential combinations against online accounts in an attempt to crack them and take them over. Perpetrators can then use the accounts for various malicious purposes – to infiltrate deeper into the compromised system, to steal money, or to impersonate the victim in further attacks on their contacts.
These attacks often succeed because employees neglect basic password-security rules that would spare an organization the trouble of a breach. They reuse passwords or pick ridiculously common ones, such as “12345” or their birthday.
And they’re anything but cheap: The Ponemon Institute’s Cost of Credential Stuffing report discovered that companies lose an average of $6 million a year to credential-stuffing attacks.
“With over 8.4 billion passwords in the wild and over 3.5 billion of those passwords tied to actual email addresses, it provides a starting point and easy attack vector for cybercriminals to target various online sites that utilize accounts for their customers,” said James McQuiggan, security awareness advocate at KnowBe4, via email. “These types of attacks give access to personal information about the user, their tax information and of course, their Social Security numbers for them and possibly their immediate family. Additionally, cybercriminals recognize that many organizations or users will not implement additional security measures and use the same password across various website accounts.”
The OAG (Office of the AG) conducted a months-long investigation of activity in cybercrime forums dedicated to credential stuffing to determine the extent of the issue.
“The OAG found thousands of posts that contained customer login credentials that attackers had tested in a credential stuffing attack and confirmed could be used to access customer accounts at websites or on apps,” according to a Wednesday media statement.
The 17 targeted organizations are “well-known online retailers, restaurant chains and food delivery services,” the office wrote.
“Right now, there are more than 15 billion stolen credentials being circulated across the internet, as users’ personal information stand in jeopardy,” said New York Attorney General Letitia James. “Businesses have the responsibility to take appropriate action to protect their customers’ online accounts and this guide lays out critical safeguards companies can use in the fight against credential stuffing. We must do everything we can to protect consumers’ personal information and their privacy.”
Users should also be cautious of follow-on attacks, experts added.
“Like many people today, I have a neighborhood-watch application which alerts me to things happening in my community,” said Ron Bradley, vice president of Shared Assessments, via email. “Oftentimes people will post videos of threat actors checking the locks on cars and home doors…this perimeter ‘doorknob’ testing is similar to the recent announcement by the New York OAG. The fact is, there are billions of compromised credentials easily available on the internet. Threat actors will constantly use these resources in an attempt to breach digital assets.”
Tips To Avoid Credential-Stuffing Attacks
“In this case, the importance of identity and access management (IAM) cannot be overstated. Organizations absolutely must enforce multiple layers of protection, especially when it comes to accessing sensitive data. The equation to combat this issue is straightforward,” said Bradley.
He recommended applying the following security practices:
- Strong passwords are good, but passphrases are better
- Privileged access should always be accompanied with multifactor authentication
- Throttle internet-facing applications to prevent brute-force login attempts
- Detection and response mechanisms must be deployed and validated regularly
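The attack pattern described earlier (one automated source trying many accounts in quick succession) and the last two items above (throttling and detection) can be shown together on a small authentication log. The following Python is an added example written for this article, not code from the New York OAG, Shared Assessments or any vendor named here; the log lines, IP addresses, usernames and thresholds are all constructed for illustration, and a real deployment would tune the thresholds to its own traffic.

```python
from collections import defaultdict, deque
from datetime import datetime, timezone

# Constructed sample authentication log (not from the article), one attempt per line:
# "<ISO timestamp> <source IP> <username> <FAIL|OK>"
# 203.0.113.7 sprays eleven different accounts in ten seconds (one succeeds);
# 198.51.100.4 is a human who mistypes their own password twice, then logs in.
SAMPLE_LOG = """\
2022-01-05T10:00:00Z 203.0.113.7 alice FAIL
2022-01-05T10:00:01Z 203.0.113.7 bob FAIL
2022-01-05T10:00:02Z 203.0.113.7 carol FAIL
2022-01-05T10:00:03Z 203.0.113.7 dave FAIL
2022-01-05T10:00:04Z 203.0.113.7 erin FAIL
2022-01-05T10:00:05Z 203.0.113.7 frank OK
2022-01-05T10:00:06Z 203.0.113.7 grace FAIL
2022-01-05T10:00:07Z 203.0.113.7 heidi FAIL
2022-01-05T10:00:08Z 203.0.113.7 ivan FAIL
2022-01-05T10:00:09Z 203.0.113.7 judy FAIL
2022-01-05T10:00:10Z 203.0.113.7 mallory FAIL
2022-01-05T10:01:00Z 198.51.100.4 alice FAIL
2022-01-05T10:01:20Z 198.51.100.4 alice FAIL
2022-01-05T10:01:45Z 198.51.100.4 alice OK
"""


def parse_log(text):
    """Turn the constructed log format into a list of event dicts."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, ip, user, result = line.split()
        events.append({
            "ts": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc),
            "ip": ip,
            "user": user,
            "ok": result == "OK",
        })
    return events


def detect_credential_stuffing(events, window_seconds=60, min_failures=10, min_distinct_users=8):
    """Flag source IPs that, within a sliding window, produce many failed logins spread
    across many different accounts. A single user forgetting one password produces
    failures against one account; an automated list replay produces failures against many.
    Thresholds are illustrative assumptions."""
    by_ip = defaultdict(list)
    for ev in events:
        by_ip[ev["ip"]].append(ev)

    flagged = {}
    for ip, evs in by_ip.items():
        evs.sort(key=lambda e: e["ts"])
        recent = deque()
        for ev in evs:
            recent.append(ev)
            # drop events that fell out of the window
            while (ev["ts"] - recent[0]["ts"]).total_seconds() > window_seconds:
                recent.popleft()
            failures = sum(1 for e in recent if not e["ok"])
            users = {e["user"] for e in recent}
            if failures >= min_failures and len(users) >= min_distinct_users:
                # any account that logged in successfully during the spray is a
                # likely takeover and should be reviewed (e.g. forced password reset)
                flagged[ip] = {
                    "failures": failures,
                    "distinct_users": len(users),
                    "possibly_compromised": sorted(e["user"] for e in recent if e["ok"]),
                }
    return flagged


class LoginThrottle:
    """Per-source rate limit: at most `max_attempts` login attempts per `window_seconds`.
    This is the "throttle internet-facing applications" control in its simplest form."""

    def __init__(self, max_attempts=5, window_seconds=60):
        self.max_attempts = max_attempts
        self.window_seconds = window_seconds
        self.attempts = defaultdict(deque)

    def allow(self, ip, now):
        q = self.attempts[ip]
        while q and (now - q[0]).total_seconds() > self.window_seconds:
            q.popleft()
        if len(q) >= self.max_attempts:
            return False
        q.append(now)
        return True


def replay_with_throttle(events, throttle):
    """Replay the log through the throttle and count how many attempts each source
    would have been refused before ever reaching the password check."""
    blocked = defaultdict(int)
    for ev in sorted(events, key=lambda e: e["ts"]):
        if not throttle.allow(ev["ip"], ev["ts"]):
            blocked[ev["ip"]] += 1
    return dict(blocked)


if __name__ == "__main__":
    evs = parse_log(SAMPLE_LOG)
    print("flagged sources:", detect_credential_stuffing(evs))
    print("attempts blocked by throttle:", replay_with_throttle(evs, LoginThrottle()))
```

Two design points are worth noting. The detector keys on distinct usernames per source, not just failure volume, because that is what separates a list replay from a locked-out human; the human in the sample log never trips it. The throttle is deliberately applied before authentication, so a spraying source loses access to the login endpoint after five attempts, which in the sample stops the spray before the sixth attempt, the one that would have succeeded. In production the same logic would also be applied per account and per device fingerprint, since attackers spread attempts across many source addresses.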
“These are just a few of the fundamental controls needed to protect your data,” Bradley concluded. “It’s important to remember your digital asset boundary is like squeezing a balloon. You can tighten one side, but the other side expands. The challenge is finding that middle ground. When third parties are involved, the task becomes increasingly difficult as you must ensure they are following no less than the controls you’ve specified.”
Do your employees take their work-related passwords seriously? You can test them today and find out how your company would manage in the event of a phishing attack. Our Free Cybersecurity Awareness Training is a great opportunity to shed some light on the seriousness with which your employees regard password security.