Credential stuffing is a method that hackers use to infiltrate a company’s system by automated injection of breached username & password pairs. Attackers use credentials to bypass anti-spam and firewall devices and access users accounts. Once they were inside the company network, they can send phishing emails or compromise company systems/data. Note that attackers just need to gain access to only a few accounts, or just one admin account to compromise the system. According to OWASP report, these Attackers/hackers do money laundering, social security fraud, and identity theft, or disclose legally protected highly sensitive information.
Situation of Breached Credentials:
Usage of stolen credentials is reported as #1 reason in 2018 Verizon Data Breach Investigations Report with being the cause of 22% of all breaches in 2017. 6 out of 10 confirmed data breaches in 2016 leveraged weak or stolen passwords.
Simple Steps to Prevent Password Breaches:
- Use 2-Factor Authentication
- Change passwords at least in three months
- Create awareness among employees
- Ask employees to not use company credentials for their personal accounts (social media, online purchasing etc.). Research shows that nearly 75% of people are still using duplicate passwords across multiple systems
- To Use different passwords for different purposes like business, personal and banking
- Monitoring continuously of the cyber data leaks
We can see credential stuffing in OWASP – 2017 – Top 10 critical web application security risks report under the second most critical risk: Broken Authentication. According to OWASP – 2017 report, Attackers/hackers do money laundering, social security fraud, and identity theft, or disclose legally protected highly sensitive information.
Some High-Profile Breaches Caused:
LinkedIn Breach in 2012:
LinkedIn, the Social Networking Website was hacked in 2012 by Russian cyber criminals and they hacked around 65M user accounts & passwords. They posted the stolen credentials on a Russian forum, the next day after the LinkedIn was breached. Also in 2016, they found out that 100M email addresses and hashed passwords are claimed as an additional data along with breached credentials in 2012. LinkedIn was not sure whether the hackers were also able to steal email IDs associated with the compromised user accounts.
Adobe was hacked in October 2013, where the attackers had gotten access to IDs and encrypted passwords of 38 Million active users. After many weeks of research, adobe found out that the hacker had exposed customers IDs, Names, Passwords and Debit/Credit Card information.
Home Depot’s POS systems had been infected with Malware, which posed as Anti-Virus Software. Home Depot agreed to pay a minimum of 19.5 Million dollars to compensate. The settlement covered about 40M people, whose payment card data was stolen.
Breached Credentials cause a lot of damage every year to many companies. Continuous Monitoring is also required along with the above-mentioned preventive methods.