JS Business Solutions Blog
Credential Stuffing and How It Can Lead to a Data Breach
Right now, many people have far more time on their hands than they typically would, so they are spending much of it on assorted streaming services to entertain themselves. Unfortunately, cybercriminals have taken note. In light of all this, it seems like an apt time to discuss a particular threat known as credential stuffing.
What is Credential Stuffing?
Credential stuffing is another means that cybercriminals can use to access your accounts. It also just so happens to be the exact reason that we recommend that you use a unique set of access credentials for each account you hold.
What is credential stuffing? Well, let’s say that Bob used a single password for all his online accounts—social media, online shopping, banking and finance, even his work password. However, unbeknownst to Bob, one of his social media accounts was made vulnerable in a data breach. As a result, any Tom, Dick, or Hacker who now has the spoils of that data breach can go and start plugging Bob’s username and password into other sites to see if they work.
This is credential stuffing, as the same credential pair is stuffed into different accounts to see if there is a match. Unfortunately, in Bob’s case, there will be… and the hacker will then be able to access his finances and work accounts.
The Current Situation
Not long ago, platform service provider Akamai compiled a report of data they had collected from 2018 and 2019 to present to the media industry. However, just before they were to release it, the COVID-19 pandemic reared its head and postponed their release. As a result, Akamai was able to collect more data to show how these trends were affected by the pandemic… and what an effect it was.
The prevalence of credential stuffing leapt up as the coronavirus spread. In the graphs compiled from Akamai’s data, the scale exploded: graphs that once depicted a scale covering the tens of millions suddenly needed to be spaced out by the hundreds of millions. Amid Europe’s lockdown, an unnamed video media service was targeted by over 354 million malicious login attempts on March 26 alone. The whole of March saw over 6 billion such attempts in total.
There are also some telling insights about the scale of these attacks to be seen in the economics of cybercrime. At the start of Q1 2020, researchers observed prices for video media accounts ranging between one and five dollars, with bundled services netting cybercriminals anywhere from $10 to $45 a pop. By the end of the quarter, the sudden influx of available accounts caused these prices to take a nosedive.
Why This is Important
This should all serve as a very effective case study in why you shouldn’t recycle your credentials across different accounts.
“Come on, why would anyone hack into my stuff?”
This thought has probably crossed your mind at some point, likely as you signed up for a new account with something. “Sheesh, I’m not that important. Do I really need such a secure account? It isn’t like anyone cares enough to hack me, right?”
Plus, there’s no denying that one password is easier to remember than however many we’re supposed to have.
This has resulted in many people recycling their access credentials across different platforms and services, which is why credential stuffing is as big a problem as it is. Fine, it may not be such a huge deal that someone’s skimming off of your Hulu subscription… but it is much different to have someone skimming off your bank account, isn’t it? If your work accounts were to be hijacked, that’s an even bigger can of worms that you don’t want opened.
So, what can be done?
The first thing that you need to do is to review all of your accounts and ensure that they each have a unique and secure password. Here at JS Business Solutions, our recommendation is that your passwords comply with certain requirements to make sure they are effective:
- Lots of characters
- A diverse mix of letters, numbers, and symbols
- No personally identifiable details (like your pet’s name, hobbies, etc.)
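The account review described above can be run as a small audit over a password-manager export. This is an added example, not code from JS Business Solutions; the vault entries are constructed, and the 14-character minimum and the list of personal details are assumptions chosen for illustration.

```python
import string
from collections import defaultdict

# Constructed sample of a password-manager export: (account, password).
SAMPLE_VAULT = [
    ("social-media", "Fluffy2012"),
    ("online-shop", "Fluffy2012"),
    ("bank", "Fluffy2012"),
    ("work", "bobsmith"),
    ("streaming", "x9#Lq!7vTz@4mRw2"),
]
PERSONAL_DETAILS = ["fluffy", "bob"]  # assumed: pet's name, first name
MIN_LENGTH = 14                       # assumed cut-off for "lots of characters"

def reused_passwords(vault):
    """Return groups of accounts sharing one password (the stuffing risk)."""
    by_password = defaultdict(list)
    for account, password in vault:
        by_password[password].append(account)
    return sorted(sorted(a) for a in by_password.values() if len(a) > 1)

def weaknesses(password, personal_details=PERSONAL_DETAILS):
    """Check one password against the three requirements in the list above."""
    issues = []
    if len(password) < MIN_LENGTH:
        issues.append("too short")
    classes = [
        any(c.isalpha() for c in password),
        any(c.isdigit() for c in password),
        any(c in string.punctuation for c in password),
    ]
    if not all(classes):
        issues.append("no mix of letters, numbers and symbols")
    if any(d.lower() in password.lower() for d in personal_details):
        issues.append("contains personal detail")
    return issues

def audit(vault):
    """Map each account to its issues, adding 'reused' where it applies."""
    reused = {a for group in reused_passwords(vault) for a in group}
    return {a: weaknesses(p) + (["reused"] if a in reused else [])
            for a, p in vault}

if __name__ == "__main__":
    # Report issues per account; the passwords themselves are never printed.
    for account, issues in audit(SAMPLE_VAULT).items():
        print(f"{account:14} {', '.join(issues) or 'ok'}")
```

Any account marked "reused" is one that a breach of another account in the same group would expose.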
A passphrase is another option to consider. A passphrase takes multiple random words and strings them together. So, instead of something easily guessable, like “password”, you have something like “PortionHutHenConcreteThesis.”
This creates a passphrase that is very memorable, yet effectively impossible to crack.
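A passphrase is only as strong as the randomness behind it, which the following added example (not from the original post) makes measurable. The 32-word list is a constructed sample that is far too small for real use; the function names are illustrative, and the 7,776-word figure is the size of the EFF large Diceware list.

```python
import math
import secrets

# Constructed 32-word sample list (5 bits per word). Real use needs a much
# larger list, such as the 7,776-word EFF large Diceware list.
SAMPLE_WORDS = (
    "portion hut hen concrete thesis anchor barrel candle dolphin ember "
    "falcon garden harbor island jacket kettle lantern meadow nectar orbit "
    "pepper quartz ribbon saddle timber umbrella velvet walnut yonder "
    "zipper bamboo cactus"
).split()


def generate_passphrase(words, n_words=5):
    """Pick n_words uniformly at random with a CSPRNG and join them."""
    return "".join(secrets.choice(words).capitalize() for _ in range(n_words))


def entropy_bits(list_size, n_words):
    """Entropy of a passphrase whose words are chosen uniformly at random."""
    return n_words * math.log2(list_size)


def words_needed(list_size, target_bits):
    """Smallest number of words that reaches the target entropy."""
    return math.ceil(target_bits / math.log2(list_size))


if __name__ == "__main__":
    size = len(set(SAMPLE_WORDS))
    print("sample passphrase:", generate_passphrase(SAMPLE_WORDS))
    print(f"5 words from {size}-word list: {entropy_bits(size, 5):.1f} bits")
    print(f"5 words from 7776-word list: {entropy_bits(7776, 5):.1f} bits")
    print("words for 80 bits (7776-word list):", words_needed(7776, 80))
```

The entropy figure holds only when the words are drawn at random; words a person picks for themselves are far more predictable.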
Of course, with the number of accounts that we all have today, all of these passwords/passphrases can be challenging to keep track of. That’s why we recommend the use of a password manager. With the help of a password manager, your passwords can be saved in an encrypted vault for your on-demand use.
At JS Business Solutions, we understand the importance of true data security, and can help your business accomplish more, more securely, with our IT services. Learn more about what we have to offer by calling our team at (781) 715-1900.