Understanding Credential Stuffing
Imagine your personal login details being swiped from one site, then used to break into your accounts elsewhere. Sounds intrusive, right?
So, if your account password has been breached, do you think you would know?
Some companies are good about reporting breaches and doing things to help their customers. Some... aren't. Yahoo and Uber have two of the worst stories about the failure to report breaches promptly.
Yahoo is famous for being the target of a series of data breaches.
They have had major data breaches in 2013, 2014, and 2016. In 2016, Verizon was negotiating a deal to buy Yahoo but had only learned of the 2014 breach two days before. The 2014 and 2016 breaches cost Yahoo’s owners $350 million in the sale.
Worse for users, Verizon revealed that Yahoo massively underestimated the impact of the 2013 breach. Yahoo previously stated that the breach affected 1 billion customers.
In September 2017 (four years after the breach), Verizon announced that the breach affected all 3 billion Yahoo accounts, a threefold increase. That means for four years, about 2 billion Yahoo accounts were breached and only the hackers knew about it.
Did you hear about the Uber breach when an attacker stole information about 20 million of Uber’s customers? If so, when did you hear about it? Right after it was discovered by Uber, right? Probably not. Uber discovered the breach in 2016 but didn’t reveal it until November 2017.
So, how did Uber handle the breach initially? They paid the hacker $100,000 to delete the stolen data (like that would happen) and keep the breach quiet. To conceal the payment, they claimed it was part of a bug bounty program where hackers are paid to identify and ethically report vulnerabilities.
The only reason that the breach was ever reported was that the former CEO was fired and the new CEO had some morals. Were there other Uber breaches that went unreported? Who knows?
So, maybe you don’t know if your personal information was revealed in a breach that was never reported. However, even if you were never the target of a breach, that doesn’t mean that a hacker can’t get into your account. If you have poor password security, there are several ways that an attacker can target you.
Past data breaches are great for hackers. Historical breaches provide them with a list of the most common passwords in use as well as combinations of usernames and passwords to try.
So what is the first thing that a hacker does with a data breach? Tries using this information to get into other common websites.
Many people have awful password security. They’ll use the same password for their email address, bank account, and that random website that they signed up for once and then forgot about.
Their email provider and the bank may have good security, but that other website? Maybe not so much. If that site gets breached, the first thing any hacker will do is try that email/password combo on other sites.
This means that they have access to your bank account (bad) and the email account that all of your password reset requests go to (really bad). Oops.
Even if you don’t reuse passwords, maybe you use a common one. Password breaches are a goldmine of common passwords that attackers can collect into lists for use in dictionary attacks. And if your password is on that list? Well, it may last a minute against a hacker (if you’re lucky).
Password reuse can be bad for you even if you never use a password that is revealed in a data breach. Ever gotten a phishing email? Ever fallen for a phishing email?
If an attacker can trick you into giving away your username and password in a phishing email, they’ll do the same thing that they’d do if they learned it in a data breach: try it on all of the most common accounts. And if you’ve reused your Amazon password for your email or bank account…
One of the cool and scary things that hackers can do to give themselves an edge at guessing your password is demographic analysis.
Say you’re a millennial. You probably grew up watching Harry Potter, Star Wars, Lord of the Rings, Star Trek, etc. Maybe you’re a huge fan and decided to base one of your passwords on one of them.
A hacker who can learn your age (easy) may target you with a special dictionary attack using words from one of these. While using a word in Elvish or Klingon may have seemed like a good idea at the time, it could end up costing you.
Sometimes, like if you were a victim of the Yahoo or Uber breaches, you can do everything right but still be breached and have no reason to think that your account is compromised.
However, in many cases, attackers take advantage of negligence to breach accounts. With a few simple steps, you can dramatically decrease the chances that a hacker can get into your account.
Using strong, unique passwords for every account is an essential part of strong password security. Passwords should be randomly generated and use capital and lowercase letters, numbers, and special characters.
If remembering a unique password for every account is too much work, try a password manager. It can remember, autofill, and generate strong passwords for you for every site. Just be sure to create a strong password for your password manager and memorize or securely store it.
With GDPR in effect, organizations with customers in the EU now have to comply with more stringent requirements on breach reporting. While many big breaches are reported in the news, it’s a good idea to check periodically to see if you were a victim of a less publicized breach.
Troy Hunt runs a great service at haveibeenpwned.com where you can type in your email address and see if it’s been involved in any breaches. He even offers a service where you can be notified if future breaches leak your information.
If you’ve been the victim of the breach, immediately change your password on that site (and any others where you used the same one).
A stolen password is of little use to an attacker if they don’t do anything with it. And taking advantage of a stolen password usually leaves signs.
If something seems wrong with one of your online accounts (like login attempts that weren’t you or unusual transaction activity), change your password immediately. Worst case, you’ve minorly inconvenienced yourself. Best case, you’ve just ruined a hacker’s day.
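The "signs" a stolen password leaves are also visible from the site operator's side: a credential-stuffing run shows up as one source trying many different usernames with a low success rate, which is the pattern an attacker produces when replaying email/password pairs from another site's breach. The following is an added example (not code from the original post or from The Cybermaniacs); the log format and the sample lines are constructed for illustration, and the thresholds are assumptions to tune per site.

```python
import re
from collections import defaultdict

# Constructed sample login log lines (made up for this example).
# 198.51.100.7 plays a credential-stuffing source: one attempt per user,
# many distinct users, mostly failures. The other sources are ordinary users.
SAMPLE_LOG = """\
2024-05-01T10:00:01Z src=198.51.100.7 user=alice result=FAIL
2024-05-01T10:00:02Z src=198.51.100.7 user=bob result=FAIL
2024-05-01T10:00:02Z src=198.51.100.7 user=carol result=FAIL
2024-05-01T10:00:03Z src=198.51.100.7 user=dave result=OK
2024-05-01T10:00:03Z src=198.51.100.7 user=erin result=FAIL
2024-05-01T10:00:04Z src=198.51.100.7 user=frank result=FAIL
2024-05-01T10:01:10Z src=203.0.113.5 user=bob result=FAIL
2024-05-01T10:01:40Z src=203.0.113.5 user=bob result=OK
2024-05-01T10:02:00Z src=192.0.2.9 user=carol result=OK
"""

LINE_RE = re.compile(r"src=(?P<src>\S+)\s+user=(?P<user>\S+)\s+result=(?P<result>OK|FAIL)")

def parse_log(text):
    """Yield (src, user, succeeded) for every line matching the assumed format."""
    for line in text.splitlines():
        m = LINE_RE.search(line)
        if m:
            yield m["src"], m["user"], m["result"] == "OK"

def find_stuffing_sources(text, min_users=5, max_success_rate=0.2):
    """Flag sources spraying many distinct usernames with a low success rate.

    A legitimate user mistyping their own password never reaches min_users, and
    a brute force against a single account does not either (different signal).
    Successful logins from a flagged source are the reused passwords to reset.
    """
    stats = defaultdict(lambda: {"users": set(), "attempts": 0, "hits": set()})
    for src, user, ok in parse_log(text):
        s = stats[src]
        s["users"].add(user)
        s["attempts"] += 1
        if ok:
            s["hits"].add(user)
    flagged = {}
    for src, s in stats.items():
        rate = len(s["hits"]) / s["attempts"]
        if len(s["users"]) >= min_users and rate <= max_success_rate:
            flagged[src] = {"distinct_users": len(s["users"]), "attempts": s["attempts"],
                            "success_rate": round(rate, 3),
                            "compromised_accounts": sorted(s["hits"])}
    return flagged
```

On the constructed log this flags only 198.51.100.7 and reports `dave` as the account whose reused password worked, which is exactly the account that needs a forced reset and a notification.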