Major Data Breaches & Credential Stuffing: What You Need To Know
As crafty and sophisticated as hackers’ use of technology has become, and as common as major breaches seem to be, the good news about credential stuffing is that we have the solution.
It seems that large commercial database breaches come along with disturbing regularity these days. However, both the frequency and the size of these breaches seem to make people feel less alarmed than perhaps they should. One of the things that’s difficult for individuals to imagine is how hackers can actually make use of the vast amount of name and password data they steal.
“Credential stuffing” is the technique that’s used to take vast amounts of leaked data and use it to gain entry to sites that can provide immediate financial rewards, or future leverage for blackmail or other techniques.
How Credential Stuffing Works
“The process begins with data, usually leaked from large, corporate breaches. But it’s important to note that there’s also a rapidly-growing secondary market for this data,” says PSafe’s Director of Cybersecurity at dfndr lab, Emilio Simoni. “Now there are even mega-collections — huge aggregations of breached data, that are being re-sold or offered for free downloads on dark web marketplaces. Some of these have hundreds of millions of password username combinations.”
To bypass website security protocols, hackers use tools designed to make attempts appear to be coming from a wide variety of different IP addresses, and simply storm as many commercial sites as they can (where credit card or bank account information, for example, might be stored). “They may be successful as few as 0.1% of attempts,” Simoni explains, “but when they’re working with hundreds of millions of identity assets, the math works out in their favor.”
Once the hackers have gained entry, they can take over the account and make use of it, either by using financial resources, or stealing more personal data to use in subsequent attacks.
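For site operators, the pattern described above (attempts spread across many IP addresses with a very low success rate) is why per-IP lockouts miss these attacks while a site-wide view catches them. The following detection sketch is an added example, not from PSafe or dfndr lab; the event format, the thresholds and the sample data are assumptions constructed for illustration.

```python
from collections import defaultdict

def build_sample():
    """Constructed login events: (minute, source_ip, username, success)."""
    events = [(0, f"198.51.100.{i}", f"user{i}", True) for i in range(20)]
    events.append((0, "198.51.100.3", "user3", False))  # one ordinary typo
    # Minute 1: 1000 attempts, each from a new IP with a new username,
    # exactly one success (the 0.1% rate quoted in the article).
    for i in range(1000):
        events.append((1, f"10.{i // 250}.{i % 250}.7", f"leaked{i}", i == 500))
    return events

def per_ip_alerts(events, max_failures_per_ip=5):
    """Classic per-IP lockout: minutes in which any single IP exceeds the limit."""
    fails = defaultdict(int)
    for minute, ip, _user, ok in events:
        if not ok:
            fails[(minute, ip)] += 1
    return sorted({m for (m, _ip), n in fails.items() if n > max_failures_per_ip})

def aggregate_alerts(events, min_attempts=100, max_success=0.05, min_user_ratio=0.9):
    """Site-wide view: many attempts, almost all failing, almost all distinct users."""
    windows = defaultdict(lambda: {"n": 0, "ok": 0, "users": set()})
    for minute, _ip, user, ok in events:
        w = windows[minute]
        w["n"] += 1
        w["ok"] += ok
        w["users"].add(user)
    flagged = []
    for minute, w in sorted(windows.items()):
        if w["n"] < min_attempts:
            continue  # too little traffic to judge (assumed threshold)
        if w["ok"] / w["n"] <= max_success and len(w["users"]) / w["n"] >= min_user_ratio:
            flagged.append(minute)
    return flagged

def accounts_to_review(events, flagged_minutes):
    """Logins that succeeded inside a flagged window: candidates for a forced reset."""
    return sorted({u for m, _ip, u, ok in events if ok and m in flagged_minutes})

if __name__ == "__main__":
    ev = build_sample()
    print("per-IP alerts:", per_ip_alerts(ev))
    flagged = aggregate_alerts(ev)
    print("aggregate alerts:", flagged, accounts_to_review(ev, flagged))
```

On the constructed data the per-IP rule stays silent because no address fails more than once, while the aggregate rule flags the wave and surfaces the one account that was actually entered.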
How To Protect Yourself
As crafty and sophisticated as hackers’ use of technology has become, and as common as major breaches seem to be, the good news about credential stuffing is that it’s relatively easy to protect yourself from damage. “We recommend three fundamental steps to all of our customers,” says Simoni, “practice good password hygiene; use two factor authentication whenever possible, and protect yourself with a solid ID Theft prevention solution.”
Password Hygiene: Never use the same password for more than one site. You can use many free services to generate strong passwords for you, and make sure that your passwords are kept up to date on every site. This way, if a social site gets hacked, your password for your bank account isn’t in danger.
Two Factor Authentication: Most financial and major social sites now offer two-factor authentication (usually with an option to send a code via text to your phone). Use these protocols whenever they’re available.
ID Theft Protection: “Having an early warning system for identity thefts and data breaches is a great way to stay ahead of hackers,” Simoni explains. “This is why our dfndr PRO product offers a feature that allows you to scan globally to see if your data has been breached, and lets you know where and when if it does discover a breach.”
With breaches occurring with increasing frequency, perhaps the way to stay ahead of the hacker-security cat-and-mouse game is to have a searchlight ability to know the status of your personal data at any time. With dfndr installed on your phone, you have one free ID Theft scan, so you can test it now if you like. dfndr security PRO also has other important safety features, like a Safe App Scanner to protect you from malicious (data stealing) apps, and Anti-Theft features that help you locate and control your mobile device if it gets lost or stolen.
In the meantime, make sure you have strong passwords, and different passwords on every site, and deploy two-factor authentication wherever you can. At PSafe, we’ll continue to keep you apprised of the many ways hackers are trying to make your life miserable — and the best ways you can return the favor!