“97% of the world’s largest 1,000 organizations had their credentials exposed in 2016,” reports Digital Shadows, a Delaware-based company that monitors digital risks to organizations, including cyber threats, data leakage, and reputational risks. The technique used to sniff the credentials is called credential stuffing.
“Credential stuffing is the automated injection of breached username/password pairs in order to fraudulently gain access to user accounts,” defines OWASP Foundation.
The notorious hackers use credential stuffing software like Account Hitman or Sentry Hitman to automatically enter spilled credentials (usernames and passwords) into websites. Categorized as a ‘brute force method’ of account takeover, credential stuffing is mostly fueled by large-scale credential breaches which are then published as lists, such as Anti-Public Combo List, or uploaded for sale on the dark web as in case of Zomato, a restaurant app that was hacked resulting in 17M users’ data being stolen.
Recent Incidents of Data Breaches & Credential Lists
“There are readily available tools and credential lists that enable anyone to try their hand at credential stuffing,” wrote Troy Hunt, an online security expert and the creator of breach notification site Have I Been Pawned. Credential lists, popularly known as ‘Combo Lists‘ are records of usernames and passwords that have been compromised. The records originate from hacked databases. A recent example is the Font sharing site DaFont that got hacked, exposing thousands of accounts, reports Zack Whittaker of ZDNet. “98 percent of the passwords were cracked, thanks to the site’s poor password security,” added Whittaker.
Another hacking incident involved 2.2M email addresses of Bell Canada being exposed this week.
— Have I been pwned? (@haveibeenpwned) May 16, 2017
— Have I been pwned? (@haveibeenpwned) April 30, 2017
How The Attack Takes Place?
The credential stuffing hackers usually buy the compromised data from credential and password dumping sites. The spilled usernames and passwords are sold in the form of packages. One such package can be bought for “$2,999 to obtain 3,825,302,948 credentials from 1,074 databases,” revealed The Digital Shadows.
Stolen credentials are tested using an account checker. Successful attempt results in hackers taking over the account (whether it’s a social media account) stealing users’ credit card information or carrying out other illegal activities.
Website Manager’s Responsibility
While it’s easy to blame end users for using dictionary words as passwords or reusing passwords on multiple accounts, there’s more to the story of hacked and compromised databases.
DaFont, whose 699,464 user accounts were stolen in a recent breach is a textbook case of poor password security by the site storing the user data. DaFont used deprecated algorithms to scramble user passwords. The database was so easy to hack that it was already being traded online before the reported breach. One might think that the site did not store any sensitive information (credit card, or other personal information) which is good. However, once DaFont’s database is dumped online, hackers can get to work by purchasing the list of DaFont’s compromised user accounts, and use it stuff credentials on other sites.
What to do about it?
Adopt safer passwords habits: First and foremost, avoid six-character lowercase dictionary words that are dead simple to crack even by the standards of an amateur hacker. Same goes for 12 character dictionary words. Create sophisticated passwords having numbers, lower and uppercase letters, special characters, and using space as a password character.
Avoid reusing passwords. All of us have been guilty of coming up with a good password and then reusing it across multiple websites. That’s an invitation to hackers to crack one of our accounts and get a few more as a bonus. No one can remember multiple passwords. Use password managers that allow sophisticated security measures.
The websites storing user credentials should adopt stringent password requirements. Web applications can also build firewalls capable of identifying credential stuffing. Another option is to disallow email address as username.
The Counter Argument
A recently published draft by National Institute of Standards and Technology’s (NIST’s) proposes some different measures. It highlights that periodic password change requirements and arbitrary password complexity requirements are counterproductive when it comes to online security and privacy. Ryan Francis of CSO sums up NIST’s new recommendations as follows:
- Screen new passwords against lists of commonly used or compromised passwords
- Allow the full ASCII and Unicode key spaces within passwords
Whether you register at Have I Been Pawned to constantly check if your credentials have been compromised ever, or you adopt measures such as not reusing passwords across multiple sites, using a password manager, and having stronger passwords, it is important to be vigilant about your online security and privacy of your data. Not every other website is worth giving your email and other data. Use Antivirus and Anti-Malware software and adopt the proposed baseline measures.