When, not if, you get hacked, it’s easy to think cyber criminals used some high-tech program or code to gain access to your accounts. The truth, however, is that data breaches aren’t always that sophisticated, and all that’s required is a little trial and error. The tactic is known as credential stuffing, and it’s becoming a common tool for cyber criminals all over the world.

Credential stuffing attacks are carried out by using stolen usernames and passwords collected from previous data breaches across multiple platforms and websites. These attacks take advantage of the fact that many people use the same usernames and passwords for multiple accounts. For example, a hacker may have purchased your Google username and password from the dark web. Assuming that you use the same password for multiple accounts, the hacker would test these credentials on other platforms (e.g., banking, Netflix, social media websites, etc.). By using botnets (groups of computers tasked with various commands), cyber criminals are able to carry out these attacks at alarming speed and scale.
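Because a stuffing campaign tries many different usernames from the same source in a short time and fails most of them, it leaves a pattern in authentication logs that a legitimate user retrying their own account does not. The following detection example is added here for illustration and is not code from the original article; the log line format, the sample lines, the source addresses and the thresholds are all constructed assumptions.

```python
"""Flag credential-stuffing sources in an authentication log.

Editor-added example, not part of the original article. The log format
below ("<ISO timestamp> ip=<src> user=<login> result=<ok|fail>"), the
sample lines and the thresholds are constructed assumptions.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log: one source tries six different accounts in a few
# seconds (one succeeds), another source is a real user retrying their own login.
SAMPLE_LOG = """\
2024-05-01T10:00:00 ip=203.0.113.7 user=alice result=fail
2024-05-01T10:00:01 ip=203.0.113.7 user=bob result=fail
2024-05-01T10:00:01 ip=203.0.113.7 user=carol result=fail
2024-05-01T10:00:02 ip=203.0.113.7 user=dave result=ok
2024-05-01T10:00:02 ip=203.0.113.7 user=erin result=fail
2024-05-01T10:00:03 ip=203.0.113.7 user=frank result=fail
2024-05-01T10:00:40 ip=198.51.100.5 user=alice result=fail
2024-05-01T10:00:55 ip=198.51.100.5 user=alice result=ok
2024-05-01T10:30:00 ip=203.0.113.7 user=grace result=fail
"""


def parse_line(line):
    """Parse one log line into a dict; return None for malformed lines."""
    parts = line.split()
    if len(parts) != 4:
        return None
    try:
        ts = datetime.fromisoformat(parts[0])
        fields = dict(p.split("=", 1) for p in parts[1:])
        return {"ts": ts, "ip": fields["ip"], "user": fields["user"],
                "ok": fields["result"] == "ok"}
    except (ValueError, KeyError):
        return None


def _events(log_text):
    return [e for e in (parse_line(ln) for ln in log_text.splitlines()) if e]


def find_stuffing_sources(log_text, window=timedelta(minutes=5),
                          min_users=5, min_fail_ratio=0.6):
    """Return {ip: {"users", "attempts", "failures"}} for every source that,
    within some sliding time window, tried at least `min_users` distinct
    usernames with a failure ratio of at least `min_fail_ratio`.
    A single user retrying their own password never reaches min_users."""
    by_ip = defaultdict(list)
    for e in _events(log_text):
        by_ip[e["ip"]].append(e)
    flagged = {}
    for ip, evs in by_ip.items():
        evs.sort(key=lambda e: e["ts"])
        start = 0
        for end in range(len(evs)):
            # Slide the window start forward so evs[start:end+1] spans <= window.
            while evs[end]["ts"] - evs[start]["ts"] > window:
                start += 1
            win = evs[start:end + 1]
            users = {e["user"] for e in win}
            failures = sum(1 for e in win if not e["ok"])
            if len(users) >= min_users and failures / len(win) >= min_fail_ratio:
                prev = flagged.get(ip)
                if prev is None or len(users) > prev["users"]:
                    flagged[ip] = {"users": len(users), "attempts": len(win),
                                   "failures": failures}
    return flagged


def accounts_to_review(log_text, flagged):
    """Usernames that authenticated successfully from a flagged source.
    These are the accounts whose reused password evidently worked, so they
    are the candidates for a forced reset and a two-factor check."""
    return sorted({e["user"] for e in _events(log_text)
                   if e["ip"] in flagged and e["ok"]})


if __name__ == "__main__":
    hits = find_stuffing_sources(SAMPLE_LOG)
    print("flagged sources:", hits)
    print("accounts to review:", accounts_to_review(SAMPLE_LOG, hits))
```

The sliding window matters: a botnet that spreads its attempts across many source addresses will show fewer usernames per address, so in practice the same logic is also run with the user-agent or an ASN as the grouping key, and thresholds are tuned against a baseline of normal failed-login volume before alerts are turned on.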

Credential stuffing can affect everyone, from individual users to the biggest companies. In fact, the recent CRA data breach that impacted approximately 14,500 users was largely carried out using credential stuffing (https://www.cbc.ca/news/politics/canada-revenue-agency-cra-cyberattack-1.5688163). Thankfully, because credential stuffing relies on victims having the same password for multiple accounts, there are some simple ways to protect yourself:

* Avoid using the same password for multiple accounts-It’s important to change your passwords often and never use the same password for more than one account.

* Use two-factor authentication wherever possible-While complex passwords can deter cyber criminals, they can still be cracked. To prevent cyber criminals from gaining access to your accounts, two-factor authentication is key. Through this method, users must confirm their identity by providing extra information (e.g., a phone number or unique security code) when attempting to access corporate or personal applications, networks and servers. This additional login hurdle means that would-be cyber criminals won’t easily unlock an account, even if they have the password in hand.

* Create strong password policies-For employers, ongoing password management can help prevent attackers from compromising your organization’s password-protected information. You’ll want to create a password policy that requires employees to change their password on a regular basis, avoid using the same password for multiple accounts and use special characters. Long passphrases are becoming increasingly popular as well, and may be a good option for your organization.

* Provide security training-Even the most robust and expensive data protection solutions can be compromised should an employee click a malicious link or download fraudulent software. As such, it’s critical for organizations to thoroughly train personnel on common cyber threats and how to respond. Your employees should also know your cyber security policies and know how to report suspicious activity.
