Headline writers love data breaches. As explained last month, they pit hackers versus security professionals in a good versus evil stand-off that makes for a great story. But there’s way more to the threat landscape than breaches. Increasingly we’re seeing a whole new category of follow-on attacks using the breached log-in records currently flooding the dark web in their millions.
Credential stuffing leads the pack, and IT leaders should be concerned. It’s estimated to cost US firms alone over $5bn annually and has already affected some big-name brands this year, including Nest, Dunkin’ Donuts, Dailymotion and OkCupid.
Brutal account takeovers
Credential stuffing is a kind of brute-force attack which uses automated tools to try large volumes of stolen log-in data simultaneously across multiple sites until one works. It relies upon the fact that many organisations still allow customers and employees to use password-only log-ins, and the fact that these users have so many to manage that they resort to sharing credentials across multiple sites and accounts. One company estimates that the average employee today has to manage over 190 passwords.
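As an added illustration (not code from the article), here is a small Python detector that picks out the credential-stuffing shape the paragraph describes, one source trying many different accounts roughly once each with mostly failures, and leaves alone an ordinary user who mistypes their own password. The log format, field names and thresholds are assumptions, and the log lines are constructed.

```python
import re
from collections import defaultdict

# Constructed sample authentication log (not from the article): one source sprays
# many accounts with one try each, another is a real user mistyping their password.
SAMPLE_LOG = """\
2024-03-01T10:00:01Z src=203.0.113.5 user=alice result=FAIL
2024-03-01T10:00:02Z src=203.0.113.5 user=bob result=FAIL
2024-03-01T10:00:02Z src=203.0.113.5 user=carol result=FAIL
2024-03-01T10:00:03Z src=203.0.113.5 user=dave result=FAIL
2024-03-01T10:00:03Z src=203.0.113.5 user=erin result=FAIL
2024-03-01T10:00:04Z src=203.0.113.5 user=grace result=OK
2024-03-01T10:05:00Z src=198.51.100.9 user=alice result=FAIL
2024-03-01T10:05:20Z src=198.51.100.9 user=alice result=FAIL
2024-03-01T10:05:45Z src=198.51.100.9 user=alice result=OK
2024-03-01T10:07:00Z src=192.0.2.77 user=bob result=OK
"""

LINE_RE = re.compile(r"^\S+ src=(?P<src>\S+) user=(?P<user>\S+) result=(?P<result>OK|FAIL)$")


def parse_log(text):
    """Yield one dict per well-formed line; malformed lines are skipped."""
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            yield m.groupdict()


def find_stuffing_sources(events, min_attempts=5, min_users=4, min_fail_ratio=0.75):
    """Flag sources whose login pattern looks like credential stuffing: brute force
    is one account and many passwords; stuffing is many accounts with about one try
    each, mostly failing with the occasional hit. Thresholds are hypothetical
    starting points to tune against real traffic."""
    per_src = defaultdict(lambda: {"attempts": 0, "fails": 0, "users": set(), "hits": set()})
    for ev in events:
        s = per_src[ev["src"]]
        s["attempts"] += 1
        s["users"].add(ev["user"])
        if ev["result"] == "FAIL":
            s["fails"] += 1
        else:
            s["hits"].add(ev["user"])  # accounts the source actually got into
    flagged = []
    for src, s in per_src.items():
        ratio = s["fails"] / s["attempts"]
        if s["attempts"] >= min_attempts and len(s["users"]) >= min_users and ratio >= min_fail_ratio:
            # "hits" are the accounts to force a password reset on and notify.
            flagged.append({"src": src, "attempts": s["attempts"], "users": len(s["users"]),
                            "fail_ratio": round(ratio, 2), "hits": sorted(s["hits"])})
    return flagged
```

Per-source counting is only a first line of defence, since a stuffing campaign spread across many addresses stays under any single-source threshold; the structural fix the article points to is moving accounts off password-only log-ins.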
Phil Muncaster is a technology writer and editor with over 12 years’ experience working on some of the biggest technology titles around, including Computing, The Register, V3 and MIT Technology Review. He spent over two years in Hong Kong immersed in the Asian tech scene and is now back in London where information security has become a major focus for his work.