National Cybersecurity Awareness Month - Passwords and Credential Stuffing

Oct 1, 2020, 05:00 AM

Join us all month long as we help our members #BeCyberSmart during National Cybersecurity Awareness Month.

Do you ever reuse the same username and password for multiple apps and websites? Although this may seem easy and convenient, the truth is that you may be at risk of a potential cyber threat called credential stuffing.

A study conducted by Google showed that 65% of the 3,000 people surveyed reused the same password on different accounts. This common practice can leave your accounts exposed to a potential attack.

What is credential stuffing?

Credential stuffing is a cyber-attack that exploits the habit of people using the same login credentials for multiple sites: username / password pairs acquired from a breach of one site are tested against other sites. Here’s how credential stuffing works:

  • The attacker obtains usernames and passwords from a website or database breach
  • The attacker uses a specialized account checker tool to test the stolen credentials against various services and applications (e.g. Instagram, Twitter, Facebook, Gmail, Hughes Federal Credit Union Online Banking, Netflix, etc.)
  • After a successful login attempt, the attacker scrapes the stolen account for sensitive information like credit card numbers and other personally identifiable information
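One way a service can spot the pattern described above, as an added example that is not part of the original post (the log format and the IP addresses are constructed): a legitimate user who mistypes a password retries the same username, whereas credential stuffing tries many different usernames from one source in a short time, mostly failing.

```python
from collections import defaultdict
from datetime import datetime

# Constructed sample authentication log lines (not from the original post):
# timestamp, source IP, username, result
SAMPLE_LOG = """\
2020-10-01T08:00:01 203.0.113.7 alice FAIL
2020-10-01T08:00:02 203.0.113.7 bob FAIL
2020-10-01T08:00:02 203.0.113.7 carol FAIL
2020-10-01T08:00:03 203.0.113.7 dave FAIL
2020-10-01T08:00:03 203.0.113.7 erin SUCCESS
2020-10-01T08:00:04 203.0.113.7 frank FAIL
2020-10-01T08:05:00 198.51.100.5 alice FAIL
2020-10-01T08:05:30 198.51.100.5 alice FAIL
2020-10-01T08:06:00 198.51.100.5 alice SUCCESS
"""

def parse_log(text):
    """Parse the constructed log format into (time, ip, user, result) tuples."""
    events = []
    for line in text.splitlines():
        ts, ip, user, result = line.split()
        events.append((datetime.fromisoformat(ts), ip, user, result))
    return events

def detect_credential_stuffing(events, min_distinct_users=5,
                               min_fail_ratio=0.7, window_seconds=60):
    """Return {ip: summary} for sources that look like credential stuffing:
    many *different* usernames tried from one IP inside a short window,
    mostly failing. Reports the first window that trips the rule."""
    by_ip = defaultdict(list)
    for ev in events:
        by_ip[ev[1]].append(ev)
    findings = {}
    for ip, evs in by_ip.items():
        evs.sort()
        start = 0
        for end in range(len(evs)):
            # slide the window start forward until it spans <= window_seconds
            while (evs[end][0] - evs[start][0]).total_seconds() > window_seconds:
                start += 1
            window = evs[start:end + 1]
            users = {e[2] for e in window}
            fails = sum(1 for e in window if e[3] == "FAIL")
            if len(users) >= min_distinct_users and fails / len(window) >= min_fail_ratio:
                findings[ip] = {
                    "distinct_users": len(users),
                    "attempts": len(window),
                    "fail_ratio": round(fails / len(window), 2),
                    # a success inside a stuffing burst is the likely account takeover
                    "compromised": sorted(e[2] for e in window if e[3] == "SUCCESS"),
                }
                break
    return findings
```

Accounts listed under "compromised" are the ones to force a password reset and MFA re-enrolment on; the thresholds are starting points to tune against your own traffic.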

Many of your favorite companies and services have been targeted by credential stuffing in the past. Within hours of the launch of Disney+, many customers fell victim. Attackers were able to test massive volumes of previously stolen usernames and passwords on the Disney+ streaming site. Compromised Disney+ account credentials were then put up for sale on dark web markets. Dunkin’ Donuts also experienced similar attacks. However, these attackers were not targeting personal information. They were after the loyalty program: reward points, stored-value cards and perks. They did this twice, rudely using victims’ accounts for free coffee and doughnuts.

What happens when attackers are after more than just your streaming account and coffee? What if they want access to your life savings, credit cards and investments?

Understanding the threat and protecting your account is key to ensuring you don’t become a victim. Here are some successful methods to prevent and secure your accounts from credential stuffing:

  • Use multi-factor authentication (MFA) - MFA acts as an extra layer of security that authenticates the user trying to gain access to an account. This can be through a text message confirmation code, a token code provided by an application, or a biometric identifier like a fingerprint. According to the National Institute of Standards and Technology (NIST), MFA will greatly reduce the likelihood of your credentials being stolen. The more layers, the better!
  • Practice good password hygiene - Creating a strong password requires a bit of creativity. Every password should be different from the last, and longer than 8 characters, with a mixture of uppercase letters, numbers, and symbols. For example, instead of “ilovecheckingplus” use “!Lov3Ch3ck!ng-Plvz.”