Credential Stuffing: Capitalising On Your Employees’ Crappy Passwords
14 May 2018 00:00
From first names and DOBs right through to family pets, your company will no doubt have its fair share of terrible passwords. But, as cyber criminals take advantage of large-scale automated "credential stuffing" attacks, we're not the only ones laughing.
The risk of your password hygiene stinking
It’s no secret that most of us have a habit of creating crappy passwords. Even with constant reminders about ‘password complexity’, it’s all too common for an employee to change their “jacob89” password to “Jacob89!” in the belief that, because it now ticks the capital letter, special character and number boxes, it’ll do. The complexity rule is satisfied; the password is still a first name and a year with one predictable tweak.
It’s also no secret that, as creatures of habit, we recycle these passwords across any number of websites for the immediate convenience of not having to scrape the bottom of our brains every time we log in somewhere.
But the (very realistic) risk of just one of those websites being compromised can have some very inconvenient repercussions for your business. How? Two words: credential stuffing.
How does credential stuffing work?
So, one of your employees has used their work email address and password to sign up for a third-party website… a website that, unfortunately for you, has just been compromised. This incredibly common situation is exactly what credential stuffing was crafted to exploit.
In short, this type of attack takes account credentials stolen from one site (usernames, email addresses and passwords) and replays them, through large-scale automated login requests, against a completely different targeted web application, in the hope that a handful of those reused credentials will open doors. The attack needs no vulnerability in the target at all; it relies purely on people using the same password in more than one place.
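To make the mechanics concrete from the defender's side, here is an added example (not code from the original article) that looks for this behaviour in a web application's login log. The log format, the thresholds and the sample lines are all assumptions made for the example; the signal it relies on is the one described above: a real user who mistypes retries the same username, while a stuffing bot walks through a list of different usernames and fails nearly every time.

```python
"""Spot credential-stuffing traffic in login logs.

Heuristic used here (an assumption for this example, not a standard):
a single source address that tries many DIFFERENT usernames inside a short
window, with almost no successes, is replaying a leaked credential list.
A legitimate user who mistypes retries the SAME username.
"""
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample log lines (not real traffic). Assumed format:
# <ISO timestamp> <client IP> <username> <OK|FAIL>
SAMPLE_LOG = """\
2018-05-14T09:00:00Z 198.51.100.23 jacob89@corp.example FAIL
2018-05-14T09:00:20Z 198.51.100.23 jacob89@corp.example OK
2018-05-14T09:01:00Z 203.0.113.7 alice@corp.example FAIL
2018-05-14T09:01:01Z 203.0.113.7 bob@corp.example FAIL
2018-05-14T09:01:02Z 203.0.113.7 carol@corp.example OK
2018-05-14T09:01:03Z 203.0.113.7 dave@corp.example FAIL
2018-05-14T09:01:04Z 203.0.113.7 erin@corp.example FAIL
2018-05-14T09:01:05Z 203.0.113.7 frank@corp.example FAIL
2018-05-14T09:01:06Z 203.0.113.7 grace@corp.example FAIL
2018-05-14T09:01:07Z 203.0.113.7 heidi@corp.example FAIL
2018-05-14T09:01:08Z 203.0.113.7 ivan@corp.example FAIL
2018-05-14T09:01:09Z 203.0.113.7 judy@corp.example FAIL
2018-05-14T09:30:00Z 192.0.2.55 mallory@corp.example FAIL
2018-05-14T09:30:05Z 192.0.2.55 mallory@corp.example FAIL
2018-05-14T09:30:09Z 192.0.2.55 mallory@corp.example OK
"""


def parse_line(line):
    """Split one log line into (timestamp, ip, username, succeeded)."""
    ts, ip, user, outcome = line.split()
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), ip, user, outcome == "OK"


def detect_stuffing(log_text, window=timedelta(minutes=5),
                    min_distinct_users=8, max_success_rate=0.2):
    """Return {ip: stats} for every source IP that, within any `window`,
    targeted at least `min_distinct_users` different accounts while
    succeeding on at most `max_success_rate` of its attempts.

    Thresholds are illustrative; tune them against your own baseline.
    """
    events = sorted(parse_line(l) for l in log_text.splitlines() if l.strip())
    recent = defaultdict(deque)          # ip -> sliding window of attempts
    flagged = {}
    for ts, ip, user, ok in events:
        q = recent[ip]
        q.append((ts, user, ok))
        while ts - q[0][0] > window:     # drop attempts older than the window
            q.popleft()
        users = {u for _, u, _ in q}
        successes = sum(1 for _, _, s in q if s)
        if len(users) >= min_distinct_users and successes / len(q) <= max_success_rate:
            flagged[ip] = {"distinct_users": len(users),
                           "attempts": len(q),
                           "successes": successes}
    return flagged


def compromised_accounts(log_text, flagged):
    """Usernames that logged in successfully from a flagged IP: the handful
    of doors the reused passwords actually opened, which need a forced reset."""
    hits = set()
    for line in log_text.splitlines():
        if line.strip():
            _, ip, user, ok = parse_line(line)
            if ok and ip in flagged:
                hits.add(user)
    return sorted(hits)


if __name__ == "__main__":
    suspects = detect_stuffing(SAMPLE_LOG)
    for ip, stats in suspects.items():
        print(f"{ip}: {stats}")
    print("accounts to reset:", compromised_accounts(SAMPLE_LOG, suspects))
```

On the sample data only 203.0.113.7 is flagged: ten different usernames in ten seconds with a single success. The user at 198.51.100.23 who fails once and then logs in, and mallory's three attempts at her own account, are left alone. Note that a distributed attack spread across many addresses defeats a per-IP window; in that case the same counts are worth tracking per target username and per user-agent as well.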
Not only does that create the potential for staff members to have their bank accounts, retail accounts and other memberships compromised, it also leaves the door wide open to any business accounts that share these credentials.
But perhaps one of the most alarming parts of credential stuffing comes with the fact that these stolen credentials aren’t hard to find. Some are simply dumped on the internet, given away for free by cyber criminals who hack for fun, or by others looking to build a reputation.
Is credential stuffing really that effective?
Common sense says that, as a concept, credential stuffing must work at least some of the time, right? It does: according to Shape Security’s 2017 “Credential Spill Report”, a list of 1 million stolen credentials could be expected to compromise roughly 10,000 accounts on a targeted but otherwise uncompromised site, a success rate of about 1%.
Considering that 2016 saw 3.3 billion user credentials spill onto the internet, those figures can be pretty daunting.
Let’s take the ever-infamous Yahoo breaches of 2013 and 2014 as an example. A mind-boggling 1.5 billion credentials (as first disclosed) leaked which, seeing as the breaches weren’t reported until 2016, gave the cyber criminals up to three years to work through the weak accounts before anyone was told to change a password.
The sheer scale of the theft, combined with how widely Yahoo accounts were used, means those stolen credentials would have been paying off for cyber criminals for several years.
How can your business fight this attack?
Step One | Locate the currently-exposed credentials
A good first place to start is undoubtedly an email breach detection check. Simply put, this is where an organisation checks its users’ credentials against lists of stolen credentials (often found on dump sites or paste sites), giving it an incredibly useful view of which employee email accounts are already out there on the internet. Any account that turns up should have its password changed straight away, on every site where that password was reused.
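As an added example (not from the original article), the check below runs that idea offline against a constructed dump. It finds which addresses at your domain appear in the leaked list, and it checks whether a given password is in the leaked set without ever revealing the password: the client hashes the password locally, sends only the first five hex characters of the SHA-1, and matches the remainder at home, which is the k-anonymity range lookup used by Have I Been Pwned’s Pwned Passwords API. The dump contents, the `corp.example` domain and every name in it are assumptions made for the example.

```python
"""Offline email breach check against a constructed credential dump."""
import hashlib
from collections import defaultdict

# Constructed dump in the "email:password" shape seen on paste sites.
# Entirely made up for this example.
SAMPLE_DUMP = """\
jacob89@corp.example:Jacob89!
alice@corp.example:Summer2017
alice@corp.example:Summer2018!
someone@webmail.example:hunter2
bob@corp.example:hunter2
notanemail
"""


def parse_dump(dump_text):
    """Yield (email, password) pairs, skipping lines that are not email:password."""
    for line in dump_text.splitlines():
        if ":" not in line:
            continue
        email, password = line.split(":", 1)
        if "@" in email:
            yield email.strip().lower(), password


def exposed_accounts(dump_text, domain):
    """Map each address at `domain` found in the dump to how many passwords leaked for it."""
    counts = defaultdict(int)
    for email, _ in parse_dump(dump_text):
        if email.endswith("@" + domain.lower()):
            counts[email] += 1
    return dict(counts)


def sha1_hex(password):
    """Upper-case hex SHA-1, the digest the range-lookup scheme is built on."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest().upper()


def build_range_index(dump_text):
    """Bucket leaked-password hashes by their first 5 hex chars:
    prefix -> {suffix: occurrences}. This is what a range API serves."""
    index = defaultdict(lambda: defaultdict(int))
    for _, password in parse_dump(dump_text):
        h = sha1_hex(password)
        index[h[:5]][h[5:]] += 1
    return index


def range_query(index, prefix):
    """Server side: return every leaked suffix under a 5-char prefix.
    The server never learns which suffix (which password) the caller holds."""
    return dict(index.get(prefix, {}))


def password_breach_count(index, password):
    """Client side: hash locally, send only the prefix, match the suffix at home.
    Returns how many times the password appears in the dump (0 = not seen)."""
    h = sha1_hex(password)
    bucket = range_query(index, h[:5])
    return bucket.get(h[5:], 0)


if __name__ == "__main__":
    print(exposed_accounts(SAMPLE_DUMP, "corp.example"))
    idx = build_range_index(SAMPLE_DUMP)
    for pw in ("hunter2", "Jacob89!", "correct horse battery staple"):
        print(pw, "->", password_breach_count(idx, pw))
```

Run against the sample dump, three `corp.example` addresses come back (alice with two leaked passwords), `hunter2` is seen twice, `Jacob89!` once and an unrelated passphrase not at all. The same prefix-and-suffix split is what lets you check a new password at reset time against a live range API without handing the password, or its full hash, to anyone.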
Take a look at how you can obtain an email breach detection report here.
Step Two | Avoid future compromised accounts with staff awareness
Password hygiene is always going to be a huge factor in whether or not credential stuffing works against your company. Employees need to understand why password security is so vital these days and what they actually need to do about it: above all, never reuse a work password on any other site, because that reuse is precisely what credential stuffing exploits. A password that is unique to one service cannot be stuffed into another, however weak it is.
Of course, that’s easier said than done. We recommend integrating your password policy into your security awareness programme. There are some great eLearn-based security awareness training platforms out there to choose from, which can ultimately give you a leg up on educating employees on password security.