In the last couple of years, cybersecurity shifted from a barely discussed niche topic to one of the major technological and political problems. On one side, IT companies all across the world signal the growing need for cybersecurity experts. Meanwhile, politicians can no longer deny the importance of cyber warfare, data mining, and foreign rivals’ espionage.
In just a few short years, cybercrime proved to be an illegal yet efficient way to profit, which attracted a great many people. Furthermore, there was a significant increase in cyberattacks during the quarantine: ZDNet reported a surge in COVID-19-related email scams, ransomware attacks, and infected files with “zoom” in their names.
However, outside the political and technological arena, the usual victim is the end user. In this article, we’d like to look at one particular hacking method that causes direct financial damage to the consumer. It doesn’t matter whether you use Windows, Linux, or macOS: you can still fall victim to a Credential Stuffing attack.
That is, unless you’re using a good Windows, macOS, or Linux password manager, so we’ll also give some advice at the end on how to use one for Credential Stuffing protection. Let’s dive in.
The importance of strong passwords
First of all, let’s put down some context. Digital passwords may be nearly as old as the Internet itself, but for a long time they mattered only to a small number of people, mostly businesses. Two decades ago, there simply wasn’t much to do on the Internet. The first online payments and commercial software were only just reaching the broader public, so there wasn’t that great a need for online security.
Things changed radically around the new millennium. Computer technologies kept developing rapidly (which hasn’t slowed down even a tiny bit), online shopping became more popular, and with the emergence of smartphones, we could use the Internet wherever we go.
Smartphones illustrate the change in how we use the Internet very well. Back in the day, an average Internet user had only a few applications on a computer, maybe a few accounts on some online forums, and mIRC was the predominant online communication platform. Only a few of these services were protected by a password.
Statistics reveal that right now, an average smartphone user has over 80 apps installed on their device, and most of them rely on a password for identification and account protection.
And that’s why strong passwords are so important these days: there are far more services that hackers can attack and exploit for profit. For example, stealing a person’s login to an online book forum would be useless, but if you get your hands on Netflix or Spotify accounts, you can sell them on online black markets.
Spotify recently suffered two major Credential Stuffing attacks. First, in December 2020, cybersecurity specialists discovered a database containing 380 million records, of which 300,000 to 350,000 were confirmed to be Spotify accounts. Then, several months later, it was hit by a second Credential Stuffing attack, this time affecting 100,000 accounts.
Overall, Credential Stuffing targets services such as Netflix, Steam, and Disney+, and it has expanded into the financial sector as well in search of bigger profits. So let’s take a look at how it works.
What is a Credential Stuffing attack?
The first Credential Stuffing attacks date back to 2014, when researchers noticed hackers on the dark web trying to monetize compromised account information. Ever since then, they have become both cheaper and more common.
The truth is, Credential Stuffing attacks can be extremely easy to execute, and they attract people with little knowledge of hacking but a thirst for easy profits. Here is how they work:
- A vast number of username-password combinations leak from an insecure online service, exposing confidential user data;
- A cybercriminal obtains such a dataset on the Dark Web;
- He or she then obtains additional software that allows a different service to be targeted with the leaked data. The process is automated so that millions of username-password combinations can be tried as quickly as possible;
- If the same username-password combination is in use there, he or she can access the account and take it over;
- The account is sold on the DarkNet for profit.
As you can see, the attack itself is straightforward, and most likely, selling stolen accounts without leaving a trace is harder.
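The automated, high-volume login attempts described in the steps above leave a recognisable trace on the service being targeted: one source address failing to log in as many different usernames within a short time, which is unlike a legitimate user retrying their own account. The following is an added example, not code from the original article, of that detection logic run over a few constructed log lines in a hypothetical `login ip=… user=… result=…` format; the field names, the 60-second window and the threshold of five distinct usernames are assumptions chosen for the demonstration.

```python
"""Credential-stuffing detection over constructed auth log lines.

Added example (not from the article). Scores each source IP by how many
DISTINCT usernames it fails to log in as inside a sliding window: a real
user who mistypes a password retries the same account, whereas a stuffing
tool cycles through a leaked username/password list.
"""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample lines in a hypothetical syslog-like format.
SAMPLE_LOG = """\
2021-03-01T10:00:01Z login ip=203.0.113.7 user=alice result=FAIL
2021-03-01T10:00:02Z login ip=203.0.113.7 user=bob result=FAIL
2021-03-01T10:00:02Z login ip=203.0.113.7 user=carol result=FAIL
2021-03-01T10:00:03Z login ip=203.0.113.7 user=dave result=FAIL
2021-03-01T10:00:03Z login ip=203.0.113.7 user=erin result=FAIL
2021-03-01T10:00:04Z login ip=203.0.113.7 user=frank result=SUCCESS
2021-03-01T10:00:10Z login ip=198.51.100.9 user=alice result=FAIL
2021-03-01T10:00:15Z login ip=198.51.100.9 user=alice result=FAIL
2021-03-01T10:00:21Z login ip=198.51.100.9 user=alice result=SUCCESS
2021-03-01T10:05:00Z login ip=203.0.113.7 user=grace result=FAIL
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) login ip=(?P<ip>\S+) user=(?P<user>\S+) result=(?P<result>\S+)$"
)


def parse_line(line):
    """Parse one log line; return (timestamp, ip, user, result) or None."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ")
    return ts, m["ip"], m["user"], m["result"]


def find_stuffing_sources(log_text, window=timedelta(seconds=60), min_distinct_users=5):
    """Return two dicts: {ip: peak number of distinct failed usernames inside
    one window} for every IP that crossed the threshold, and {ip: [usernames]}
    that later logged in SUCCESSfully from a flagged IP (accounts to review)."""
    fails = defaultdict(deque)      # ip -> deque of (ts, user) failures in window
    peak = defaultdict(int)
    flagged = set()
    takeovers = defaultdict(set)
    for raw in log_text.splitlines():
        rec = parse_line(raw)
        if rec is None:
            continue                # skip lines that do not match the format
        ts, ip, user, result = rec
        q = fails[ip]
        while q and ts - q[0][0] > window:
            q.popleft()             # drop failures that fell out of the window
        if result == "FAIL":
            q.append((ts, user))
            distinct = len({u for _, u in q})
            peak[ip] = max(peak[ip], distinct)
            if distinct >= min_distinct_users:
                flagged.add(ip)
        elif result == "SUCCESS" and ip in flagged:
            takeovers[ip].add(user)
    return ({ip: peak[ip] for ip in flagged},
            {ip: sorted(users) for ip, users in takeovers.items()})


if __name__ == "__main__":
    sources, suspect_accounts = find_stuffing_sources(SAMPLE_LOG)
    print("stuffing sources:", sources)
    print("accounts to review:", suspect_accounts)
```

On the sample data the check flags `203.0.113.7` (five distinct usernames failing within three seconds) and lists `frank` as the account that was then logged into from that address, while `198.51.100.9`, which only retried `alice`, is left alone. The distinct-username count is what separates stuffing from an ordinary forgotten password; counting raw failures alone would also catch the legitimate retry.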
Luckily, an attack this simple to execute is also simple to defend against. Next, we will show you a straightforward way to protect your accounts against credential stuffing attacks.
How password managers solve the issue
As you might have noticed, Credential Stuffing relies on reused passwords. If your credentials appear in one data leak or another and you used the same username or email and password on a different service, the risk of losing that account is much higher.
Needless to say, remembering a different password for 80+ apps on your smartphone is nearly impossible. Moreover, if you want to be really safe, your password should include upper and lower case letters, numbers, and symbols and should be at least 12 characters long, ideally 16 or more. Such passwords are hard to remember even one at a time, let alone dozens of them.
For this reason, a lot of people make a common mistake and use easily guessable passwords like “qwerty”, “passwords123”, “namesurname123”, and the like.
Password managers are cybersecurity software that lets you have multiple separate, strong passwords without extra effort to use them. They work by collecting all of your passwords and storing them in an encrypted vault. The technology is complex, but in layman’s terms, they encrypt the passwords so that only the original user can gain access to them.
Advanced password managers like NordPass go further and alert you if you have reused the same password more than once. You will be offered a new, strong password to replace it, and once you have changed every account to a unique password, you can relax, because 99.99% of the time hackers don’t target a person with any security software.
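The two checks just described, flagging reused passwords and flagging ones that miss the length and character-class rule given above, can be expressed in a few lines. What follows is an added example written for this article; it is not NordPass code and makes no claim about how any particular manager implements the check. The vault entries are constructed sample data, and the use of a per-run HMAC fingerprint instead of the raw password is a design choice of the example, so that the audit report never contains plaintext passwords.

```python
"""Password-reuse and strength audit over a constructed vault.

Added example (not from the article or from NordPass). Entries are grouped
by a keyed hash of the password so that equal passwords collide without the
plaintext ever appearing in the report, and each password is checked against
the article's rule: upper, lower, digit, symbol, at least 12 characters.
"""
import hashlib
import hmac
import secrets
import string
from collections import defaultdict

# Constructed sample vault; a real manager would decrypt these from its store.
SAMPLE_VAULT = [
    {"service": "streaming-a.example", "username": "alice@example.com", "password": "Spring2021!Spring"},
    {"service": "music-b.example",     "username": "alice@example.com", "password": "Spring2021!Spring"},
    {"service": "forum-c.example",     "username": "alice",             "password": "qwerty"},
    {"service": "bank-d.example",      "username": "alice@example.com", "password": "x9#Lq2!vT7$pR4wZ"},
]


def strength_issues(pw, min_len=12):
    """Return the list of ways `pw` falls short of the article's rule (empty if none)."""
    issues = []
    if len(pw) < min_len:
        issues.append(f"shorter than {min_len} characters")
    if not any(c.isupper() for c in pw):
        issues.append("no upper-case letter")
    if not any(c.islower() for c in pw):
        issues.append("no lower-case letter")
    if not any(c.isdigit() for c in pw):
        issues.append("no digit")
    if not any(c in string.punctuation for c in pw):
        issues.append("no symbol")
    return issues


def audit_vault(vault, salt=None):
    """Report password reuse and weak passwords across `vault`.

    The fingerprint is HMAC-SHA256 under a random per-run key, so the report
    cannot be turned into a lookup table even if it leaks; equal passwords
    still share a fingerprint within one run."""
    salt = salt or secrets.token_bytes(16)
    by_fingerprint = defaultdict(list)
    for entry in vault:
        fp = hmac.new(salt, entry["password"].encode(), hashlib.sha256).hexdigest()
        by_fingerprint[fp].append(entry["service"])
    reused = sorted(sorted(services) for services in by_fingerprint.values() if len(services) > 1)
    weak = {e["service"]: strength_issues(e["password"]) for e in vault if strength_issues(e["password"])}
    return {"reused": reused, "weak": weak}


if __name__ == "__main__":
    report = audit_vault(SAMPLE_VAULT)
    for group in report["reused"]:
        print("same password on:", ", ".join(group))
    for service, issues in report["weak"].items():
        print(f"{service}: {'; '.join(issues)}")
```

On the sample vault the audit pairs the streaming and music services, which share one password, and reports the forum password “qwerty” as too short and missing an upper-case letter, a digit and a symbol; the bank password passes. Grouping by a keyed hash rather than comparing plaintext is what lets the same check run on a vault without the report itself becoming a second copy of the secrets.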
We’ve mentioned popular services like Netflix and Spotify, but imagine losing your Facebook account or an Instagram account with thousands of followers: the damage can be devastating.
Luckily, there are tons of password managers to choose from. Just be sure to read reviews because picking cybersecurity software is an important decision best done with care.