The Case of the Credential Stuffer
Password Reuse
Renowned researcher Troy Hunt revealed a large list of hacked data code-named ‘Collection#1’. It contained the most comprehensive list of organised hacked data to date. A staggering 700 million email addresses and in excess of 20 million passwords.
This raises an interesting question about what people actually do with all those credentials. The short answer is that they try to use them to break into people's accounts on other, unrelated websites. They work on the principle that many users will use the same password for multiple online accounts.
As human beings, we like to keep things simple; we tend to reuse passwords in an effort to save time. We are all guilty of this at some time or another, and opportunistic cyber criminals know this because that’s their job.
Consequently, when data breaches give them access to large volumes of user data, these opportunists are going to try and break into as many accounts as they possibly can by re-using the same credentials. This brings us onto 'credential stuffing'.
Credential Stuffing
Credential stuffing is the automatic injection of breached username/password pairs to gain unsanctioned access to user accounts. This is a subsection of the 'brute force attack': large numbers of leaked credentials are automatically entered into websites until they are potentially matched to an existing account. At that point, the hacker can then take it over as their own.
The ultimate success of this approach depends entirely on the fact that people reuse their credentials across multiple platforms and services. A victim's data might have ended up on this list because he or she subscribed to a blog some years ago and got lazy when setting the password. He/she might have little or no memory of doing it, but the risk remains. If that blog was subsequently breached and the victim used the same credentials anywhere else, they could have major problems.
If you think, “that’s never going to happen to me,” you could easily be wrong! There's a good chance it already has.
James Smith, director at AMP Information Systems says: “The increase in credential stuffing attacks calls for the adoption of a password manager such as ‘LastPass’. You can generate a secure and different password for each and every website, so it really is the ‘LastPass” you will ever need.” Password managers are a hundred times more secure than reusing a few passwords across all your sites and apps."