2nd May, 2019

Credential Stuffing

Recently I received an email that had me more than a little concerned. At first glance it was just another spam email, poorly written and clearly spam; it was seeking a payment of US $1,368. I was about to hit delete when I noticed it had one of my passwords on it. Not just any password, but my default, go-to password that I use for just about everything I do online. How did they get my password? Did this mean they had access to all of my online accounts? Thoughts about worst-case scenarios started going through my head. Was this some sort of identity fraud? I have heard of that happening to friends, and it had been a major inconvenience for them, needing to cancel bank and phone accounts.

I re-read the email a few times; it was poorly written, and I felt it probably wasn’t legit, as surely they would have taken a bit more time writing their email if they were seriously going to hold me to ransom. I put the email aside with the intention of speaking to our IT support people to see if they thought I should be concerned about it.

A few days later I received an email talking about credential stuffing, something that has been around for a while but is on the rise and, for some reason, is a significant threat in Australia. Credential stuffing is where a hacker obtains a username and password from one site and then tries the same pair on other sites to see if it works elsewhere. The site the password is taken from may be harmless in itself, holding no personal or sensitive information, but if the same password works on other sites such as Uber, PayPal or even an airline account, then there is potential for the hacker to make significant gains.

Credential stuffing has exploded in the past few years, with security specialist Akamai recording nearly 30 billion credential stuffing attacks in 2018. Australia is among the most at-risk countries, with over 100 million attacks in 2018. Businesses offering online services need to be particularly careful, as it may be data stolen from another site that results in credential stuffing on your site. Earlier this year a taxation business in Australia was forced to notify everyone in its database of the attack, despite the information having been taken from another website. This resulted in trust issues with the business and a loss of income, despite no wrongdoing on its part.
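From the receiving site’s side, the attack described above has a recognisable shape: one source trying many different accounts in a short time, mostly failing, with the occasional success where a reused password matched. The following is an added example, not code from the original post, that flags that pattern in a constructed login log; the log format, IP addresses, account names and thresholds are all assumptions made up for the example.

```python
"""Flag credential-stuffing sources in constructed login logs (added example)."""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed log format (not from any real product): one line per login attempt.
LINE_RE = re.compile(r"^(?P<ts>\S+) ip=(?P<ip>\S+) user=(?P<user>\S+) result=(?P<res>OK|FAIL)$")

def parse_line(line):
    m = LINE_RE.match(line.strip())
    if not m:
        return None  # ignore lines in any other format
    return {"ts": datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ"),
            "ip": m["ip"], "user": m["user"], "ok": m["res"] == "OK"}

def find_stuffing_sources(lines, window=timedelta(minutes=5),
                          min_distinct_users=5, max_success_ratio=0.2):
    """Return {ip: stats} for sources that tried many *different* accounts
    inside `window`, mostly failing. A real user retyping their own password
    hits one account, so the distinct-user count separates the two cases."""
    by_ip = defaultdict(list)
    for ev in filter(None, map(parse_line, lines)):
        by_ip[ev["ip"]].append(ev)
    flagged = {}
    for ip, events in by_ip.items():
        events.sort(key=lambda e: e["ts"])
        start = 0
        for end in range(len(events)):           # sliding window per source
            while events[end]["ts"] - events[start]["ts"] > window:
                start += 1
            win = events[start:end + 1]
            users = {e["user"] for e in win}
            hits = sum(e["ok"] for e in win)    # successes = accounts to reset
            if len(users) >= min_distinct_users and hits / len(win) <= max_success_ratio:
                flagged[ip] = {"users": len(users), "attempts": len(win), "successes": hits}
    return flagged

# Constructed sample: 203.0.113.7 replays leaked pairs against eight accounts
# (one reused password works); 198.51.100.4 is one user mistyping their password.
SAMPLE_LOG = [f"2019-05-02T10:00:{i:02d}Z ip=203.0.113.7 user=acct{i} result={'OK' if i == 6 else 'FAIL'}"
              for i in range(8)] + [
    "2019-05-02T10:01:00Z ip=198.51.100.4 user=alice result=FAIL",
    "2019-05-02T10:01:20Z ip=198.51.100.4 user=alice result=FAIL",
    "2019-05-02T10:01:45Z ip=198.51.100.4 user=alice result=OK",
]

if __name__ == "__main__":
    for ip, stats in find_stuffing_sources(SAMPLE_LOG).items():
        print(f"{ip}: {stats['users']} accounts, {stats['attempts']} attempts, "
              f"{stats['successes']} succeeded; reset those accounts and rate-limit the source")
```

The successful attempts from a flagged source are the ones that matter: they identify the accounts whose owners reused a leaked password and need a forced reset.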

The best way to avoid credential stuffing is to not use the same password for multiple online accounts. Like me, most people use the same password on many, if not most, of their online accounts. This plays into the hands of the ‘credential stuffers’. Whilst it makes accessing online accounts slower, the only way to avoid credential stuffing is to use random passwords and to change your passwords regularly. Software applications are available that securely generate and store passwords and can be accessed on all of your devices. Another option for accounts that you don’t access regularly is to not save a password at all: simply use the ‘forgot password’ option to request a new one each time you access the account.

We all appreciate the benefits and efficiencies that the online world brings to our lives, but so do cyber hackers. The speed at which change is occurring makes it impossible to defend against all attacks; however, taking simple precautions in how you manage your affairs online will go a long way in preventing you from becoming a victim of the majority of threats.

Author: Murray Bruce