Credential Stuffing

I know that you must get quite tired of hearing about your password. We tell you to keep it strong, use multi-factor authentication, blah blah blah…

We often hear the same kinds of responses back, but it is just my email… I have nothing of interest in there. Yes, we know… and we sympathize. In the end we are just trying to help you. I have had other posts about the significance of strong passwords, I have talked about password lockers/services.

Lets talk about a different direction. Credential stuffing. Now, I am going to admit that the phrase was one that I had seen, but never looked into. As you can imagine, in my role, I encounter a ton of new terms and phrases and often do not have to time to keep up on them all. I will try to do a better job of selecting one and sharing it with you so that you can get nuggets of skills along the way with me.

When we have talked about passwords in the past, I have mentioned that when companies have their networks get breached and data is stolen, sometimes that data is our personal data, but sometimes it is our username and passwords.

Since we on the whole (myself included but I am getting it fixed) are horrible for password reuse, this makes credential stuffing a danger.

So Mr. Blackhat gets their hands on a data dump, they then build a spreadsheet with your email address(es) and the password(s) that you have been known to use. Since the majority of the United States banks at one of a few national banks, they start testing to see if they can log in. if they can… great!

Fortunately banks are getting smarter and are pushing us all to more secure login methods. If you bank is behind the times, AND you use one password all over the internet, you may well become a victim.

I wish I could tell you how many times I have seen “my [social media account] got hacked”. They were probably not hacked at all. they likely either fell for a credential harvester scan, or… were reusing their social media account password on other services that were compromised.

This brings us back to the common pleas of the cybersecurity professionals. Please, PLEASE, use strong and unique passwords and when you are able to, enable multi-factor logins. Yes, it is that important, unless you feel that donating your funds to who knows what country is a suitable form of charity work, one that you cannot even deduct form your taxes.