Search This Blog

Popular Posts

Powered by Blogger.

Blog Archive

Labels

Footer About

Footer About

Labels

Load More
Trendy Right Now

Popular Posts

Showing posts with label Credential Stuffing. Show all posts
multi signal correlation
Account Takeover attacks bot attacks Credential Stuffing Cyber Fraud Fraud Detection multi signal correlation

Why Single-Signal Fraud Detection Fails Against Modern Multi-Stage Cyber Attacks

 

A  Modern fraud operations resemble a coordinated relay, where multiple tools and actors manage different stages—from account creation to final cash-out. Focusing on just one indicator, such as IP address or email, leaves gaps that attackers can easily exploit by shifting tactics across the chain.

A typical fraud campaign begins with automation. Bots and scripts are deployed to create large volumes of accounts with minimal human effort, often rotating infrastructure to bypass rate limits and detection mechanisms.

These accounts are made to appear legitimate by using aged or compromised email addresses and leaked credentials, giving the impression of long-established users rather than newly created ones.

To further disguise activity, attackers rely on residential proxies, which route traffic through real consumer IP ranges. This makes malicious traffic look like it originates from everyday home users instead of suspicious data centers or VPN services.

Once accounts are established, attackers slow down operations and switch to human-like interactions to blend in with normal user behavior. At this stage, fraud progresses to account takeover and monetization, leveraging phishing links, malware, and credential stuffing techniques to gain access, alter account details, and execute high-value transactions.

Throughout this lifecycle, tools and methods are constantly swapped. An attacker might begin with a headless browser and proxy during signup, switch to a mobile emulator during login, and eventually transfer access to another party specializing in financial exploitation or promotional abuse. This constant evolution highlights why one-time, single-signal checks fail to provide a complete risk picture.

The Problem with Isolated Detection Signals

Relying heavily on a single signal—like IP reputation—often leads to false positives. Legitimate users on shared Wi-Fi networks, corporate VPNs, or mobile carrier networks may inherit poor reputations due to the actions of others, despite having no malicious intent.

Similarly, blocking based solely on email domains is ineffective, as both genuine users and attackers frequently use free email services.

Identity-based checks also have limitations. Static verification methods, such as matching names or documents, can be bypassed using synthetic identities created from fragments of real data.

Device-based detection can miss threats when fraudsters operate from seemingly normal but previously compromised devices. Even bot-detection tools fall short when attackers transition from automated attacks to manual logins using stolen credentials. In such cases, systems may incorrectly interpret malicious activity as legitimate human behavior.

The result is a flawed system where genuine users face unnecessary friction, while persistent attackers continue to evade detection.

A more effective approach to fraud prevention involves analyzing multiple signals together—such as IP data, device fingerprints, identity markers, and behavioral patterns—throughout the user journey.

For example, an IP address that appears only mildly suspicious on its own can become clearly malicious when linked to repeated account creation attempts from the same device fingerprint and similar usage behavior.

Likewise, a user with a clean email and normal device may still pose a risk if their login activity mirrors credential stuffing patterns or aligns with known malware campaigns.

Modern risk engines improve accuracy by evaluating hundreds or even thousands of data points simultaneously, rather than relying on rigid, single-factor rules. This unified approach enables organizations to assess each interaction in context, rather than as isolated events.

Case Study: Tackling Coordinated Signup Abuse

Consider a SaaS platform offering free trials and self-service onboarding. As the platform scales, it begins facing abuse from thousands of fake accounts used for data scraping, testing stolen payment methods, or reselling access.

Initial defenses—such as blocking suspicious IP ranges and disposable email domains—offer limited success and start affecting legitimate users, especially small teams and freelancers on shared networks.

By adopting a multi-signal strategy, the platform evaluates signups based on a combination of IP data, device fingerprints, identity indicators, and behavioral signals.

Accounts sharing the same device fingerprint, originating from automation-linked IPs, or displaying scripted behavior are grouped into coordinated abuse clusters rather than assessed individually.

This allows for targeted responses, such as applying additional verification only to high-risk groups or quietly restricting their capabilities, while genuine users experience minimal disruption.

Over time, continuous feedback from confirmed fraud and legitimate activity refines the system, reducing false positives and increasing the cost and complexity for attackers.

Staying Ahead of Evolving Fraud Tactics

Today’s attackers operate across multiple layers, combining bots, proxies, synthetic identities, stolen credentials, and malware infrastructure. As a result, defenses based on single signals are no longer sufficient.

To effectively combat modern fraud, organizations must adopt a unified approach that correlates IP, identity, device, and behavioral data into a single risk framework.

The next step for businesses is to operationalize this model—integrating it into existing systems and measuring its effectiveness in reducing fraud while maintaining a seamless user experience.
Read more »
third party access
CAPTCHA Credential Stuffing Cyber Security MFA Online Retailers Passwords third party access

How Retailers Should Harden Accounts Before the Holiday Rush




Retailers rely heavily on the year-end shopping season, but it also happens to be the period when online threats rise faster than most organizations can respond. During the rush, digital systems handle far more traffic than usual, and internal teams operate under tighter timelines. This combination creates a perfect opening for attackers who intentionally prepare their campaigns weeks in advance and deploy automated tools when stores are at their busiest.

Security analysts consistently report that fraudulent bot traffic, password-testing attempts, and customer account intrusions grow sharply during the weeks surrounding Black Friday, festive sales, and year-end shopping events. Attackers time their operations carefully because the chance of slipping through undetected is higher when systems are strained and retailers are focused on maintaining performance rather than investigating anomalies.

A critical reason criminals favor this season is the widespread reuse of passwords. Large collections of leaked usernames and passwords circulate on criminal forums, and attackers use automated software to test these combinations across retail login pages. These tools can attempt thousands of logins per minute. When one match succeeds, the attacker gains access to stored payment information, saved addresses, shopping histories, loyalty points, and in some cases stored tokenized payment methods. All of these can be exploited immediately, which makes the attack both low-effort and highly profitable.

Another layer of risk arises from the credentials of external partners. Many retailers depend on vendors for services ranging from maintenance to inventory support, which means third-party accounts often hold access to internal systems. Past retail breaches have shown that attackers frequently begin their intrusion not through the company itself but through a partner whose login rights were not secured with strong authentication or strict access controls. This amplifies the impact far beyond a single compromised account, highlighting the need for retailers to treat vendor and contractor credentials with the same seriousness as internal workforce accounts.

Balancing security with customer experience becomes especially challenging during peak seasons. Retailers cannot introduce so much friction that shoppers abandon their carts, yet they also cannot ignore the fact that most account takeovers begin with weak, reused, or compromised passwords.

Modern authentication frameworks recommend focusing on password length, screening new passwords against known breach data, and reducing reliance on outdated complexity rules that frustrate users without meaningfully improving security. Adaptive multi-factor authentication is viewed as the most practical solution. It triggers an additional verification step only when something unusual is detected, such as a login from an unfamiliar device, a significant change to account settings, or a suspicious location. This approach strengthens security without slowing down legitimate customers.

Internal systems require equal attention. Administrative dashboards, point-of-sale backends, vendor portals, and remote-access platforms usually hold higher levels of authority, which means they must follow a stricter standard. Mandatory MFA, centralized identity management, unique employee credentials, and secure vaulting of privileged passwords significantly reduce the blast radius of any single compromised account.

Holiday preparedness also requires a layered approach to blocking automated abuse. Retailers can deploy tools that differentiate real human activity from bots by studying device behavior, interaction patterns, and risk signals. Rate limits, behavioral monitoring for credential stuffing, and intelligence-based blocking of known malicious sources help limit abuse without overwhelming the customer experience. Invisible or background challenge mechanisms are often more effective than traditional CAPTCHAs, which can hinder sales during peak traffic.

A final but critical aspect of resilience is operational continuity. Authentication providers, SMS delivery routes, and verification systems can fail under heavy demand, and outages during peak shopping hours can have direct financial consequences. Retailers should run rehearsals before the season begins, including testing failover paths for sign-in systems, defining emergency access methods that are short-lived and fully auditable, and ensuring there is a manual verification process that stores can rely on if digital systems lag or fail. Running load tests and tabletop exercises helps confirm that backup procedures will hold under real stress.

Strengthening password policies and monitoring for compromised credentials also plays a vital role. Tools that enforce password screenings against known breach databases, encourage passphrases, restrict predictable patterns, and integrate directly with directory services allow retailers to apply consistent controls across both customer-facing and internal systems. Telemetry from these tools can reveal early signs of suspicious behavior, providing opportunities to intervene before attackers escalate their actions.

With attackers preparing earlier each year and using highly automated methods, retailers must enter the holiday season with defenses that are both proactive and adaptable. By tightening access controls, reinforcing authentication, preparing for system failures, and using layered detection methods, retailers can significantly reduce the likelihood of account takeovers and fraud, all while maintaining smooth and reliable shopping experiences for their customers.


Read more »
Synthient
Credential Stuffing Cyber Security Data Breach exposed emails Have I Been Pwned password leak Synthient

Massive Leak Exposes 1.3 Billion Passwords and 2 Billion Emails — Check If Your Credentials Are at Risk

 

If you haven’t recently checked whether your login details are floating around online, now is the time. A staggering 1.3 billion unique passwords and 2 billion unique email addresses have surfaced publicly — and not due to a fresh corporate breach.

Instead, this massive cache was uncovered after threat-intelligence firm Synthient combed through both the open web and the dark web for leaked credentials. You may recognize the company, as they previously discovered 183 million compromised email accounts.

Much of this enormous collection is made up of credential-stuffing lists, which bundle together login details stolen from various older breaches. Cybercriminals typically buy and trade these lists to attempt unauthorized logins across multiple platforms.

This time, Synthient pulled together all 2 billion emails and 1.3 billion passwords, and with help from Troy Hunt and Have I Been Pwned (HIBP), the entire dataset can now be searched so users can determine if their personal information is exposed.

The compilation was created by Synthient founder Benjamin Brundage, who spent months gathering leaked credentials from countless sources across hacker forums and malware dumps. The dataset includes both older breach data and newly stolen information harvested through info-stealing malware, which quietly extracts passwords from infected devices.

According to Troy Hunt, Brundage provided the raw data while Hunt independently verified its authenticity.

To test its validity, Hunt used one of his old email addresses — one he already knew had appeared in past credential lists. As expected, that address and several associated passwords were included in the dataset.

After that, Hunt contacted a group of HIBP subscribers for verification. By choosing some users whose data had never appeared in a breach and others with previously exposed data, he confirmed that the new dataset wasn’t just recycled information — fresh, previously unseen credentials were indeed present.

HIBP has since integrated the exposed passwords into its Pwned Passwords service. Importantly, this database never links email addresses to passwords, maintaining privacy while still allowing users to check if their passwords are compromised.

To see if any of your current passwords have been leaked, visit the Pwned Passwords page and enter them. Your passwords are never sent to a server — the entire check is processed locally in your browser through an anonymity-preserving method.

If any password you use appears in the results, change it immediately. You can rely on a password manager to generate strong replacements, or use free password generators from tools like Bitwarden, LastPass, and ProtonPass.

The single most important cybersecurity rule remains the same: never reuse passwords. When criminals obtain one set of login credentials, they try them across other platforms — an attack method known as credential stuffing. Because so many people still repeat passwords, these attacks remain highly successful.

Make sure every account you own uses a strong, complex, and unique password. Password managers and built-in password generators are the easiest way to handle this.

Even the best password may not protect you if it’s stolen through a breach or malware. That’s why Two-Factor Authentication (2FA) is crucial. With a second verification step — such as an authenticator app or security key — criminals won’t be able to access your account even if they know the password.

You should also safeguard your devices against malware using reputable antivirus tools on Windows, Mac, and Android. Info-stealing malware, often spread through phishing attacks, remains one of the most common ways passwords are siphoned directly from user devices.

If you’re interested in going beyond passwords altogether, consider switching to passkeys. These use cryptographic key pairs rather than passwords, making them unguessable, non-reusable, and resistant to phishing attempts.

Think of your password as the lock on your home’s front door: the stronger it is, the harder it is for intruders to break in. But even with strong habits, your information can still be exposed through breaches outside your control — one reason many experts, including Hunt, see passkeys as the future.

While it’s easy to panic after reading about massive leaks like this, staying consistent with good digital hygiene and regularly checking your exposure will keep you one step ahead of cybercriminals.
Read more »
Zero Trust
Credential Stuffing Cybersecurity Breach Data Leak Digital Risk Malware Logs Password Security Privacy Stolen Credentials Threat Intelligence Zero Trust

Digital Security Threat Escalates with Exposure of 1.3 Billion Passwords


 

One of the starkest reminders of just how easily and widely digital risks can spread is the discovery of an extensive cache of exposed credentials, underscoring the persistent dangers associated with password reuse and the many breaches that go unnoticed by the public. Having recently clarified the false claims of a large-scale Gmail compromise in the wake of Google’s recent clarification, the cybersecurity community is once again faced with vast, attention-grabbing figures which are likely to create another round of confusion. 

Approximately 2 billion emails were included in the newly discovered dataset, along with 1.3 billion unique passwords that were found in the dataset, and 625 million of them were not previously reported to the public breach repository. It has been emphasised that Troy Hunt, the founder of Have I Been Pwned, should not use sensationalism when discussing this discovery, as he stresses the importance of the disclosure. 

It is important to note that Hunt noted that he dislikes hyperbolic news headlines about data breaches, but he stressed that in this case, it does not require exaggeration since the data speaks for itself. Initially, the Synthient dataset was interpreted as a breach of Gmail before it was clarified to reveal that it was actually a comprehensive collection gathered from stealer logs and multiple past breaches spanning over 32 million unique email domains, and that it was a comprehensive collection. 

There's no wonder why Gmail appears more often than other email providers, as it is the world's largest email service provider. The collection, rather than a single event, represents a very extensive collection of compromised email and password pairs, which is exactly the kind of material that is used to generate credential-stuffing attacks, where criminals use recycled passwords to automate attempts to access their banking, shopping, and other online accounts. 

In addition to highlighting the dangers associated with unpublicized or smaller breaches, this new discovery also underscores the danger that even high-profile breaches can pose when billions of exposed credentials are quietly redirected to attackers. This newly discovered cache is not simply the result of a single hack, but is the result of a massive aggregation of credentials gathered from earlier attacks, as well as malware information thieves' logs, which makes credential-based attacks much more effective.

A threat actor who exploits reused passwords will have the ability to move laterally between personal and corporate services, often turning a compromised login into an entry point into an increasingly extensive network. A growing number organisations are still dependent on password-only authentication, which poses a high risk to businesses due to the fact that exposed credentials make it much easier for attackers to target business systems, cloud platforms, and administrative accounts more effectively. 

The experts emphasised the importance of adopting stronger access controls as soon as possible, including the generation of unique passwords by trusted managers, the implementation of universal two-factor authentication, and internal checks to identify credentials which have been reused or have previously been compromised. 

For attackers to be able to weaponise these massive datasets, enterprises must also enforce zero-trust principles, implement least-privilege access, and deploy automated defences against credential-stuffing attempts. When a single email account is compromised, it can easily cascade into financial, cloud or corporate security breaches as email serves as the central hub for recovering accounts and accessing linked services. 

Since billions of credentials are being circulated, it is clear that both individuals and businesses need to take a proactive approach to authentication, modernise security architecture, and treat every login as if it were a potential entry point for attackers. This dataset is also notable for its sheer magnitude, representing the largest collection of data Have I Been Pwned has ever taken on, nearly triple the volume of its previous collection.

As compiled by Synthient, a cybercriminal threat intelligence initiative run by a college student, the collection is drawn from numerous sources where stolen credentials are frequently published by cybercriminals. There are two highly volatile types of compromised data in this program: stealer logs gathered from malware on infected computers and large credential-stuffing lists compiled from earlier breaches, which are then combined, repackaged and traded repeatedly over the underground networks. 

In order to process the material, HIBP had to use its Azure SQL Hyperscale environment at full capacity for almost two weeks, running 80 processing cores at full capacity. The integration effort was extremely challenging, as Troy Hunt described it as requiring extensive database optimisation to integrate the new records into a repository containing more than 15 billion credentials while maintaining uninterrupted service for millions of people every day.

In the current era of billions of credential pairs being circulated freely between attackers, researchers are warning that passwords alone do not provide much protection any more than they once did. One of the most striking results of this study was that of HIBP’s 5.9 million subscribers, or those who actively monitor their exposure, nearly 2.9 million appeared in the latest compilation of HIBP credentials. This underscores the widespread impact of credential-stuffing troves. The consequences are especially severe for the healthcare industry. 

As IBM's 2025 Cost of a Data Breach Report indicates, the average financial impact of a healthcare breach has increased to $7.42 million, and a successful credential attack on a medical employee may allow threat actors to access electronic health records, patient information, and systems containing protected health information with consequences that go far beyond financial loss and may have negative economic consequences as well.

There is a growing concern about the threat of credential exposure outpacing traditional security measures, so this study serves as a decisive reminder to modernise digital defences before attackers exploit these growing vulnerabilities. Organisations should be pushing for passwordless authentication, continuous monitoring, and adaptive risk-based access, while individuals should take a proactive approach to maintaining their credentials as an essential rather than an optional task. 

Ultimately, one thing is clear: in a world where billions of credentials circulate unchecked, the key to resilience is to anticipate breaches by strengthening the architecture, optimising the authentication process and maintaining security awareness instead of reacting to them after a breach takes place.
Read more »
PayPal Data Breach
Credential Stuffing Cybercrime Forum Dark Web Markets Infostealer malware Multi Factor Authentication Password Security PayPal Data Breach

PayPal Password Leak Puts Millions of Users on High Alert

 


It has been reported that millions of PayPal accounts have been traded on underground forums, which has raised a new wave of alarm in the ever-evolving landscape of cybercrime. Using the moniker “Chucky_BF”, a hacker announcing the availability of a dataset of 15.8 million PayPal accounts for the startlingly low price of $750 USD has advertised what he claims is a dataset of 15.8 million PayPal accounts. 

There has been widespread discussion across social media about the trove, which allegedly contains a 1.1 gigabyte text file that stores plaintext email and password combinations, making them accessible and ready for immediate use for malicious purposes. According to the hacker, the records he created cover a wide range of email providers, such as Gmail, Yahoo, Hotmail, among others, suggesting that the victims are spread around the globe. 

A concern, however, may be the inclusion of PayPal-specific login URLs and mobile URLs, which appear to be structured in such a way as to facilitate an automated exploit. The stolen credentials are organized along with direct links to PayPal sign-in portals that you can use to sign into PayPal—for example, the /signin, /signup, /connect, and the Android application URIs—in a way that makes them easy for cybercriminals to deploy as a toolkit. 

According to screenshots of the offer being circulated on the internet, there are rows of raw email:password:url entries, an information dump format commonly used in underground credential dumps. Even though the authenticity of the data has not been confirmed, due to its structured nature and low asking price, concerns have been raised that the data could rapidly be acquired by cybercriminals eager to exploit any portion of the data.

Those who would want to be attackers could use a dataset like this as the foundation for credential stuffing attacks, phishing campaigns, or even large-scale fraud against PayPal users across multiple countries if they wanted to make such a purchase. 

Not just because of the numbers, but because PayPal is a trusted platform for millions of businesses and individuals throughout the world, the hacker’s bold claims have caught the attention of the world. The central player in the global ecosystem of digital payments, even unverified reports of a massive leak raise immediate questions regarding the potential financial loss, the reputational damage, and the security of user identities in an environment that is becoming increasingly hostile. 

It is important to note, however, that while the alleged dataset has sparked headlines, experts emphasise that a thorough analysis of the situation is necessary. Neither PayPal nor any of its subsidiaries have ever been directly breached by large-scale attackers who have taken millions of user records from the company's systems. This distinction is crucial because previous incidents related to PayPal—such as one involving around 35,000 users—were attributed to credential stuffing or the use of previously stolen data, not to flaws within PayPal's own infrastructure. 

If the claims made by "Chucky_BF" are accurate, it appears as though the dataset has more likely come from an infostealer malware infection than from PayPal's servers themselves. A malicious program, known as an infostealer malware infection, infects computers and mobile devices and can often be delivered through phishing emails, malicious downloads, or compromised websites in order to gain access to personal data. 

It has been shown that the malware is silently extracting stored login information, browser history, cookies, and autofill information from a system once inside, then sending this information to cybercriminals. This theory is supported by the fact that the hacker shared samples that included PayPal login URLs and Android URIs. In contrast to the centralised dump that PayPal's systems may have produced, this dataset may have gathered stolen logs from compromised personal devices all over the world, carefully restructured to appear as if they were stolen from PayPal. 

The practice of rebranding or repackaging stolen data is common within cybercrime markets, where rebranding can enhance a person's perception of how valuable it is. Recent discoveries strengthen this belief. Researchers identified 184 million login credentials, including unique usernames and passwords, that had been exposed through a misconfigured cloud server in May of 2025, according to cybersecurity researcher Jeremiah Fowler. 

In the same way that PayPal credentials are believed to have been retrieved via infostealer malware rather than through a direct company breach, those credentials are almost certainly the result of infostealer malware. Information-stealing malware is extremely destructive. In Hudson Rock's research, it has been determined that such malware is not only readily available on the dark web but has been successfully infiltrating not just individual users, but also critical institutions, according to Hudson Rock's research. 

It was found that employees of some of the most sensitive organisations in the United States had been infected by the virus, including the Pentagon, Lockheed Martin, Honeywell, branches of the military, and even the FBI, according to the analysis. Taking advantage of infostealers highlights that even institutions that have robust security frameworks can be compromised, which underscores how vulnerable consumers may be to similar threats that they are not aware of or are unable to protect themselves from. 

PayPal users face immediate and multifaceted risks if the data is fabricated or recycled, millions of real credentials are still in circulation despite the fact that some of the data may be fabricated or recycled. The information that cybercriminals possess can be used to launch credential stuffing attacks in which stolen email-password pairs are tested across multiple platforms in search of accounts whose credentials are reusable. Because most individuals recycle the same login information across a wide range of financial, e-commerce, and social platforms, a compromise of a single PayPal account can lead to an overall e-commerce invasion. 

Besides direct financial theft, there are also other risks associated with structured datasets such as this, including phishing campaigns that can be created to mimic PayPal login pages and lure victims into providing updated credentials. This data can also be used for social engineering purposes by attracting individuals to tailored scams that exploit their trust in financial institutions. Depending on the extent of the data, there could be a loss of revenue, fraud, and recovery costs of billions of dollars, depending on whether it was authentic. 

As of the time of writing, PayPal has not confirmed or denied the authenticity of the dataset. HackRead.com, which reported the sale, was also unable to independently confirm the claims. I have contacted the company to get their opinion, but I anticipate that any confirmation or rebuttal of the statement would affect the level of response its global user base will require. However, vigilance has not been abandoned by cybersecurity experts in cases where unverified leaks make headlines. 

In cases where unverified leaks make headlines, it would be prudent for users to assume the worst and take proactive measures to protect themselves. Analysts recommend that all PayPal users immediately: Reset their PayPal password to a strong, unique one. Enable Multi-Factor Authentication (MFA), ideally through an authenticator app instead of SMS. 

Check linked email accounts for unusual login activity. Use password managers to avoid reusing credentials across multiple platforms. Run updated antivirus and anti-malware scans on devices to detect possible infections. Monitor financial transactions closely, enabling alerts for any suspicious payments. Consider identity theft protection services, particularly for users who conduct significant business via PayPal. 

Experts also stress the importance of an overall digital hygiene program. As infostealer malware has emerged as one of the most potent and pervasive forms of cybersecurity, experts advise updating software regularly, being cautious when browsing, and being sceptical when receiving unsolicited emails or downloading files. 

A significant risk reduction can be achieved for businesses, especially those relying heavily on PayPal for e-commerce, by implementing endpoint protection solutions and employee training programs. The alleged theft of PayPal credentials serves as a stark reminder of the fragile balance between trust and e-commerce in general. 

In spite of the fact that PayPal may not have suffered any direct breaches, the reputational fallout of its brand and its users still lingers, especially when the company's brand is compromised. With the rise of cybercrime marketplaces, stolen or recycled data will likely continue to be retrieved, repackaged, and sold to eager customers for the foreseeable future. 

The only way to stay ahead of attackers is to practice proactive security, so the only way to protect yourself is to stay ahead of them. As a result, whether the 15.8 million credentials that were advertised by “Chucky_BF” represented a real new breach, a compilation of stolen logs, or simply a rebranded dump of older leaks, the underlying issue remains the same: in today's digital economy, personal data is a commodity and vigilance is not optional - it is the price of taking part. 

The lesson from this episode is clear: your password should not be changed after confirmation, but now rather than later. Considering the ever-expanding digital landscape, incidents such as the alleged sale of PayPal credentials underscore a more important truth that security is no longer just an optional layer of protection, but a fundamental responsibility of everyone involved in the online economy today. In addition to immediate countermeasures like password resets or multifactor authentication, users must adopt a mindset of continuous cyber-resilience in addition to these immediate countermeasures. 

Digital accounts should be treated in the same way as physical assets in order to prevent them from being compromised. It is essential to pay close attention to the evolving nature of threats and take the time to utilise tools that go beyond basic security hygiene to detect compromised credentials early, such as hardware security keys, zero-trust authentication models, and regular dark web monitoring. 

There is no doubt that in an environment where a brand's reputation is fragile, cybersecurity awareness is integral to a business's daily operations, especially for small businesses that rely heavily on platforms like PayPal. By embedding cybersecurity awareness into everyday operations, businesses are not only protecting revenues but also strengthening customer trust. 

A proactive approach to layered defences can ultimately be a source of peace of mind for the individual, who is confident that he or she will not be perpetually vulnerable to unseen adversaries while transacting, communicating, and operating online. Cybersecurity may seem complicated at first glance, but it is the discipline of foresight, vigilance, and accountability that ensures digital trust remains strong in the long run.
Read more »
Password Breach
Credential Stuffing Cyber Fraud Cybersecurity Infostealer Malware Password Breach

Massive Password Breach Fuels Rise of Automated Credential-Stuffing Attacks

 

If you’re still relying solely on passwords to protect your digital life, this might be your wake-up call. A surge in infostealer malware has compromised billions of credentials, with 85 million fresh passwords now actively being used in cyberattacks. And even with two-factor authentication (2FA), you're not necessarily safe — hackers are leveraging stolen session cookies to bypass 2FA protections entirely.

This threat has escalated with the emergence of a sophisticated hacking tool: Atlantis AIO. A recent threat intelligence report by Abnormal Security warns that this automated credential-stuffing machine is exploiting stolen credentials to infiltrate everything from email and VPNs to streaming and food delivery services.

“Atlantis AIO has emerged as a powerful weapon in the cybercriminal arsenal,” Abnormal Security analysts said, “enabling attackers to test millions of stolen credentials in rapid succession.”

Credential stuffing isn’t a new concept — but it’s becoming more dangerous. Cybercriminals are constantly refining tools to make these attacks more efficient. In a previous report from March 15, internal chat logs from the Black Basta ransomware group exposed how an automated brute-force attack system was being used to infiltrate accounts.

Both brute-force and credential-stuffing attacks work by bombarding accounts with endless combinations of usernames and passwords. By leveraging databases of breached credentials from the dark web and criminal forums, hackers can easily gain access to multiple accounts that share reused passwords.

What sets Atlantis AIO apart is its plug-and-play structure. It offers pre-configured modules tailored to target over 140 different platforms — from popular email providers like Hotmail, Yahoo, AOL, GMX, and Web.de, to VPNs, streaming platforms, banking apps, and food delivery services.

The message is clear: if you're still reusing passwords, it's time to rethink your security habits. Passwords alone are no longer enough to stay safe online.

Read more »
multifactor authentication
Account Takeover Atlantis AIO Credential Stuffing Cyber Crime multifactor authentication

Malicious Actors Employ Atlantis AIO to Target 140+ Platforms

 

A new cybercrime platform dubbed 'Atlantis AIO' provides automatic credential stuffing against 140 internet platforms, including email, e-commerce, banking, and VPNs. Atlantis AIO includes pre-configured modules for performing brute force assaults, bypassing CAPTCHAs, automating account recovery operations, and monetising stolen credentials/accounts. 

Credential stuffing and automation 

Credential stuffing is a type of cyberattack in which attackers utilise a list of credentials (usernames and passwords) stolen or acquired via leaked data breaches to gain access to accounts on sites.

If the credentials match and the account is not safeguarded by multi-factor authentication, they can take over the account, shut out the legitimate owner, and then abuse or resell it to others. This type of attack is common and ubiquitous, with major credential-stuffing attacks happening every day. 

Over time, these attacks have had an impact on businesses and services such as Okta, Roku, Chick-fil-A, Hot Topic, PayPal, PetSmart, and 23andMe. Credential stuffing assaults are regularly carried out by malicious actors using free tools such as Open Bullet 2 and SilverBullet, as well as prepackaged "configs" available on cybercrime forums. 

Credential stuffing as a service 

Atlantis AIO is a new Credential Stuffing as a Service (CSaaS) platform that enables attackers to pay for a membership and automate such operations

Abnormal Security identified the cybercrime service Atlantis AIO, which says that it can target over 140 online services globally. Hotmail, AOL, Mail.ru, Mail.com, Gmx, Wingstop, Buffalo Wild Wings, and Safeway are among the services being targeted. Atlantis AIO is a modular tool that allows cybercriminals to launch targeted assaults. Its three major modules are: 

  • Email account testing: Automates brute-force and takeover efforts on popular email services such as Hotmail, Yahoo, and Mail.com, allowing cybercriminals to take control of accounts and access inboxes for phishing or data theft. 
  • Brute force assaults: Rapidly cycles through common or weak passwords on targeted platforms in order to breach accounts with poor password management. 
  • Account recovery: Account recovery processes are exploited (for example, on eBay and Yahoo), CAPTCHAs are bypassed, and takeovers are automated using programs such as "Auto-Doxer Recovery" for faster and more efficient credential exploitation.

When cybercriminals gain access to accounts, they frequently sell them in bulk, posting hundreds or even thousands of compromised accounts for sale on underground forums. Other threat actors set up stores to sell stolen accounts for as little as $0.50 per account. 

Prevention tips 

You can prevent credential stuffing attacks by using multi-factor authentication and strong, one-of-a-kind passwords on all websites where you have accounts. Even if credentials are compromised, threat actors will be unable to log in without also acquiring the MFA information, which is why multi-factor authentication is so important. 

If online services notify you of odd logins from odd places or unexpected emails requesting a password reset, you should look into if your credentials were compromised right away. Websites can help prevent these attacks by introducing rate limitation and IP throttling, utilising complex CAPTCHA puzzles, and monitoring for unusual behaviour patterns.
Read more »
Roku
2FA Credential Stuffing Data Breach Password Roku

Roku Security Breach Exposes Over 500,000 User Accounts to Cyber Threats

 


In a recent set of events, streaming giant Roku has disclosed an eminent security breach affecting over half a million user accounts. Following a recent data breach, Roku has uncovered additional compromised accounts, totaling approximately 576,000 users affected by the breach.

Security Breach Details

Last month, Roku announced that around 15,000 customers might have had their sensitive information, including usernames, passwords, and credit card details, stolen by hackers. These stolen credentials were then utilised to gain unauthorised access to other streaming platforms and even to purchase streaming gear from Roku's website. Subsequently, the compromised Roku accounts were sold on the dark web for a mere $0.50 each.

Method of Attack

The hackers employed a tactic known as "credential stuffing" to gain access to the jeopardised accounts. This method relies on using stolen usernames and passwords from other data breaches to gain unauthorised access to various accounts. It highlights the importance of avoiding password reuse across different platforms, no matter how convenient the idea of having one go-to password may seem. 

Proactive Measures by Roku

Roku took proactive steps in response to the security incidents. While investigating the initial breach, the company discovered a second similar incident affecting over 500,000 additional accounts. Roku clarified that there's no evidence indicating that their systems were directly laid on the line. Instead, the hackers likely obtained the credentials from external sources, such as previous data breaches or leaks.

Protecting Your Roku Account

To safeguard users' accounts, Roku has implemented several measures. Firstly, the company has reset the passwords for all affected accounts and initiated direct notifications to affected customers. Additionally, Roku is refunding or reversing any unauthorised charges made by hackers. Furthermore, two-factor authentication (2FA) has been enabled for all Roku accounts, adding an extra layer of security.

User Precautions

Despite Roku's efforts, users are advised to take additional precautions. It's crucial to use strong, unique passwords for each online account, including Roku. Password managers can assist in generating and securely storing complex passwords. Additionally, users should remain watchful for any suspicious activity on their accounts and monitor their bank statements closely.

As Roku continues its investigations, users are urged to stay cautious online. There's a possibility of hackers attempting targeted phishing attacks using stolen information. Therefore, users should exercise caution when interacting with emails purportedly from Roku and verify the authenticity of any communication from the company.

The recent security breaches bear down on the critical need for strong cybersecurity practices by both companies and users. While Roku has taken considerable steps to address the issue, users must remain proactive in protecting their accounts from potential threats. Stay informed and take necessary precautions to safeguard your online ecosystem. 

Read more »
Data Theft
2-Step Verification 23andMe Credential Stuffing Data Breach Data Theft

What are 'Credential Stuffing' Attacks and 2-Step Verification?

In the Light of 23andMe Security Incident Following up on the recent security breach of 23andMe that impacted around 14,000 customer accounts, the security incident underscored the utilization of a cybersecurity tactic known as "credential stuffing," where unauthorized access is gained by exploiting known passwords, potentially sourced from previous data breaches. 

As per a new filing, the information, which typically encompassed details about ancestry and, in some cases, health-related data derived from users' genetics, was acquired through a credential-stuffing attack. In this type of cyber attack, hackers leveraged login details obtained from previously breached websites to gain unauthorized access to users' accounts on various platforms. 

The threat actor not only breached individual accounts but also accessed numerous files containing profile information about other users' ancestry. These files were originally shared by users who opted in to 23andMe's DNA Relatives feature, and the compromised information was subsequently posted online by the attackers. 

Let's Understand 'Credential Stuffing' 

Credential stuffing is a cyber attack method in which attackers use automated tools to systematically and rapidly input large volumes of username and password combinations (credentials) into online login forms. These credentials are typically obtained from previous data breaches or leaks on other websites or services. 

The attack relies on the fact that many people reuse the same username and password across multiple online platforms. When attackers acquire a list of compromised credentials, they use automated tools to "stuff" or try these credentials on various websites, hoping to gain unauthorized access to user accounts. The success of credential stuffing attacks depends on the prevalence of password reuse among users. 

To protect against such attacks, individuals must use unique passwords for different online accounts and for organizations to implement security measures such as multi-factor authentication (MFA) to add an extra layer of protection. 

23andMe Holding Co., headquartered in South San Francisco, California, is a prominent player in the field of personal genomics and biotechnology. Renowned for its direct-to-consumer genetic testing service, the company invites customers to submit a saliva sample for laboratory analysis. Through single nucleotide polymorphism genotyping, the genetic data is deciphered to produce comprehensive reports on the customer's ancestry and predispositions to health-related conditions. 

This innovative approach has positioned 23andMe as a key player in the dynamic landscape of genetic testing, offering individuals valuable insights into their genetic makeup. Also, the company mentioned that when the hackers got into those accounts, they could see a lot of files with information about other users' family backgrounds. These were the users who decided to share details through 23andMe's DNA Relatives feature. However, the company did not say exactly how many of these files were or how many "other users" were impacted. 

Following the breach, 23andMe took swift action by advising users to reset their passwords. Additionally, the company strongly recommended the adoption of multi-factor authentication as a vital measure to boost security. By November 6, 23andMe escalated its security measures, making it mandatory for all users to enable two-step verification, providing an extra layer of defense for user accounts. 

What is 2-Step Verification and How Does it Prevent Credential Stuffing Attacks? 

Two-step verification (2SV) is an authentication method that adds an extra layer of security to the login process. Users must provide a second form of verification, such as a temporary code sent to their phone, in addition to the usual password. 

This additional step significantly reduces the risk of credential-stuffing attacks. Even if attackers acquire login credentials from one source, they would still need the second verification factor to access the account. 2SV serves as a crucial deterrent, enhancing overall security and making it more challenging for unauthorized access through automated credential-stuffing techniques.
Read more »
User Security
Credential Stuffing Data Breach Data Leak Restaurant Chain User Privacy User Security

Consumers of Chick-fil-A had Grievances Following Account Takeovers

 

An automated credential stuffing attack that affected more than 71,000 customers of Chick-fil-A, an American food chain,for months has been made known to its clients. 

Attacks that use automation—often through bots—to test a large number of username-password combinations against targeted online accounts are known as credential stuffing. The practise of users using the same password for numerous online services has made this kind of attack vector possible; as a result, the login information used in credential stuffing attacks is frequently obtained from other data breaches and is made available for purchase from a variety of Dark Web sources.

"Following a careful investigation, we determined that unauthorised parties launched an automated attack against our website and mobile application between December 18, 2022 and February 12, 2023 using account credentials (e.g., email addresses and passwords) obtained from a third-party source," the company said in a letter to those impacted. 

Customers' names, email addresses, membership numbers, mobile pay numbers, and masked credit or debit card numbers (meaning that unauthorised parties could only see the last four digits of the payment card number) were among the personal information that was compromised. Some clients' phone numbers, residences, birthdays, and months of birth were also made public.

In response to the attacks, Chick-fil-A said it has deleted stored credit and debit card payment methods, temporarily blocked cash that had been put onto customers' Chick-fil-A One accounts, and restored any balances that had been adversely affected. 

Also, the restaurant chain advised customers to change their passwords and use a secure password that is exclusive to the website. Some people pointed out that even while password reuse or the use of obvious and weak passwords is the users' fault, Chick-fil-A is still somewhat to blame. 

"This is the new frontier of information security: Attackers have gained access to these users' accounts not through any failure on the part of the website owner, but rather due to the natural human tendency to reuse username/passwords across multiple sites," says Uriel Maimon, vice president of emerging products at PerimeterX. "Nonetheless, organisations are required by law and morality to protect the private and financial information of their users." 

"This underscores the change in paradigm wherein website owners need to not just protect their sites from standard cyberattacks but also safeguard the information they hold on behalf of users. They can achieve this by tracking behavioristic and forensics signals of users logging in in order to differentiate between real users and attackers,”Maimon added. 

Rise in credential stuffing attacks

Credential stuffing has increased recently as a result of the massive supply of credentials available for purchase on the Dark Web. According to an analysis this week, the selling of stolen credentials rules underground markets, with more than 775 million credentials available right now. 

A credential-stuffing assault that disclosed personal information in January that was targeting roughly 35,000 PayPal user accounts exposed nearly 35,000 PayPal user accounts. In the same month, Norton LifeLock warned users about the dangers of being exposed to its own credential-stuffing assault. 

Also, a larger discussion has been sparked by the situation. Some security experts have suggested methods to completely do away with passwords, such as replacing them with security keys, biometrics, and FIDO (Fast Identity Online) technology. This is because nearly two-thirds of people reuse passwords to access various websites.
Read more »
FBI
Credential Stuffing Credentials Theft Cyber Attacks FBI

FBI Alerts About Credential Stuffing Attacks, Configurations and Proxies Used


What is Credential Stuffing?

Credential stuffing attacks, also known as account cracking , consist trying to get online accounts via password and username combos from existing data leaks or which were bought on dark web forums. 

Depending on the fact that users keep using the same login for various accounts, credential stuffing attacks usually lead to significant financial damage caused by fraud purchases and system remediation and downtime, but also lead towards reputational damage. 

How is the attack done?

The use of authentic credentials lets hackers to access accounts and services across different sectors, this includes healthcare, media companies, restaurant groups, retail chains, and food delivery firms. 

Once the accounts are breached, the hackers make fake purchases of goods and services, trying to access extra online resources, this includes additional financial accounts. FBI warns that proxies and configurations let cybercriminals to automate exploitation and brute force of accounts. 

FBI involved 

FBI said in particular, media companies and restaurant groups are considered lucrative targets for credential stuffing attacks due to the number of customer accounts, the general demand for their services, and the relative lack of importance users place on these types of accounts. 

FBI has issued a warning that hackers can buy combo lists of login credentials from dedicated platforms and websites with configs (configurations) that let hackers to modify credential stuffing tools for targeting victims. 

The configuration consists HTTPS request format, website's address, how to identify successful attempts, if proxies are needed etc. The FBI also said that cybercriminals can get video tutorials to learn how credential stuffing can use to hack accounts. 

Security Week says "to bypass defenses, threat actors may employ proxies, including legitimate proxy services, to obfuscate their actual IP addresses. According to the FBI, cybercriminals have extensively used residential proxies to execute credential stuffing attacks, as these are blocked less frequently compared to proxies associated with data centers."

Read more »
Financial Data Breach
Credential Stuffing Data Breach EV sector Financial Data Breach

E-Bike Phishing Sites Abuse Google Ads to Push Scams

 

A large-scale phishing campaign making headlines involving over 200 scam sites that are deceiving users into providing their sensitive data to the fake investments schemes impersonating genuine brands.
Following the news, two cyber security analysts Ankit Dobhal and Aryan Singh have stated in their research that this phishing campaign has caused financial damages of up to $1,000,000, coming from tens of thousands of victims. 

The fraudulent operation was discovered by the Singaporean security firm CloudSEK, which has shared its report with media firms enunciating that this phishing campaign apparently victimized the Indian audiences through Google Ads and SEO by drawing them to hundreds of fake websites. 

The Indian government has recently launched favorable policies to uplift the growth of the country's electric vehicle sector. According to the Indian analysis reports, before the end of this decade, these new policies will bring a growth of 90% (CAGR) for the Indian EV sector, making it a $200 billion sector. The Country is already experiencing a boost in this sector, over 400 EV start-ups have already taken place while existing automotive companies are also promoting their operations in the EV sector. 

Because of the boom in this industry, the group of Cyber threat actors victimized people with an explosion of websites attempting to exploit victims with fake information. The malicious actors ensure a steady influx of potential victims by abusing Google Ads, stuffing their phony sites with keywords, and impersonating popular companies such as Revolt and Ather. 

It has been noticed in many cases that the threat actors simply copy the content, layout, style, and all images of the genuine sites and create clones. Furthermore, in other cases, the scammers make entirely fictional marketplaces using generic words like "ebike". 

When users login into the websites, the scammers instruct them to enter their full address including their names, email addresses, contact numbers, to register on the platforms. After the registration, the scammers ask them to pay the required fee to become an EV dealer or purchase a product on the site.
Read more »
User Security
Credential Stuffing Cyber Attacks User Privacy User Security

Verizon’s Visible Network Acknowledges Credential Stuffing Attack

 

Visible, an all-digital wireless carrier has finally acknowledged that attackers secured access to customer accounts last week. However, the firm denied the rumors of any intrusion on its backend infrastructure.

US-based firm, which is owned by Verizon, acknowledged the attack after multiple users voiced their complaints on Reddit and other social media sites, saying that attackers hacked their Visible accounts, changed login passwords, updated shipping addresses, and then bought and charged new smartphones to the compromised accounts. 

After facing severe criticism, a Visible spokesperson came forward and confirmed the attack in a Twitter thread, writing that the company was "aware of an issue in which some member accounts were accessed and/or charged without their authorization."

"As soon as we were made aware of the issue, we initiated a review and deployed tools to mitigate the issue, enabling additional controls to further protect our members. Our investigation indicates that threat actors were able to access username/passwords from outside sources, and exploit that information to login to Visible accounts," the company claimed. 

The carrier is now urging affected customers to contact them and change the account password immediately. 

"I spotted a $1,175.85 charge to my account coming from Visible. Upon examining further, I discovered a 128GB iPhone 13 Pro Max that had been purchased and sent to an address in New York City, far away from my home in the DC/Virginia area," the company’s user wrote on Reddit account.

"Visible basically offered nothing. I asked them what the hell is this, and they asked me if I had the order number. I said no, since my entire account was hijacked and the emails don't come to me. I asked if I can be given access to my account again, and they said 'We're not sure.' I should be hearing back within 24-48 hours," the user wrote.

In a later message on Reddit, the company denied the allegations of any breach or exploit, claiming that only "a small number of member accounts was changed without their authorization. We don't believe that any Visible systems have been breached or compromised, nor that this unauthorized access to your Visible account is ongoing," the company stated.

"However, for your protection, we recommend you review your account contact information and change your password and security questions to your Visible account. We also recommend that you review any other accounts that share the same email, login, or password, and make any changes you determine necessary to secure those accounts," the firm advised. 

Earlier this year in August, cybercriminals targeted T-Mobile's systems, exposing the sensitive information of more than 50 million current, former, and prospective customers. This indicates that cybercriminals are oozing with confidence and are not hesitating in taking down the big firms.
Read more »
Personal Data
Azure Credential Stuffing Credentials Leak Dark Web Data Breach Disney Mozilla Mozilla Firefox Personal Data

Mozilla: Maximum Breached Accounts had Superhero and Disney Princes Names as Passwords

 

The passwords that we make for our accounts are very similar to a house key used to lock the house. The password protects the online home (account) of personal information, thus possessing an extremely strong password is just like employing a superhero in a battle of heroes and villains. 

However, according to a new blog post by Mozilla, superhero-themed passwords are progressively popping up in data breaches. Though it may sound absurd - following the research done by Mozilla using the data from haveibeenpwned.com, it was evident that most frequent passwords discovered in data breaches were created on either the names of superheroes or Disney princesses. Such obvious passwords make it easier for hackers to attack and hijack any account or system. 

While analyzing the data it was seen that 368,397 breaches included Superman, 226,327 breaches included Batman, and 160,030 breaches had Spider-Man as their passwords. Further, thousands of breaches featured Wolverine and Ironman as well. And not only this research from 2019 showed that 192,023 breached included Jasmine and 49,763 breached included Aurora as their password.

There were 484,4765 breached that had password as ‘princess’ and some Disney + accounts had password as ‘Disney’. This is one of the biggest reasons that support data breaches by hackers and boost their confidence.

With the increasing frequency of compromised account credentials on the dark web, a growing number of businesses are turning to password-less solutions. Microsoft has expanded its password-less sign-in option from Azure Active Directory (AAD) commercial clients to use Microsoft accounts on Windows 10 and Windows 11 PCs. 

Almost all of Microsoft's employees are passwordless, according to Vasu Jakkal, corporate vice president of the Microsoft Security, Compliance, Identity, and Management group.

"We use Windows Hello and biometrics. Microsoft already has 200 million passwords fewer customers across consumer and enterprise," Jakkal said. "We are going completely passwordless for Microsoft accounts. So you don't need a password at all," he further added. 

Though it's common to reuse passwords, it is highly dangerous, yet it's all too frequently because it's simple and people aren't aware of the consequences. Credential stuffing exploits take advantage of repeated passwords by automating login attempts targeting systems utilizing well-known email addresses and password pairings. One must keep changing their passwords from time to time and try to create a strong yet not so obvious password.
Read more »
Gaming
COVID-19 Credential Stuffing Cyber Attacks Discord Gaming

Attackers Pummelled the Gaming Industry During the Pandemic

 

According to Akamai, a content delivery network (CDN), the gaming business has seen more cyberattacks than any other industry during the COVID-19 pandemic. Between 2019 and 2020, web application attacks against gaming organizations increased by 340 %, and by as high as 415 % between 2018 and 2020. “In 2020, Akamai tracked 246,064,297 web application attacks in the gaming industry, representing about 4% of the 6.3 billion attacks we tracked globally,” reads Akamai’s Gaming in a Pandemic report. 

Cybercriminals frequently used Discord to coordinate their operations and discuss best practices on various techniques such as SQL Injection (SQLi), Local File Inclusion (LFI), and Cross-Site Scripting (XSS), according to the company. SQLi assaults were the most common, accounting for 59% of all attacks, followed by LFI attacks, which accounted for nearly a quarter of all attacks, and XSS attacks, which accounted for only 8%. 

“Criminals are relentless, and we have the data to show it,” Steve Ragan, Akamai security researcher and author of the report, was quoted as saying in a press release. “We’re observing a remarkable persistence in video game industry defenses being tested on a daily – and often hourly – basis by criminals probing for vulnerabilities through which to breach servers and expose information. We’re also seeing numerous group chats forming on popular social networks that are dedicated to sharing attack techniques and best practices.” 

Credential-stuffing attacks increased by 224% in 2019 compared to the previous year. Surprisingly, distributed denial-of-service (DDoS) attacks decreased by approximately 20% within the same period. Each day, millions of these attacks target the industry, with a peak of 76 million attacks in April, 101 million in October, and 157 million in December 2020, according to Akamai. 

Credential stuffing is a type of automated account takeover attack in which threat actors utilize bots to bombard websites with login attempts based on stolen or leaked credentials. They can then proceed to exploit the victims' personal data once they find the perfect mix of "old" credentials and a new website. 

Last year, these attacks grew so frequent that bulk lists of login names and passwords could be purchased for as little as $5 per million records on dark web marketplaces. Poor cyber-hygiene practices such as reusing the same passwords across many online accounts and employing easy-to-guess passwords could be blamed for the increase in attacks. 

“Recycling and using simple passwords make credential stuffing such a constant problem and effective tool for criminals. A successful attack against one account can compromise any other account where the same username and password combination is being used,” said Steve Ragan.
Read more »
GitHub
Credential Stuffing Cyber Security cybercriminals FTC GitHub

OpenBullet Exploited for Credential Stuffing

 

Credential stuffing, a form of access-related cybercrime, is on the rise and shows no signs of slowing down. Between January 2018 and December 2019, there were 88 billion credential stuffing attacks, according to an Akamai survey.

Credential stuffing is a form of cyberattack in which compromised account credentials are used to obtain unauthorized access to user accounts through large-scale automatic login requests directed towards a web application, usually consisting of lists of usernames and/or email addresses and the corresponding passwords (often from a data breach). Credential stuffing attacks, unlike credential hacking, do not try to brute force or guess any passwords. Using standard web automation software like Selenium, cURL, PhantomJS, or tools built especially for these types of attacks like Sentry MBA, SNIPR, STORM, Blackbullet, and Openbullet, the intruder easily automates the logins for a significant number (thousands to millions) of previously discovered credential pairs. 

Since many users repeat the same username/password combination across different pages, credential stuffing attacks are likely. According to one poll, 81 percent of users have reused a password across two or more sites, and 25% of users use the same password across a number of their accounts. 

OpenBullet is a free web-testing tool that allows users to make particular requests on specific web pages. The open-source tool is available on GitHub and can be used for a variety of activities, including data scraping and sorting, automatic penetration testing, and Selenium unit testing. 

For legitimate reasons, such as penetration testing, the app allows users to try several "login:password" variations as credential brute-force attacks on various websites. Cybercriminals, on the other hand, will use it to find legitimate passwords on various websites for nefarious purposes.

A user can import prebuilt configuration files or configs into OpenBullet, one for each website to be checked. It also has a modular editor for making changes to configurations as desired. This is a required function since websites also make minor changes to the way users link to them in order to combat automatic tools like OpenBullet. OpenBullet's GitHub profile, for example, has a note that the tool should not be used for credential stuffing on websites that the user does not own. 

The Federal Trade Commission (FTC) released an advisory in 2017 advising businesses about how to combat credential stuffing, including requiring safe passwords and preventing attacks.
Read more »
Hacking
Credential Stuffing Credit Card Data Breach Hacking

Clothing Brand 'The North Face' Hit By Credential Stuffing Attack, Suffers Data Breach

 

After North Face's website faced a credential stuffing attack, the company has reset the customers' credentials. In a recent cybersecurity incident, North Face informed its customers that it suffered a data breach attack. On its website, the customers can explore through clothing and accessories collection and buy apparel; they can also earn loyalty points when they buy a thing. Further inquiry revealed that hackers attacked The North Face on 8th and 9th October. 

The North Face says, "we strongly encourage you not to use the same password for your account at thenorthface.com that you use on other websites because if one of those other websites is breached, your email address and password could be used to access your account at thenorthface.com. Besides, we recommend avoiding using easy-to-guess passwords." In credential stuffing, hackers attack users who re-use their login credentials for different accounts or platforms. The hackers use ID and passwords stolen from other attacks, for instance, a data breach, and use the credentials for hacking purposes. The hackers use stolen login credentials to gain unauthorized access to websites. The entire process is mostly automatic, and now the hackers have modified their strategies and gained leverage in these types of attacks. 

Hackers have been successful in stealing data from prominent organizations like Dunkin Doughnut. The company suffered two cyberattacks in three months. As per the investigation, The North Face believes that it is probable that the hackers stole user credentials from any other source or website and used that information to attack the company's user accounts. According to StatSocial, The North Face leads the U.S market in the clothing and accessories segment, generating $2 Billion of the total $4 Billion revenue in 2019. 

The company didn't reveal the number of customers attacked; however, SimiliarWeb says that The North Face website had 6.96 Million customers in October. "We do not believe that the attacker obtained information from us that would require us to notify you of a data security breach under applicable law, but we are notifying you of the incident voluntarily, out of an abundance of caution," says The North Face.
Read more »
Subscribe to: Posts (Atom)