Privacy Awareness Week (Online Privacy): credential stuffing attacks are on the rise in Australia
By Cameron Abbott, Michelle Aggromito and Rebecca Gill
Today’s topic for Privacy Awareness Week is “online privacy”. It is no surprise that online privacy is a key topic of concern for businesses and consumers alike, given recent high-profile privacy breaches. Of particular significance is the issue of credential stuffing, as Australia is now the fifth highest target for credential stuffing attacks according to Akamai’s Credential Stuffing: Attacks and Economies report of April 2019 (Report).
Credential stuffing is a form of cyberattack where account credentials, usually usernames or email addresses and corresponding passwords, are stolen, typically from a previous security breach. The account credential combinations are then used to try and gain access to accounts at other sites via an automated and large-scale web application directed to multiple logins. It relies on individuals using the same password across multiple sites. K&L Gates has previously blogged on a high-profile credential stuffing attack that can be found here.
The key findings of the Report include:
- the largest credential stuffing attacks of 2018 occurred in the video media sector. The market for stolen media and entertainment accounts is thriving as the accounts are sold in bulk;
- the attacks usually occurred after reported data breaches; and
- checker programs (or “All-in-One” applications) such as SNIPR are common. These programs allow attackers to validate stolen credentials or to generate combination lists. The credentials can then be sold, traded or harvested for various types of personal information.
Recent credential stuffing attacks demonstrate how your entire digital life can be exposed following a data breach paired with a credential stuffing attack. A successful credential stuffing attack can significantly damage a brand’s reputation and increase its operational costs – even though the attack wasn’t the brand’s fault.
Businesses should consider implementing multi-factor authentication, which can be effective in preventing credential stuffing attacks. Consumers should also be educated about phishing emails and the dangers of using the same password for all logins!