Credential Stuffing Compromises More Than 1.1 Million Online Accounts

  • Written by Edward Gately
  • January 6, 2022
The millions of passwords in the wild tied to email addresses provide an easy attack vector.

A credential stuffing scheme has compromised more than 1.1 million online accounts in cyberattacks at 17 well-known companies.

That’s according to New York Attorney General Letitia James. Credential stuffing is a cyberattack in which attackers use lists of compromised user credentials to break into a system. Users tend to reuse the same passwords across multiple online services. This allows cybercriminals to use passwords stolen from one company for other online accounts.

“Right now, there are more than 15 billion stolen credentials being circulated across the internet, as users’ personal information stand in jeopardy,” James said.

An attacker that gains access to an account can use it in any number of ways. The attacker can view personal information associated with the account, including a name, address and past purchases. They can use this information in a phishing attack. If the account has a stored credit card or gift card, the attacker may be able to make fraudulent purchases.

Moreover, the attacker could sell the login credentials to another individual on the dark web.

Credential Stuffing Investigation

The Office of the Attorney General (OAG) compiled credentials to compromised accounts at 17 well-known companies. Those include online retailers, restaurant chains and food delivery services. In all, the OAG collected credentials for more than 1.1 million customer accounts. All appeared to have been compromised in credential stuffing attacks.

The OAG alerted each of the 17 companies to the compromised accounts. It urged the companies to investigate and take steps to protect impacted customers. Every company did so. The companies’ investigations revealed that most of the attacks had not previously been detected.

In light of the growing threat of credential stuffing, the OAG launched an investigation to identify businesses and consumers impacted by this attack vector. Over a period of several months, the OAG monitored several online communities dedicated to credential stuffing. It found thousands of posts with customer login credentials that attackers had tested in a credential stuffing attack. Moreover, it confirmed the credentials could be used to access customer accounts at websites or on apps.

The OAG also worked with the companies to determine how attackers had circumvented existing safeguards and provided recommendations for strengthening their data security programs to better secure customer accounts in the future. Over the course of the OAG’s investigation, nearly all of the companies implemented, or made plans to implement, additional safeguards.
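
Because most of the attacks described above had gone undetected, the following added example (not part of the original article or the OAG's findings) shows one basic detection a defender can run over login logs: flag sources that try many distinct accounts and mostly fail, then list the accounts that did log in from those sources. The log format, sample events, function names and thresholds are constructed assumptions.

```python
from collections import defaultdict

# Constructed sample login events: timestamp, source IP, username, outcome.
SAMPLE_LOG = """\
2022-01-05T10:00:01Z 203.0.113.7 alice@example.com FAIL
2022-01-05T10:00:02Z 203.0.113.7 bob@example.com FAIL
2022-01-05T10:00:03Z 203.0.113.7 carol@example.com FAIL
2022-01-05T10:00:04Z 203.0.113.7 dave@example.com OK
2022-01-05T10:00:05Z 203.0.113.7 erin@example.com FAIL
2022-01-05T10:00:06Z 203.0.113.7 frank@example.com FAIL
2022-01-05T10:01:00Z 198.51.100.20 grace@example.com FAIL
2022-01-05T10:01:20Z 198.51.100.20 grace@example.com FAIL
2022-01-05T10:01:45Z 198.51.100.20 grace@example.com OK
2022-01-05T10:02:00Z 192.0.2.44 heidi@example.com OK
"""

def parse_events(text):
    """Return (ip, user, succeeded) tuples, skipping malformed lines."""
    events = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) == 4 and parts[3] in ("OK", "FAIL"):
            events.append((parts[1], parts[2], parts[3] == "OK"))
    return events

def stuffing_sources(events, min_accounts=5, max_success_ratio=0.25):
    """Flag IPs that try many distinct accounts and mostly fail.

    Thresholds are illustrative assumptions, not values from the article.
    """
    tried = defaultdict(set)   # ip -> accounts attempted
    ok = defaultdict(set)      # ip -> accounts logged in successfully
    for ip, user, succeeded in events:
        tried[ip].add(user)
        if succeeded:
            ok[ip].add(user)
    return {ip for ip, users in tried.items()
            if len(users) >= min_accounts
            and len(ok[ip]) / len(users) <= max_success_ratio}

def accounts_to_reset(events, sources):
    """Accounts with a successful login from a flagged source."""
    return sorted({user for ip, user, succeeded in events
                   if succeeded and ip in sources})

if __name__ == "__main__":
    events = parse_events(SAMPLE_LOG)
    flagged = stuffing_sources(events)
    print("suspected sources:", flagged)
    print("accounts to reset:", accounts_to_reset(events, flagged))
```

Counting per source IP misses attempts spread across many addresses, so in practice the same grouping is also applied to other request attributes and to the site-wide ratio of failed logins.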

Easy Attack Vector

James McQuiggan is security awareness advocate at KnowBe4.

“With over 8.4 million passwords in the wild and over 3.5 billion of those passwords tied to actual email addresses, it provides a starting point and easy attack vector for cybercriminals to target various online sites that utilize accounts for their customers,” he said. “These types of attacks give access to personal information about the user, their tax information and of course, their Social Security numbers for them and possibly their immediate family. Additionally, cybercriminals recognize that many organizations or users will not implement additional security measures and use the same password across various website accounts.”

Organizations can protect their customers, users or employees by requiring multifactor authentication (MFA) from an authenticator app or possibly a text message with a code needed to log in with the password, McQuiggan said.

“If users set up accounts with the previously exposed passwords, they are making it easy for cybercriminals to steal their data,” he said. “Users should ensure they are using strong passwords or passphrases for their various website accounts and, where available, MFA to secure their accounts. This way, in the event of a password credential stuffing attack, it will reduce their risk of exposure to losing their sensitive information.”

Stop Using Old Passwords

Users need to stop using old passwords that were involved in data breaches, McQuiggan said.

The easiest way to see if one’s accounts have been involved in a breach is to check HaveIBeenPwned.com, he said. It tracks email addresses and phone numbers that have been in data breaches over the past 15 years.

Sam Jones is vice president of product management at Stellar Cyber.

“The best practice for enterprises to prevent credential stuffing is to stick to the basics,” he said. “Enforce strong MFA and go passwordless if possible. For end users, given we still live in a password world, the best thing you can do is ensure you don’t reuse passwords across services.”
