Canadian Underwriter

Credential stuffing: Canada’s newest cyber threat

April 15, 2019 by Jason Contant


A new cyber threat called “credential stuffing” is emerging, and Canada is the third-most targeted country in the world, according to a new report.

Credential stuffing is when hackers take a stolen username and password and then try them on different sites to see if they can access information anywhere else. It’s based on the assumption that consumers use the same login and password for multiple services, said a press release last week by Cambridge, Mass.-based Akamai, a secure digital platform creator.

“If I can get your details from one site and use them on another like your Uber account, PayPal or an airline, I can start using your accounts for financial gain,” Lindsey Nelson, international cyber practice leader with specialist insurer CFC Underwriting, said Friday. “While the value of a username or password is limited, it’s how it can be monetized that makes it valuable.”

Akamai’s State of the Internet/Security Volume 5 report noted the company recorded nearly 30 billion credential stuffing attacks in 2018. Each attack represented an attempt by a person or computer to log in to an account with a stolen or generated username and password. The vast majority of these attacks were performed by botnets (groups of computers tasked with various commands) or all-in-one applications that allow an attacker to validate stolen or generated credentials.

The United States was the most targeted country (with just over 4 billion credential stuffing attacks), followed by Russia (over 2.5 billion attacks) and Canada (almost 1.5 billion attacks). Vietnam and India were in fourth and fifth place, with 626 million and 625 million attacks, respectively.

There is a thriving underground marketplace for compromised accounts, with many accounts compromised via credential stuffing selling for as little as US$3.25, the report noted. Media organizations, gaming companies and the entertainment industry are among the biggest targets of credential stuffing attacks.

In early 2019, an anonymous person published nearly one terabyte of data, amounting to more than 25 billion email address and password combinations. Once the duplicates and unusable entries were removed, there were still billions of combinations available in various places online at the time Akamai’s report was written.

“The impact that credential stuffing criminals can have on businesses is wide-reaching – combination lists like the ones anonymously released earlier this year are just the tip of the iceberg,” the report said. “When a credential stuffing attack is successful, the brand takes a hit to its reputation (even if it isn’t their fault), and faces increased operational costs as incident response, payroll, crisis communications and other associated expenses start to mount.”

While there is greater awareness among businesses, Nelson said, “we’re seeing more incidents and they are easier to commit than ever before. I cannot stress the importance of unique passwords, password managers and multi-factor authentication for online businesses to protect themselves, their customers and ultimately their reputation.”