Clothing Company J.Crew Says A Hacker Accessed Customer Accounts – Experts Comments

By ISBuzz Team, Writer, Information Security Buzz | Mar 06, 2020 10:47 am PST

It has been reported that clothing giant J.Crew has said an unknown number of customers had their online accounts accessed “by an unauthorised party” almost a year ago, but is only now disclosing the incident. The company said in a filing on Tuesday with the California attorney general that the hacker gained access to the customer accounts in or around April 2019. According to the letter, the hacker obtained information found in the customer’s online account — including card types, the last four digits of card payment numbers, expiration dates, and associated billing addresses. Online accounts also store the customer’s order numbers, shipping confirmation numbers, and shipment statuses.

4 Expert Comments
Robert Capps
March 6, 2020 6:52 pm

Credential stuffing is one of the most common types of attacks across the digital ecosystem. Within the NuData network, we see millions of credential stuffing attempts every day. The number of these credential stuffing attempts that have correct usernames and passwords is low. Still, if they are not detected, these attacks can access those accounts and any sensitive information in them. This seems to be what happened in the latest reported breach. With the potentially stolen customer data, bad actors can impersonate them online. The good news is that more and more companies are implementing behavioral and passive biometrics security tools to verify users based on their inherent patterns instead of relying on their personally identifiable information. With these technologies, bad actors have a much harder time using the stolen data from end-users.

Jason Kent, Hacker in Residence
March 6, 2020 6:51 pm

We see this every day: an application that doesn’t have protection against rapid credential testing. The attacker generates a list of usernames that work on an application. Once the usernames are known, the attackers test large numbers of passwords they have found or created. Eventually the attacker learns the usernames and passwords of several accounts, and in the next phase they attack. Both the testing and the attack are noisy, but often we find organizations aren’t instrumented to see the testing and attack phases.

The challenge is that this type of vulnerability is often considered low risk because it is up to the user to have a good password, change it regularly, include special characters, etc. In this case it’s easy to see that even though the user has some responsibility, the system shouldn’t be built in such a way that an attacker can test credentials and later construct an automated attack that isn’t noticed. Attacks against the API of a mobile application are often difficult to see happening because the design of an API normally includes the ability to be extremely fast, and thousands of transactions per second are possible. Knowing where these types of attacks can occur and instrumenting those endpoints to block automated attacks is the best prevention.

Jonathan Knudsen, Senior Security Strategist
March 6, 2020 6:48 pm

For users, there is nothing good about the credential stuffing attack at J. Crew, but there are some useful lessons to be learned.

First, credential stuffing is an attack where previously leaked lists of user names and passwords are used to gain unauthorised access to systems. Knowing this, the best course of action is to practice good password hygiene. Don’t re-use the same password across multiple sites, and make sure you are using a strong password that cannot be easily guessed. If your J. Crew password is also in use elsewhere, be certain you update your passwords to avoid future issues with this or other accounts.

The second lesson is that J. Crew did not make a public announcement about the attack until nearly a year later. What other attacks, involving your personal information, might have already occurred without your knowledge? Again, the best protection is good password hygiene. For especially valuable accounts, consider upping the bar with two-factor authentication.
