American outdoor recreation retailer The North Face has reset the passwords of some of its customers following a credential stuffing attack launched on October 8 and 9.
Credential stuffing is a popular technique used by criminals to compromise user credentials.
It is important that organisations put in place robust security controls to minimise the likelihood of successful credential stuffing attacks by monitoring login attempts and restricting persistent failed logon attempts. In addition, organisations should offer multi-factor authentication (MFA) to users.
From a user perspective, education and awareness are important; in particular, to use MFA where it is made available. It’s also important that users don’t reuse passwords across various sites, which is what makes credential stuffing attacks possible. Using password managers can help greatly in this regard.
Credential stuffing attacks are becoming more and more common, particularly in the retail sector. With the festive season around the corner, we are going to see even more cybersecurity incidents impacting retailers. Mimecast monitoring shows that retail & wholesale has remained the top targeted sector recently, with 1.85 million total malicious detections in October alone.
Huge volumes of data have been compromised in many data breaches, and these pose an increased risk of credential stuffing attacks, where a range of accounts may be attacked utilising data from old breaches. If you have used basic passwords for some time for any online accounts, or in particular use the same password for multiple online accounts, this will significantly increase the risk of compromise even further. Now is a good time to consider refreshing your passwords for any online accounts you use, ensuring they are specific to a site and not easily guessed, and reviewing whether new security settings or options have become available to increase your security, such as multi-factor authentication. Individuals can take these basic steps now to help prevent any compromise or fraud taking place which might utilise their details.
This is digital socialism, where the service provider has to somewhat inconvenience the many to protect the few who cannot be trusted to keep themselves safe. Essentially, a credential stuffing attack works when password reuse is in play, meaning those who were affected had already breached basic security advice. It is good to see a vendor choosing to prioritize the security of those few over the impact this can potentially have on revenue flows, as some users may be dissuaded by the password change. Well managed.
Given the vast volume of stolen credentials out there, hackers launch credential stuffing attacks using automated bots. Compromised accounts can give hackers access to personal information, including usernames, passwords, and credit card numbers, which further fuel the cycle of attacks. Automated attacks such as these not only expose businesses to data breaches and compliance penalties but also increase operational costs.
Businesses must protect their consumers’ accounts by requiring multi-factor authentication where possible, for example by requiring biometrics on mobile devices, and by using bot management solutions to stop automated attacks. Consumers must ensure the use of strong passwords by using password managers and by turning on multi-factor authentication on their end as well. They must also continue to monitor their credit report for signs of identity theft.
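The controls the comments above describe, monitoring login attempts and restricting persistent failed logons (the first comment) and stopping automated attacks (the last one), can be demonstrated with a small detector over authentication logs. The example below is added here and is not code from the article, from the quoted experts or from The North Face. It assumes a simple one-line-per-attempt log format; the log lines, source IPs, usernames and threshold values are constructed for illustration. The point it makes that the prose does not: credential stuffing looks different from a classic brute force. One source tries many distinct usernames, usually once each, with a high failure rate, so a per-account lockout on its own never fires; the source has to be keyed on too, and any successful login from a flagged source is the account to reset, which is what the retailer did.

```python
import re
from collections import defaultdict, deque
from dataclasses import dataclass
from datetime import datetime, timezone

# Constructed sample authentication log (not real data). Three behaviours are mixed:
#   203.0.113.7  -> credential stuffing: one attempt per username, mostly failures
#   198.51.100.9 -> classic brute force against a single account (alice)
#   192.0.2.10   -> a legitimate user who mistypes once, then logs in
SAMPLE_LOG = """\
2023-10-08T22:00:01Z ip=203.0.113.7 user=alice result=FAIL
2023-10-08T22:00:02Z ip=203.0.113.7 user=bob result=FAIL
2023-10-08T22:00:02Z ip=192.0.2.10 user=bob result=FAIL
2023-10-08T22:00:03Z ip=203.0.113.7 user=carol result=FAIL
2023-10-08T22:00:04Z ip=198.51.100.9 user=alice result=FAIL
2023-10-08T22:00:05Z ip=203.0.113.7 user=dave result=FAIL
2023-10-08T22:00:06Z ip=198.51.100.9 user=alice result=FAIL
2023-10-08T22:00:07Z ip=203.0.113.7 user=erin result=OK
2023-10-08T22:00:08Z ip=198.51.100.9 user=alice result=FAIL
2023-10-08T22:00:09Z ip=192.0.2.10 user=bob result=OK
2023-10-08T22:00:10Z ip=203.0.113.7 user=frank result=FAIL
2023-10-08T22:00:11Z ip=198.51.100.9 user=alice result=FAIL
2023-10-08T22:00:12Z ip=203.0.113.7 user=grace result=FAIL
2023-10-08T22:00:13Z ip=198.51.100.9 user=alice result=FAIL
2023-10-08T22:00:15Z ip=198.51.100.9 user=alice result=FAIL
"""

# Assumed log format; adjust the pattern to match the real application's logs.
LINE_RE = re.compile(
    r"^(?P<ts>\S+) ip=(?P<ip>\S+) user=(?P<user>\S+) result=(?P<result>OK|FAIL)$"
)


@dataclass(frozen=True)
class Attempt:
    ts: float   # seconds since the epoch
    ip: str
    user: str
    ok: bool


def parse_log(text):
    """Parse the constructed log format into Attempt records, oldest first."""
    attempts = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # ignore lines that do not match the expected format
        ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
        attempts.append(Attempt(ts.timestamp(), m["ip"], m["user"], m["result"] == "OK"))
    return sorted(attempts, key=lambda a: a.ts)


def stuffing_sources(attempts, window=300, min_users=5, min_fail_ratio=0.8):
    """Flag source IPs that try many distinct usernames with mostly failures
    inside a sliding window of `window` seconds. Returns the set of flagged IPs."""
    recent = defaultdict(deque)  # ip -> attempts inside the current window
    flagged = set()
    for a in attempts:
        q = recent[a.ip]
        q.append(a)
        while q and a.ts - q[0].ts > window:
            q.popleft()  # drop attempts that fell out of the window
        users = {x.user for x in q}
        fails = sum(1 for x in q if not x.ok)
        if len(users) >= min_users and fails / len(q) >= min_fail_ratio:
            flagged.add(a.ip)
    return flagged


def locked_accounts(attempts, max_fails=5, window=300):
    """Per-account control: lock after `max_fails` consecutive failures within
    `window` seconds. A success resets the streak. Catches brute force, not stuffing."""
    streak = {}  # user -> (consecutive failures, ts of first failure in streak)
    locked = set()
    for a in attempts:
        if a.ok:
            streak.pop(a.user, None)
            continue
        count, start = streak.get(a.user, (0, a.ts))
        if a.ts - start > window:
            count, start = 0, a.ts  # streak too old, start a new one
        count += 1
        streak[a.user] = (count, start)
        if count >= max_fails:
            locked.add(a.user)
    return locked


def compromised_accounts(attempts, flagged_ips):
    """Accounts that logged in successfully from a flagged source: these get a reset."""
    return {a.user for a in attempts if a.ok and a.ip in flagged_ips}


def triage(text):
    attempts = parse_log(text)
    flagged = stuffing_sources(attempts)
    return {
        "stuffing_ips": flagged,
        "locked": locked_accounts(attempts),
        "reset_password": compromised_accounts(attempts, flagged),
    }


if __name__ == "__main__":
    for name, value in triage(SAMPLE_LOG).items():
        print(f"{name}: {sorted(value)}")
```

On the sample, `locked_accounts` catches only `alice` (the brute-forced account), `stuffing_sources` flags only `203.0.113.7`, and `erin` is the account that needs a password reset because a valid credential from an old breach worked. The per-IP threshold is the easy part to evade: a botnet that spreads the list so each address tries one or two usernames stays under `min_users`, which is why the last comment pairs the login controls with bot management and why a global baseline of the failure rate across all sources is worth alerting on as well.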
Information Security Buzz (aka ISBuzz News) is an independent resource that provides expert comments, analysis and opinion on the latest information security news and topics.