Hoard Of Spotify User Data Exposed By Hackers’ Careless Security Practices – Experts Reaction

Researchers have discovered what appears to be a credential stuffing operation of unknown origin targeting people who hold Spotify accounts. They found an exposed Elasticsearch database containing more than 380 million records, including login credentials and other user data that were being validated against the Spotify service. The credentials were not taken from Spotify itself; they came from elsewhere and were being tested against Spotify logins to find accounts where the same password had been reused.

Ameet Naik, Security Evangelist
November 24, 2020 10:54 am

Hackers can profit enormously from credentials present in large database leaks such as these. Since a large number of users reuse their passwords across multiple services, hackers run credential stuffing attacks to check the validity of these credentials against multiple services. These automated attacks, also known as Account Takeover (ATO) are growing in size and scope, up 72 percent over the prior year. Businesses need to protect their login pages from ATO attacks using bot management solutions. Users must use strong, unique passwords on each service and use multi-factor authentication where possible.

Hicham Bouali, EMEA Manager
November 24, 2020 10:59 am

The one detected at Spotify isn’t a data breach as such: the attackers just managed to find out that a stolen database (coming from somewhere else) with the combination of Username/Password could be verified against Spotify via credential stuffing.

As users very often juggle lazily with the same password for their different online accounts, cybercriminals use botnets, computer bots, to test thousands of combinations of IDs and passwords on well-known services. To prevent this type of attack, or any password-related attack (brute force, password spraying, etc.), the best solution is implementing multifactor authentication wherever possible.

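Ameet Naik's and Hicham Bouali's comments above both describe the same traffic pattern: a bot replaying a leaked username/password list against a login page, as opposed to hammering one account with many guesses. The following is an added example, not code from either commenter or from any vendor's bot-management product, of how a defender can tell the two apart from ordinary login logs. The log format (ISO timestamp, source IP, username, OK/FAIL), the sample lines and the thresholds are all assumptions constructed for illustration.

```python
"""Credential-stuffing vs. brute-force detection over login logs (added example).

SAMPLE_LOG is constructed for illustration and is not real Spotify data; the
line format (ISO timestamp, source IP, username, OK/FAIL) and the thresholds
are assumptions, not any vendor's detection logic.
"""
from collections import defaultdict
from datetime import datetime, timedelta

SAMPLE_LOG = """\
2020-11-24T10:00:01Z 203.0.113.7 alice@example.com FAIL
2020-11-24T10:00:02Z 203.0.113.7 bob@example.com FAIL
2020-11-24T10:00:02Z 203.0.113.7 carol@example.com OK
2020-11-24T10:00:03Z 203.0.113.7 dave@example.com FAIL
2020-11-24T10:00:03Z 203.0.113.7 erin@example.com FAIL
2020-11-24T10:00:04Z 203.0.113.7 frank@example.com FAIL
2020-11-24T10:00:10Z 198.51.100.9 alice@example.com FAIL
2020-11-24T10:00:15Z 198.51.100.9 alice@example.com FAIL
2020-11-24T10:00:20Z 198.51.100.9 alice@example.com FAIL
2020-11-24T10:00:25Z 198.51.100.9 alice@example.com FAIL
2020-11-24T10:00:30Z 198.51.100.9 alice@example.com OK
2020-11-24T10:05:00Z 192.0.2.44 grace@example.com OK
2020-11-24T10:06:00Z 192.0.2.44 grace@example.com OK
"""


def parse_log(text):
    """Return a list of (timestamp, ip, username, success) tuples."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, ip, user, result = line.split()
        stamp = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ")
        events.append((stamp, ip, user, result == "OK"))
    return events


def classify_sources(events, window=timedelta(seconds=60),
                     min_attempts=5, min_fail_ratio=0.5):
    """Flag each source IP whose densest burst of attempts looks automated.

    credential_stuffing: many distinct usernames, each tried about once
    (a leaked username/password list being replayed). A password-spraying
    run looks the same from this view, because only usernames and outcomes
    are logged, not the passwords tried.
    brute_force: one username hammered repeatedly.
    Successful logins inside a flagged burst are reported as likely ATOs.
    """
    by_ip = defaultdict(list)
    for ts, ip, user, ok in events:
        by_ip[ip].append((ts, user, ok))

    verdicts = {}
    for ip, attempts in by_ip.items():
        attempts.sort()
        best = None
        j = 0
        for i in range(len(attempts)):
            # Extend the window end while attempts stay within `window` of attempt i.
            while j < len(attempts) and attempts[j][0] - attempts[i][0] <= window:
                j += 1
            burst = attempts[i:j]
            if best is None or len(burst) > len(best):
                best = burst
        if len(best) < min_attempts:
            continue
        failures = sum(1 for _, _, ok in best if not ok)
        if failures / len(best) < min_fail_ratio:
            continue
        users = {u for _, u, _ in best}
        if len(users) == 1:
            verdict = "brute_force"
        elif len(users) >= 0.8 * len(best):
            verdict = "credential_stuffing"
        else:
            verdict = "mixed_automated"
        verdicts[ip] = {
            "verdict": verdict,
            "attempts": len(best),
            "failures": failures,
            "distinct_users": len(users),
            "compromised": sorted(u for _, u, ok in best if ok),
        }
    return verdicts


if __name__ == "__main__":
    for ip, v in classify_sources(parse_log(SAMPLE_LOG)).items():
        print(ip, v)
```

On the constructed log, 203.0.113.7 is flagged as credential stuffing (six different accounts in three seconds, one success) and 198.51.100.9 as brute force (five attempts on one account); the accounts that succeeded inside a flagged burst are the ones to lock and re-verify. The same per-IP view is what a bot-management layer uses to decide when to step up to a CAPTCHA or MFA challenge.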
Chris Clements, VP
November 24, 2020 11:02 am

It’s easy to blame users for poor password hygiene, but the reality is that it’s very difficult to choose a single strong password. Even harder is to do so for every online account they might have and then keep up with them all. Password managers do a great job at alleviating this problem, but the free ones built into mobile devices or web browsers can present a problem for users if they need to log into an account from a different type of device; for example, the built-in Apple Keychain password manager works great on iPhones or Mac computers but not on Microsoft Windows PCs. Third-party password managers can solve this problem, but often require a subscription for use. There are a few that offer free tiers as well as open source options such as Bitwarden that offer good solutions.

Bill Santos, President and COO
November 24, 2020 11:03 am

This is probably the simplest step an organization can take to begin to create a culture of cybersecurity awareness – encourage unique, non-repeatable passwords. Our opponents are very sophisticated; we don’t need to be making it any easier for them than necessary.

Javvad Malik, Security Awareness Advocate
November 24, 2020 11:06 am

This exposure goes to illustrate that criminals don’t need sophisticated technical hacking abilities to compromise accounts, rather, they can take advantage of lax security practices on behalf of users. Credentials are a particular area in which users are left exposed because they either choose weak passwords, or reuse them across different sites.

It’s why it’s important that users understand the importance of choosing unique and strong passwords across their accounts and where available enable and use MFA. That way, even if an account is compromised, it won’t be possible for attackers to use those credentials to breach other accounts.

Felix Rosbach, Product Manager
November 24, 2020 11:09 am

Personally identifiable information and especially decrypted passwords are always valuable. According to statistics, 55% of people use the same password for the majority of the services they use.

It is no surprise that bad actors frequently focus on getting access to repositories storing this type of information.

It is critical that we all become aware of and understand the risks facing our data – especially passwords. Everyone should know how high the chances of a data breach are and that you will not always be aware of a breach and sometimes you won’t be informed at all.

While this is a key takeaway for end users, there is also something in it for enterprises that process this critical data.

While there is no sure-fire way to prevent attackers from getting access to an enterprise network, there are solutions that protect valuable customer information. Being able to not only protect passwords but also related personal data reduces the risk of misuse of data and resulting reputational damage drastically. Companies should look to deploy data security tactics such as stateless tokenization to protect the privacy of their customers.

Niamh Muldoon, Senior Director of Trust and Security EMEA
November 24, 2020 11:10 am

This is a great example of why single authentication mechanisms are so weak. It can be hard for individuals to remember all the accounts they hold and to keep up to date with every data breach that is happening. Therefore, organizations should enable their end-users to be as security-first and conscious as possible. An easy way for organizations to do this is by streamlining access via a single sign-on platform, securing their access via two-factor authentication to protect them against risks like the Spotify end-users experienced.

Anurag Kahol, CTO
November 24, 2020 1:40 pm

A staggering 53% of consumers admit to reusing the same password across multiple sites, even knowing the risks associated. This poor password hygiene allows cybercriminals the opportunity and access to various accounts for the same individual across multiple services, rendering their digital footprint incredibly vulnerable as a result. All consumers, not just users impacted by this incident, need to make a habit of diversifying their login credentials across different accounts in order to mitigate the chances of their account being hijacked.

Companies can prevent credential stuffing by adopting advanced security solutions that identify suspicious logins, taking action before breaches can occur. These controls enable businesses to verify users’ identities and enforce measures, such as multi-factor authentication (MFA), which can limit an attacker’s chance of hijacking a corporate email address in the first place. All companies should understand that it is essential to have full visibility and control over their customer data in order to prevent a breach. To do so, organisations must implement security solutions that remediate misconfigurations, enforce real-time access control, encrypt sensitive data at rest, manage the sharing of data with external parties, and prevent the leakage of sensitive information.
