Researchers have discovered a possible credential stuffing operation whose origins are unknown, but that affected online users who have Spotify accounts. The researchers uncovered an Elasticsearch database containing over 380 million records, including login credentials and other user data being validated against the Spotify service.
A staggering 53% of consumers admit to reusing the same password across multiple sites, even knowing the risks associated. This poor password hygiene allows cybercriminals the opportunity and access to various accounts for the same individual across multiple services, rendering their digital footprint incredibly vulnerable as a result. All consumers, not just users impacted by this incident, need to make a habit of diversifying their login credentials across different accounts in order to mitigate the chances of their account being hijacked.
Companies can prevent credential stuffing by adopting advanced security solutions that identify suspicious logins and take action before breaches can occur. These controls enable businesses to verify users’ identities and enforce measures, such as multi-factor authentication (MFA), which can limit an attacker’s chance of hijacking a corporate email address in the first place. All companies should understand that it is essential to have full visibility and control over their customer data in order to prevent a breach. To do so, organisations must implement security solutions that remediate misconfigurations, enforce real-time access control, encrypt sensitive data at rest, manage the sharing of data with external parties, and prevent the leakage of sensitive information.
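As an added illustration of the "identify suspicious logins" control described above (example code written for this page, not a product mentioned in it), the detector below scans authentication log lines for the credential-stuffing signature: one source trying many distinct accounts in a short time with mostly failures. The log format, the sample lines and the thresholds are all assumptions.

```python
# Added example (not from the article): flag credential-stuffing sources in an auth log
# and list accounts needing step-up. Assumed format: "<ISO ts> <src IP> <user> <OK|FAIL>".
from collections import defaultdict
from datetime import datetime

# Constructed sample log: one source cycling through many accounts (stuffing),
# one user mistyping their own password, one normal login.
SAMPLE_LOG = """\
2020-11-23T10:00:01 203.0.113.7 alice FAIL
2020-11-23T10:00:02 203.0.113.7 bob FAIL
2020-11-23T10:00:02 203.0.113.7 carol FAIL
2020-11-23T10:00:03 203.0.113.7 dave OK
2020-11-23T10:00:03 203.0.113.7 erin FAIL
2020-11-23T10:00:04 203.0.113.7 frank FAIL
2020-11-23T10:05:00 198.51.100.9 alice FAIL
2020-11-23T10:05:10 198.51.100.9 alice FAIL
2020-11-23T10:05:20 198.51.100.9 alice OK
2020-11-23T11:00:00 192.0.2.5 bob OK
"""

def parse_line(line):
    ts, ip, user, result = line.split()
    return datetime.fromisoformat(ts), ip, user, result

def find_stuffing_sources(log, min_users=5, min_fail_ratio=0.6, window_s=300):
    """Flag sources that hit >= min_users distinct accounts within window_s
    seconds with a failure ratio >= min_fail_ratio. Thresholds are assumptions."""
    events = defaultdict(list)
    for line in log.splitlines():
        if line.strip():
            ts, ip, user, result = parse_line(line)
            events[ip].append((ts, user, result))
    flagged = {}
    for ip, evs in events.items():
        evs.sort()  # chronological order per source IP
        users = {u for _, u, _ in evs}
        fails = sum(1 for _, _, r in evs if r == "FAIL")
        span = (evs[-1][0] - evs[0][0]).total_seconds()
        ratio = fails / len(evs)
        if len(users) >= min_users and ratio >= min_fail_ratio and span <= window_s:
            flagged[ip] = {
                "distinct_users": len(users),
                "fail_ratio": ratio,
                # Accounts the source got into: their password was reused, so force
                # a reset and require MFA before the session is trusted.
                "step_up_required": sorted(u for _, u, r in evs if r == "OK"),
            }
    return flagged
```

A production detector would evaluate the same counters over sliding windows and per-ASN as well as per-IP, since stuffing tools rotate source addresses; the logic per window is unchanged.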
This is a great example of why single authentication mechanisms are so weak. It can be hard for individuals to remember all the accounts they hold and to keep up to date with every data breach that is happening. Therefore, organizations should enable their end-users to be as security-first and conscious as possible. An easy way for organizations to do this is by streamlining access via a single sign-on platform, securing their access via two-factor authentication to protect them against risks like those the Spotify end-users experienced.
Personally identifiable information and especially decrypted passwords are always valuable. According to statistics, 55% of people use the same password for the majority of the services they use.
It is no surprise that bad actors frequently focus on getting access to repositories storing this type of information.
It is critical that we all become aware of and understand the risks facing our data – especially passwords. Everyone should know how high the chances of a data breach are and that you will not always be aware of a breach and sometimes you won’t be informed at all.
While this is a key takeaway for end users, there is also something in it for enterprises that process this critical data.
While there is no sure-fire way to prevent attackers from getting access to an enterprise network, there are solutions that protect valuable customer information. Being able to not only protect passwords but also related personal data reduces the risk of misuse of data and resulting reputational damage drastically. Companies should look to deploy data security tactics such as stateless tokenization to protect the privacy of their customers.
This exposure goes to illustrate that criminals don’t need sophisticated technical hacking abilities to compromise accounts; rather, they can take advantage of lax security practices on the part of users. Credentials are a particular area in which users are left exposed because they either choose weak passwords, or reuse them across different sites.
It’s why it’s important that users understand the importance of choosing unique and strong passwords across their accounts and, where available, enable and use MFA. That way, even if an account is compromised, it won’t be possible for attackers to use those credentials to breach other accounts.
This is probably the simplest step an organization can take to begin to create a culture of cybersecurity awareness – encourage unique, non-repeatable passwords. Our opponents are very sophisticated; we don’t need to be making it any easier for them than necessary.