Zola, a well-known wedding planning business, was the victim of a security breach in which cybercriminals used credential stuffing to take over customer accounts. Instead of targeting Zola's own business systems and data, the attackers went after its customers' accounts.
Once inside the compromised accounts, the attackers attempted to purchase gift vouchers.
According to Zola's spokesperson, nearly 3,000 customer accounts (about 0.1% of the total) were compromised. Affected customers saw hundreds of dollars' worth of cash gifts or gift cards stolen from their accounts.
The attackers not only bought gift cards with the compromised accounts but also changed the email address on the victims' accounts, locking the real owners out. They then put the hijacked accounts up for sale on the dark web.
A few other victims reported fraudulent charges on credit cards linked to their Zola accounts. According to Emily Forrest, Director of Communications at Zola, "These hackers likely gained access to those set of exposed credentials on third-party sites and used them to try to log in to Zola and take bad actions. Our team jumped into action immediately to ensure that all couples and guests on Zola are protected… We understand the disruption and stress that this caused some of our couples, but we are happy to report that all attempted fraudulent cash fund transfer attempts were blocked. All cash funds have been restored."
Similarly, the US car manufacturer General Motors (GM) announced that it had been the victim of a credential stuffing attack in April. Using credentials that had been exposed elsewhere, the attackers logged in to some customer accounts and redeemed rewards points for gift cards.
What is credential stuffing?
Credential stuffing is a cyberattack in which cybercriminals take lists of credentials leaked from earlier breaches (usernames or email addresses paired with passwords, PINs and similar secrets) and feed them into automated bots that replay those pairs against the login pages of other services, taking over any account whose owner reused the same credentials. Unlike a brute-force attack, it does not guess: every pair it tries is known to have been valid somewhere.
Since many users reuse their login credentials across platforms and online services, a password compromised at one site very often works at others. Credential stuffing has gained notoriety for two reasons:
Massive leaks of databases containing credentials (for example, the Collection #1-5 dumps, which together held roughly 2.2 billion unique username and password combinations).
Sophisticated bot programs that spread the login attempts across many source IP addresses (proxies and botnets), so that no single address trips per-IP rate limits or lockout rules.
How to prevent credential stuffing attacks
Credential stuffing can be blunted by taking some simple yet effective security measures:
Have a unique password for every account you create: The simplest way to limit the damage from such an attack is to use a different password for each online service. Then, even if an attacker compromises one account, the stolen credentials cannot be replayed against your other accounts. This may seem daunting (how will you ever remember all those passwords?), but a password manager solves that problem.
Password length and complexity: Don't use easy-to-guess passwords. Ideally, use 16 to 20 characters with a mix of uppercase, lowercase, digits and special symbols. Note that strength alone does not stop a stuffing attack, because the attacker already holds the exact password; it matters because a strong password resists offline cracking when a breached site stored it hashed, so it is far less likely to end up in a usable dump.
Real-time intelligence, monitoring and notification: Beyond strong passwords, enterprises should deploy security tooling, or build it into their applications, that performs risk-based authentication and monitors login activity in real time. It should flag the signs of automation: spikes in failed logins, one IP address trying many different usernames, bursts of single failed attempts from many unrelated IP addresses, and successful logins from a new geolocation, browser or device. Checking newly set passwords against known breach corpora also removes the reused credentials that stuffing depends on.
Multi-factor authentication: Employees and customers should use multi-factor authentication (MFA). Even if the password is compromised, the attacker must also present a second factor, which an automated stuffing bot does not have. Phishing-resistant factors such as hardware security keys or passkeys are the strongest choice; one-time codes still stop bulk stuffing but can be phished or intercepted.
Seek expert guidance: To learn more about strengthening password and authentication controls, enterprises can seek guidance from cybersecurity specialists such as Packetlabs.
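The following script is an added example, not Packetlabs' tooling or code from any of the companies above. It shows the two attack shapes described earlier (one IP spraying many usernames, and many proxy IPs each making a single attempt) and the monitoring logic a risk-based authentication layer would apply to them. The log format, the thresholds, and the sample traffic are all constructed for illustration; real deployments would read their own web-server or identity-provider logs and tune thresholds against a baseline of normal traffic.

```python
"""Credential-stuffing detection over constructed authentication logs.

Added example: log format, thresholds and sample traffic are assumptions.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log (not real traffic):
# "<ISO 8601 timestamp> <client IP> <username> <OK|FAIL> <user agent>"
SAMPLE_LOG = """\
2022-05-20T10:00:01Z 203.0.113.10 alice@example.com FAIL python-requests/2.27
2022-05-20T10:00:02Z 203.0.113.10 bob@example.com FAIL python-requests/2.27
2022-05-20T10:00:02Z 203.0.113.10 carol@example.com OK python-requests/2.27
2022-05-20T10:00:03Z 203.0.113.10 dan@example.com FAIL python-requests/2.27
2022-05-20T10:00:03Z 203.0.113.10 erin@example.com FAIL python-requests/2.27
2022-05-20T10:00:04Z 203.0.113.10 frank@example.com FAIL python-requests/2.27
2022-05-20T10:01:10Z 198.51.100.7 grace@example.com FAIL Mozilla/5.0
2022-05-20T10:01:25Z 198.51.100.7 grace@example.com OK Mozilla/5.0
2022-05-20T10:02:00Z 192.0.2.21 heidi@example.com FAIL Mozilla/5.0
2022-05-20T10:02:01Z 192.0.2.22 ivan@example.com FAIL Mozilla/5.0
2022-05-20T10:02:01Z 192.0.2.23 judy@example.com FAIL Mozilla/5.0
2022-05-20T10:02:02Z 192.0.2.24 mallory@example.com OK Mozilla/5.0
2022-05-20T10:02:02Z 192.0.2.25 niaj@example.com FAIL Mozilla/5.0
2022-05-20T10:02:03Z 192.0.2.26 olivia@example.com FAIL Mozilla/5.0
2022-05-20T10:02:03Z 192.0.2.27 peggy@example.com FAIL Mozilla/5.0
2022-05-20T10:02:04Z 192.0.2.28 rupert@example.com FAIL Mozilla/5.0
"""


def parse_log(text):
    """Parse the constructed log format into a list of event dicts."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, ip, user, outcome, agent = line.split(maxsplit=4)
        events.append({
            "ts": datetime.fromisoformat(ts.replace("Z", "+00:00")),
            "ip": ip, "user": user, "ok": outcome == "OK", "agent": agent,
        })
    return events


def bucketize(events, window):
    """Group events into fixed windows starting at the earliest event."""
    t0 = min(e["ts"] for e in events)
    buckets = defaultdict(list)
    for e in events:
        buckets[t0 + ((e["ts"] - t0) // window) * window].append(e)
    return dict(sorted(buckets.items()))


def single_source_stuffing(events, min_users=5, min_fail_ratio=0.8):
    """Rule 1: one client IP trying many distinct usernames, mostly failing.
    A real user retries the same account; a stuffing bot walks a list."""
    per_ip = defaultdict(lambda: {"attempts": 0, "fails": 0, "users": set()})
    for e in events:
        s = per_ip[e["ip"]]
        s["attempts"] += 1
        if not e["ok"]:
            s["fails"] += 1
        s["users"].add(e["user"])
    flagged = {}
    for ip, s in per_ip.items():
        ratio = s["fails"] / s["attempts"]
        if len(s["users"]) >= min_users and ratio >= min_fail_ratio:
            flagged[ip] = {"distinct_users": len(s["users"]),
                           "fail_ratio": round(ratio, 2)}
    return flagged


def distributed_stuffing(events, window=timedelta(minutes=5), min_one_shot_fails=6):
    """Rule 2: many IPs that each make exactly one failed attempt inside one
    window. This is the proxy-rotation pattern that defeats per-IP rate limits,
    so it must be detected on the aggregate, not per address."""
    flagged = []
    for start, bucket in bucketize(events, window).items():
        per_ip = defaultdict(list)
        for e in bucket:
            per_ip[e["ip"]].append(e)
        one_shot_fails = sum(1 for evs in per_ip.values()
                             if len(evs) == 1 and not evs[0]["ok"])
        if one_shot_fails >= min_one_shot_fails:
            flagged.append({"window_start": start, "distinct_ips": len(per_ip),
                            "one_shot_fails": one_shot_fails, "attempts": len(bucket)})
    return flagged


def accounts_to_step_up(events, window=timedelta(minutes=5)):
    """Rule 3: successful logins that look like a stuffed credential hit.
    These accounts get step-up MFA and a forced password reset, not a lockout,
    because a legitimate owner may be among them."""
    suspects = set()
    bad_ips = set(single_source_stuffing(events))
    flagged_starts = {w["window_start"] for w in distributed_stuffing(events, window)}
    for start, bucket in bucketize(events, window).items():
        per_ip = defaultdict(list)
        for e in bucket:
            per_ip[e["ip"]].append(e)
        for ip, evs in per_ip.items():
            for e in evs:
                if e["ok"] and (ip in bad_ips or
                                (start in flagged_starts and len(evs) == 1)):
                    suspects.add(e["user"])
    return suspects


if __name__ == "__main__":
    evs = parse_log(SAMPLE_LOG)
    print("single-source sources:", single_source_stuffing(evs))
    print("distributed windows:", distributed_stuffing(evs))
    print("accounts to step up:", sorted(accounts_to_step_up(evs)))
```

On the sample traffic, rule 1 flags 203.0.113.10 (six usernames, five failures), rule 2 flags the window containing the eight 192.0.2.x addresses, and rule 3 returns the two accounts where a stuffed password actually worked, which is exactly the population Zola had to restore and reset. The legitimate user who mistyped once from 198.51.100.7 is not flagged by either rule.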
Credential stuffing is a notorious and widespread method hackers use to compromise user accounts. While the onus of protecting stored data rests with the enterprises that hold it, customers must also take adequate precautions, above all by never reusing a password across services.