If you haven’t heard, the Canada Revenue Agency suffered a data breach last weekend in which 5600 personal accounts were targeted in what the government describes as a credential stuffing attack.
What is Credential Stuffing?
Credential stuffing is a technique used to gain access to user accounts by using usernames and passwords that have been obtained from the dark web. There are billions of usernames and passwords for sale that can be used for spam campaigns, phishing attacks and account takeovers, as happened in the CRA attack.
Attackers collect large lists of usernames and passwords and use automated tools to try to log in to websites with those credentials. These attacks are easy to execute and have a high success rate because many people reuse their passwords across different websites. Credentials stolen from breaches of other sites, such as fitness trackers or social media sites, have a high chance of working on services that hold more sensitive data.
The Economics of Credential Stuffing
The security company Akamai detected 55 billion credential stuffing attacks over a 17-month period from November 2017 to the end of March 2019. Some industries were more heavily targeted than others, such as gaming, retail and media streaming sites. But no industry was immune.
Credential stuffing is a lucrative business for the bad guys. There are online “stores” selling lists of usernames and passwords called combo-lists. A single username and password can sell for $1 to $2. Combo-lists can contain anywhere from several thousand up to several million accounts, so the sellers make a lot of money on the sheer volume of accounts they have for sale.
The average success rate for credential stuffing is anywhere between 1% and 3%. In other words, for every 1 million accounts, attackers can potentially compromise between 10,000 and 30,000 accounts. It may not seem like a very high success rate, but when you consider the potential money to be earned from an attack it is a very successful exercise. For instance, credentials for an eBay account can be purchased for $3.50 with a potential maximum profit of $3,500. An Amazon account can be purchased for $2.00 with a potential maximum profit of $2,000. These are incredibly high profit margins.
Key Takeaways from the CRA Attack
There are several things we can learn from the CRA attack. Everyone whose CRA account was compromised also has other compromised accounts: their credentials were stolen from another site and are being used in other attacks. These attacks may not take place right away, but the credentials are on combo-lists that are being sold, so further attacks are inevitable. We all have numerous online accounts. Besides your main email and social media accounts, think about all of the accounts you probably have:
- Loyalty programs for the stores you shop from
- Online retail stores
- Online streaming services (Netflix, Disney)
- Data storage
- All of the online tools which require registration before you use them
Studies show that the average person has 120 online accounts associated with the same email address, while the average business user handles around 191 accounts.
As an internet user what can I do to be more secure?
1. Use a password manager
A password manager will generate a random password for each of your accounts and store them in an encrypted database so you don’t have to remember all your passwords, you only need to remember the password for the password manager.
2. Be proactive
The second thing we can do is be proactive in checking whether we have compromised accounts. Check out https://haveibeenpwned.com, a free breach notification service run by security researcher Troy Hunt. The site tracks over 8.5 billion compromised credentials. Enter your email address and the service will tell you if the account was stolen and is for sale on the dark web. If you do have accounts listed, immediately change your password on those accounts.
3. Use two-factor or multi-factor authentication
Two-factor authentication will make it more difficult for cybercriminals to breach your digital accounts. Because credential stuffing relies on automated tools, two-factor authentication will stop a high number of attacks. The cybercriminals are lazy, so enhance your security wherever you can to make it harder for them. If it’s too hard to compromise your account, they will move on to another one that is easier.
What can I do as a business owner?
As a business owner, there are security measures you can put in place.
1. Enable 2-Factor or Multi-Factor Authentication
If you have the capability with the online services you use, enable 2-factor for your customers and users.
2. Install Wordfence
Credential stuffing is most often detected by an unusually high number of login attempts in a given period of time. If your website uses WordPress, you should install the security plugin Wordfence. This plugin can block an IP address or a range of IP addresses when there are too many unsuccessful login attempts.
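As an added illustration of the detection rule described above (this is example code, not part of the original post and not Wordfence’s own logic), the Python snippet below counts failed logins per source IP within a sliding time window over a constructed sample log, and also reports how many distinct usernames each flagged IP tried, which is what separates credential stuffing from a brute-force attack against a single account. The log format is an assumption.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample log lines (not real data), in an assumed
# "timestamp status username ip" format similar to a login audit log.
SAMPLE_LOG = """\
2020-08-17T10:00:01 FAIL alice 203.0.113.7
2020-08-17T10:00:02 FAIL bob 203.0.113.7
2020-08-17T10:00:03 FAIL carol 203.0.113.7
2020-08-17T10:00:04 FAIL dave 203.0.113.7
2020-08-17T10:00:05 FAIL erin 203.0.113.7
2020-08-17T10:00:06 OK frank 203.0.113.7
2020-08-17T10:00:10 FAIL alice 198.51.100.4
2020-08-17T10:05:10 FAIL alice 198.51.100.4
2020-08-17T10:20:10 OK alice 198.51.100.4
"""

LINE_RE = re.compile(r"^(\S+) (FAIL|OK) (\S+) (\S+)$")


def parse_lines(text):
    """Yield (timestamp, status, username, ip) tuples, skipping malformed lines."""
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            yield (datetime.fromisoformat(m.group(1)), m.group(2), m.group(3), m.group(4))


def find_suspicious_ips(text, max_failures=5, window=timedelta(minutes=10)):
    """Return {ip: (failures_in_window, distinct_usernames_tried)} for every IP
    that reaches max_failures failed logins inside any sliding window of `window`.
    Many distinct usernames from one IP is the hallmark of credential stuffing;
    repeated failures on a single username looks more like brute force."""
    recent = defaultdict(deque)   # ip -> timestamps of recent failed logins
    users = defaultdict(set)      # ip -> usernames attempted from that ip
    flagged = {}
    for ts, status, user, ip in parse_lines(text):
        if status != "FAIL":
            continue
        q = recent[ip]
        q.append(ts)
        users[ip].add(user)
        while q and ts - q[0] > window:   # expire failures older than the window
            q.popleft()
        if len(q) >= max_failures:
            flagged[ip] = (len(q), len(users[ip]))
    return flagged
```

Running `find_suspicious_ips(SAMPLE_LOG)` flags only 203.0.113.7, with 5 failures across 5 different usernames, while the two failures from 198.51.100.4 stay below the threshold.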
3. Enforce Strong Passwords
Make sure your website requires stronger passwords, such as long random sequences of mixed-case letters and symbols.
You may not have been directly affected by the CRA attack, but you should use it as a reminder to bolster your own security practices, both as a consumer and a business owner.