1.1M Compromised Accounts Found at 17 Major Companies (Security News, January 2022)

There have been more than 1.1 million online accounts compromised in a series of credential-stuffing attacks against 17 different companies, according to a New York State investigation.
Credential-stuffing attacks, such as last year's attack on Spotify, use automated scripts to try high volumes of username and password combinations against online accounts in an effort to take them over.
Once in, cybercriminals can use the compromised accounts for various purposes: as a pivot point to penetrate deeper into a victim's machine and network; to drain accounts of sensitive information; and, if it is an email account, to impersonate the victim in attacks on others.
Such attacks are often successful thanks to password reuse and the use of common, easy-to-guess passwords like "123456." And they're costly: The Ponemon Institute's Cost of Credential Stuffing report found that businesses lose an average of $6 million per year to credential stuffing in the form of application downtime, lost customers, and increased IT costs.
"With over 8.4 billion passwords in the wild and over 3.5 billion of those passwords tied to actual email addresses, it provides a starting point and easy attack vector for cybercriminals to target various online sites that utilize accounts for their customers," said James McQuiggan, security awareness advocate at KnowBe4, via email.
"The OAG found thousands of posts that contained customer login credentials that attackers had tested in a credential stuffing attack and confirmed could be used to access customer accounts at websites or on apps," according to a Wednesday media statement.
News URL: https://threatpost.com/compromised-accounts-17-major-companies/177417/