Have you heard of Continuous Penetration Testing?
This technique is becoming very popular with the rise of data breaches.
It’s tempting to re-use the same password for multiple online accounts. Many of us have done it (it’s OK; this is a safe space). Convenient as it seems, this action puts you at high risk to get hacked via credential stuffing.
This type of attack recycles previously stolen passwords to gain access to a user’s other, unrelated accounts. Password reuse across multiple online logins is what fuels successful credential-stuffing attacks.
Even if you have a “strong” password, no amount of capital letters and numbers will protect you if it’s used for every account. When password reuse is discovered, it creates an all-access pass for attackers. That means they gain entry into protected accounts full of personal and private information.
The difference between a brute-force attack and credential stuffing is this: brute force attacks make repeated attempts to guess your password, while credential stuffing directly attempts to log in using known stolen credentials from publicly or privately available breaches.
For the sake of example, let’s say a user has an account on ABC.com. One day, a hacker breaches the site.
Fast-forward a couple of months. An online attacker targets a company called Acme Corp., an organization that rarely has users update their passwords. The online attacker gets their hands on a list of Acme employees. They search the ABC.com breach from a few months ago for accounts Acme employees had on ABC.com.
In this process, the hacker finds an email address associated with an ABC.com account. The hacker uses the breach to collect this email address and its associated password. Using this password, under the assumption it’s reused, the attacker attempts to log in to the organizational email portal.
And ... cue victory music ... success. The hacker successfully logs into this user’s account, because they now have valid credentials without having to brute force a login portal.
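The brute-force versus credential-stuffing distinction above also shows up in authentication logs, and it is worth seeing how a defender would tell them apart. The following is an added example, not code from the original post or from Sprocket: it runs over a few constructed log lines (the IP addresses, usernames and timestamps are made up for illustration), profiles each source address, and labels it as brute force (many attempts against one or two accounts) or credential stuffing (roughly one attempt per account, spread across many accounts, with the occasional success where a password was reused). It then lists the accounts that a stuffing source actually got into, which is the set an incident responder would force-reset first.

```python
"""Distinguish brute-force from credential-stuffing patterns in auth logs.

Added example (not from the original post). Log format, thresholds and
sample data are assumptions chosen for illustration.
"""
from collections import defaultdict

# Constructed sample log lines: timestamp, source IP, username, result.
SAMPLE_LOG = """\
2024-05-01T09:00:01 src=203.0.113.7 user=alice@acme.example result=FAIL
2024-05-01T09:00:02 src=203.0.113.7 user=bob@acme.example result=SUCCESS
2024-05-01T09:00:03 src=203.0.113.7 user=carol@acme.example result=FAIL
2024-05-01T09:00:04 src=203.0.113.7 user=dave@acme.example result=FAIL
2024-05-01T09:00:05 src=203.0.113.7 user=erin@acme.example result=FAIL
2024-05-01T09:00:06 src=203.0.113.7 user=frank@acme.example result=FAIL
2024-05-01T09:01:00 src=198.51.100.9 user=alice@acme.example result=FAIL
2024-05-01T09:01:01 src=198.51.100.9 user=alice@acme.example result=FAIL
2024-05-01T09:01:02 src=198.51.100.9 user=alice@acme.example result=FAIL
2024-05-01T09:01:03 src=198.51.100.9 user=alice@acme.example result=FAIL
2024-05-01T09:01:04 src=198.51.100.9 user=alice@acme.example result=FAIL
2024-05-01T09:01:05 src=198.51.100.9 user=alice@acme.example result=FAIL
2024-05-01T09:02:00 src=192.0.2.5 user=alice@acme.example result=SUCCESS
"""


def parse_log(text):
    """Turn 'key=value' log lines into a list of event dicts."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        # First token is the timestamp; the rest are key=value pairs.
        fields = dict(part.split("=", 1) for part in line.split()[1:])
        events.append({"src": fields["src"], "user": fields["user"],
                       "result": fields["result"]})
    return events


def profile_sources(events):
    """Aggregate attempts, distinct usernames and successes per source IP."""
    by_src = defaultdict(lambda: {"attempts": 0, "users": set(), "successes": set()})
    for ev in events:
        p = by_src[ev["src"]]
        p["attempts"] += 1
        p["users"].add(ev["user"])
        if ev["result"] == "SUCCESS":
            p["successes"].add(ev["user"])
    return by_src


def classify(profile, min_attempts=5, spread_ratio=0.8):
    """Label one source profile. Thresholds are illustrative assumptions."""
    attempts = profile["attempts"]
    distinct = len(profile["users"])
    if attempts < min_attempts:
        return "benign"
    # Brute force: volume concentrated on one or two accounts.
    if distinct <= 2:
        return "brute_force"
    # Credential stuffing: about one try per account across many accounts,
    # because the attacker already holds a specific password per user.
    if distinct / attempts >= spread_ratio:
        return "credential_stuffing"
    return "suspicious"


def classify_sources(log_text):
    """Return {source_ip: label} for every source seen in the log."""
    profiles = profile_sources(parse_log(log_text))
    return {src: classify(p) for src, p in profiles.items()}


def compromised_accounts(log_text):
    """Accounts that a credential-stuffing source logged into successfully."""
    profiles = profile_sources(parse_log(log_text))
    hit = set()
    for p in profiles.values():
        if classify(p) == "credential_stuffing":
            hit |= p["successes"]
    return sorted(hit)


if __name__ == "__main__":
    for src, label in classify_sources(SAMPLE_LOG).items():
        print(f"{src:15} {label}")
    print("force-reset:", compromised_accounts(SAMPLE_LOG))
```

The ratio of distinct usernames to attempts is the key signal: a brute-force source drives it toward zero, a stuffing source toward one. In production you would compute the same profile per time window and per source ASN rather than per IP, since stuffing tools rotate through proxies, and feed the force-reset list into your identity provider.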
The deadly trio that allowed this hack to happen:
Beyond gaining access to multiple online logins, hackers can leverage successful credential-stuffing attacks to:
Take the following precautions to protect your users and your organization from credential-stuffing attacks.
Protect your company with Sprocket
When your environment changes, or new threats affect your attack surface, we perform security testing. This modern approach to testing delivers far more value than a one-off engagement.