Who are the biggest targets of credential stuffing attacks?

Media organizations, gaming companies, and the entertainment industry are among the biggest targets of credential stuffing attacks, in which malicious actors tap automated tools to use stolen login information to attempt to gain access to user accounts on other online sites, on the assumption that consumers use the same login and password for multiple services.

Three of the largest credential stuffing attacks against streaming services in 2018, ranging in size from 133 million to 200 million attempts, took place shortly after reported data breaches, indicating hackers were likely testing stolen credentials before selling them, says the latest Akamai report.

The attacker use credentials compromised in breaches, but do not limit themselves to those lists.

“In a YouTube video watched by Akamai researchers, an individual walked viewers step-by-step through a tutorial on how to create combination lists to use against the popular online battle royale game,” the report explains.

The report also spotlights easily accessible online video tutorials that provide step-by-step instructions for executing credential stuffing attacks, including using All-in-One applications to validate stolen or generated credentials.

The report lists the United States as the top country of origin for the attacks, followed by Russia and Canada. The U.S. is also the top target, followed by India and Canada.

Previous Akamai research noted that media, gaming and entertainment companies saw 11.6 billion attacks between May and December 2018.

How to prevent attackers from hijacking your accounts?

Stolen credentials can be used for a host of illicit purposes, not the least of which is enabling non-subscribers to view content via pirated streaming accounts.

Compromised accounts are also sold, traded or harvested for various types of personal information, and they are often available for purchase in bulk on the Dark Web, according to Akamai researchers.

“Users need to be educated about credential stuffing attacks, phishing, and other risks that put their account information in jeopardy. Brands should stress the use of unique passwords and password managers to customers and highlight the value of multi-factor authentication,” the researchers noted.

They also advise implementing multi-factor authentication where possible. “When discussing ATOs and AIO scripts, criminals often complain about the use of multi-factor authentication, which is a particularly effective method of stopping most of their attacks,” they pointed out.