searchtwitterarrow rightmail strokearrow leftmail solidfacebooklinkedinplusangle upmagazine plus
Help Net Security - Daily information security news with a focus on enterprise security.
  • News
  • Features
  • Expert analysis
  • Videos
  • Reviews
  • Events
  • Reports
  • Whitepapers
  • Industry news
  • Product showcase
  • Newsletters
  • (IN)SECURE Magazine
Help Net Security
Help Net Security
April 12, 2019
Share

Who are the biggest targets of credential stuffing attacks?

Media organizations, gaming companies, and the entertainment industry are among the biggest targets of credential stuffing attacks, in which malicious actors tap automated tools to use stolen login information to attempt to gain access to user accounts on other online sites, on the assumption that consumers use the same login and password for multiple services.

targets credential stuffing attacks

Three of the largest credential stuffing attacks against streaming services in 2018, ranging in size from 133 million to 200 million attempts, took place shortly after reported data breaches, indicating hackers were likely testing stolen credentials before selling them, says the latest Akamai report.

The attacker use credentials compromised in breaches, but do not limit themselves to those lists.

“In a YouTube video watched by Akamai researchers, an individual walked viewers step-by-step through a tutorial on how to create combination lists to use against the popular online battle royale game,” the report explains.

The report also spotlights easily accessible online video tutorials that provide step-by-step instructions for executing credential stuffing attacks, including using All-in-One applications to validate stolen or generated credentials.

The report lists the United States as the top country of origin for the attacks, followed by Russia and Canada. The U.S. is also the top target, followed by India and Canada.

Previous Akamai research noted that media, gaming and entertainment companies saw 11.6 billion attacks between May and December 2018.

How to prevent attackers from hijacking your accounts?

Stolen credentials can be used for a host of illicit purposes, not the least of which is enabling non-subscribers to view content via pirated streaming accounts.

Compromised accounts are also sold, traded or harvested for various types of personal information, and they are often available for purchase in bulk on the Dark Web, according to Akamai researchers.

“Users need to be educated about credential stuffing attacks, phishing, and other risks that put their account information in jeopardy. Brands should stress the use of unique passwords and password managers to customers and highlight the value of multi-factor authentication,” the researchers noted.

They also advise implementing multi-factor authentication where possible. “When discussing ATOs and AIO scripts, criminals often complain about the use of multi-factor authentication, which is a particularly effective method of stopping most of their attacks,” they pointed out.




More about
  • account hijacking
  • Akamai
  • attack
  • credentials
  • MFA
  • passwords
Share this

Featured news

  • VMware issues critical fixes, CISA orders federal agencies to act immediately (CVE-2022-22972)
  • Many security engineers are already one foot out the door. Why?
  • Fix your IT weak spots to guarantee compliance
Easily migrate to the cloud with CIS Hardened Images

What's new

Week in review: VMware critical fixes, Bluetooth LE flaw unlocks cars, Kali Linux 2022.2

Record level of bad bot traffic contributing to rise of online fraud

New infosec products of the week: May 20, 2022

Two business-grade Netgear VPN routers have security vulnerabilities that can’t be fixed

Don't miss

Two business-grade Netgear VPN routers have security vulnerabilities that can’t be fixed

How to ensure that the smart home doesn’t jeopardize data privacy?

U.S. DOJ will no longer prosecute good-faith security researchers under CFAA

VMware issues critical fixes, CISA orders federal agencies to act immediately (CVE-2022-22972)

Many security engineers are already one foot out the door. Why?

Help Net Security - Daily information security news with a focus on enterprise security.
Follow us
  • Features
  • News
  • Expert Analysis
  • Reviews
  • Events
  • Reports
  • Whitepapers
  • Industry news
  • Newsletters
  • Product showcase
  • Twitter

In case you’ve missed it

  • Data centers on steel wheels: Can we trust the safety of the railway infrastructure?
  • Good end user passwords begin with a well-enforced password policy
  • Keep your digital banking safe: Tips for consumers and banks
  • Is cybersecurity talent shortage a myth?

(IN)SECURE Magazine ISSUE 71 (March 2022)

  • Why security strategies need a new perspective
  • The evolution of security analytics
  • Open-source code: How to stay secure while moving fast
Read online
© Copyright 1998-2022 by Help Net Security
Read our privacy policy | About us | Advertise