The cost of a data breach can be crippling: on average it costs an organization $3.86 million, according to the Ponemon Institute. Although rarely publicized, attackers do not just target Fortune 500 companies. Verizon's 2019 Data Breach report found that 43% of data breaches involved small businesses as the targets. With such a lofty price tag, a data breach can force a business to close its doors and, if not, can cause long-lasting reputational damage.
But what about when the breach was not due to a hack? Various organizations whose customers experienced account compromises in 2019 were, in fact, not hacked. The same Verizon report found that 29% of breaches involved the use of stolen credentials. With billions of stolen credentials (usernames and passwords) available online from previous breaches, a high volume of attacks results from automated credential stuffing.
Any time a massive aggregated leaked password list is made available online, credential stuffing attacks spike. Armed with stolen credentials from mega-breaches, attackers make log-in attempts against digital services through anonymous bot networks that make the traffic look like it is originating from many different IP addresses and browsers, so the attempts fly under the radar.
Credential stuffing is an emerging threat that doesn't stop at online services. With the majority of organizations adopting SaaS services to increase productivity and using single sign-on to federate login, no matter where a breach starts it can end up in the corporate network. And once in, attackers move laterally until they find something that makes the effort worthwhile: personal data, financials, etc.
Let's take a look at a few examples of these types of attacks and how attackers exploited compromised accounts after taking them over.
Disney+
Shortly after Disney launched the service in November 2019, Disney+ customers began having issues logging into their accounts. Many took to social channels suspecting that Disney+ had been compromised. Ultimately it was uncovered that the service was not hacked; rather, attackers exploited the fact that users reuse credentials and took over accounts with a credential stuffing attack.
By leveraging stolen credentials, attackers were able to gain access to users' Disney+ accounts. They did not stop there: after gaining access they changed account usernames and passwords, effectively locking the account owners out. The news went public when attackers started offering Disney+ accounts online, either for free or for a price tag of $3-$11 per account.
Dunkin Donuts
February 2019 marked the second credential stuffing attack affecting Dunkin Donuts rewards customers. Attackers used leaked credentials to gain entry to thousands of DD Perks accounts. DD Perks is a loyalty program that allows repeat customers to earn points toward free merchandise or discounts. By gaining access to these accounts, attackers obtained loyalty points in addition to the users' first and last names, emails, 16-digit DD Perks account numbers and QR codes.
According to various news outlets, the attackers were not after the personal information. Their intent was to sell the accounts themselves on the Dark Web so that buyers could go on to use the stored value. Even so, New York state is suing Dunkin Donuts for failing to disclose the breach and to provide appropriate safeguards, since it had suffered a similar breach in 2015 in which thousands of dollars on customers' stored value cards were stolen and over 19,000 accounts were breached.
Citrix
In March 2019, Citrix announced that it had been breached. Attackers gained access to 6 terabytes of data via a password spraying attack. Similar to credential stuffing, password spraying also exploits stolen credentials, but instead of trying a large number of credentials against a single account, it tries a single commonly used password against many accounts, staying below each account's lockout threshold.
The attack went undetected for six months, during which the attackers stole business documents and other files from a shared network drive used to store both current and historical documents. The attackers also targeted a drive associated with a web-based tool (ShareFile) used by Citrix's consulting practice. This tool used federated single sign-on, which the attackers exploited.
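To make the difference between the two attack shapes concrete from the defender's side, here is an added example (not code from the original post, from Citrix, or from any vendor product) that runs two simple detection rules over constructed authentication log lines: one source failing against many distinct accounts, and many distinct accounts each failing only once or twice inside a window, which is the shape a per-account lockout threshold never sees. The log format, the 5-minute window and the thresholds are assumptions made for the illustration.

```python
"""Flag credential-stuffing and password-spraying patterns in authentication logs.

Added illustration: the log format, thresholds and sample events below are
constructed assumptions, not the format of any real product.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log: "<ISO timestamp> <RESULT> user=<name> ip=<addr>".
# 09:00 block: one source tries five different accounts in a few seconds.
# 09:10 block: a real user mistypes twice and then succeeds (benign).
# 10:00 block: five accounts each fail once, each from a different address,
#              which is what a spray or a distributed stuffing run looks like.
SAMPLE_LOG = """\
2019-03-01T09:00:01 FAIL user=alice ip=203.0.113.10
2019-03-01T09:00:02 FAIL user=bob ip=203.0.113.10
2019-03-01T09:00:03 FAIL user=carol ip=203.0.113.10
2019-03-01T09:00:04 FAIL user=dave ip=203.0.113.10
2019-03-01T09:00:05 SUCCESS user=erin ip=203.0.113.10
2019-03-01T09:00:06 FAIL user=frank ip=203.0.113.10
2019-03-01T09:10:00 FAIL user=alice ip=198.51.100.7
2019-03-01T09:10:30 FAIL user=alice ip=198.51.100.7
2019-03-01T09:11:00 SUCCESS user=alice ip=198.51.100.7
2019-03-01T10:00:00 FAIL user=gina ip=192.0.2.1
2019-03-01T10:00:01 FAIL user=hank ip=192.0.2.2
2019-03-01T10:00:02 FAIL user=ivan ip=192.0.2.3
2019-03-01T10:00:03 FAIL user=judy ip=192.0.2.4
2019-03-01T10:00:04 FAIL user=kate ip=192.0.2.5
"""


def parse_log(text):
    """Turn the constructed log format into a time-sorted list of event dicts."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, result, user_kv, ip_kv = line.split()
        events.append({
            "ts": datetime.fromisoformat(ts),
            "ok": result == "SUCCESS",
            "user": user_kv.split("=", 1)[1],
            "ip": ip_kv.split("=", 1)[1],
        })
    return sorted(events, key=lambda e: e["ts"])


def bucket_start(ts, window):
    """Floor a timestamp to the start of its tumbling window."""
    epoch = datetime(1970, 1, 1)
    secs = int((ts - epoch).total_seconds())
    return epoch + timedelta(seconds=secs - secs % int(window.total_seconds()))


def detect(events, window=timedelta(minutes=5), ip_threshold=5, spray_threshold=5):
    """Return alerts as (rule, window_start, detail, distinct_accounts) tuples.

    Rule 1 keys on the source address and catches dense runs from one host.
    Rule 2 ignores the source entirely and keys on the campaign shape: many
    accounts, each with at most two failures, so per-account lockout never
    fires and a botnet spreading attempts over many addresses is still seen.
    """
    ip_users = defaultdict(lambda: defaultdict(set))   # window -> ip -> users
    user_fails = defaultdict(lambda: defaultdict(int))  # window -> user -> count
    ips_seen = defaultdict(set)                         # window -> ips
    for e in events:
        if e["ok"]:
            continue
        b = bucket_start(e["ts"], window)
        ip_users[b][e["ip"]].add(e["user"])
        user_fails[b][e["user"]] += 1
        ips_seen[b].add(e["ip"])

    alerts = []
    for b in sorted(user_fails):
        for ip, users in ip_users[b].items():
            if len(users) >= ip_threshold:
                alerts.append(("single_source_many_accounts", b, ip, len(users)))
        counts = user_fails[b]
        if len(counts) >= spray_threshold and max(counts.values()) <= 2:
            alerts.append(("many_accounts_low_failures", b,
                           f"{len(ips_seen[b])} source ips", len(counts)))
    return alerts


if __name__ == "__main__":
    for rule, start, detail, n in detect(parse_log(SAMPLE_LOG)):
        print(f"{start:%H:%M} {rule}: {detail}, {n} distinct accounts")
```

The 09:00 run trips both rules because it is dense and single-sourced; the 10:00 run trips only the second, because no address is responsible for more than one account. The benign double mistype at 09:10 trips neither. Tuning the window and thresholds against your own baseline of normal failure rates is what separates a usable alert from noise.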
Lessons Learned
Credential stuffing and password spraying attacks are experiencing a high level of success, and organizations are being held accountable. Playing the victim card will not side-step responsibility. In fact, the Federal Trade Commission (FTC) set a precedent for this with TaxSlayer, an online tax preparation service that suffered a credential stuffing attack back in 2015. The FTC cited failure to adhere to the Privacy Rule and the Safeguards Rule of the Gramm–Leach–Bliley Act (GLBA), specifically the failure to conduct a risk assessment that would have identified reasonable and foreseeable internal and external security risks.
Essentially, the FTC is stating that credential stuffing attacks are foreseeable and that organizations without the appropriate security measures will be held responsible. Safeguards against these types of attacks exist. Organizations need to start by removing weak passwords: set a secure password policy that eliminates low-hanging fruit such as easily guessable passwords and passwords that have already appeared in leaks. Note that a static password blacklist will not protect you indefinitely, because new leaked lists keep appearing and the blocked set has to be kept current.
Given that attackers don't sit still once they've taken over an account, it is also important to ensure that only the appropriate users are accessing accounts and resetting passwords, especially Active Directory self-service password resets. This is an essential consideration when using federated single sign-on. As such, turn on multi-factor authentication to protect both online service access and password resets.
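As an added example of what such a password policy check can look like (this is not code from the original post or from any Specops product), the block below rejects a candidate password that is too short, follows a dictionary-style pattern, or appears in a leaked-password corpus. The leaked check uses the k-anonymity range-lookup pattern: the client hashes the candidate with SHA-1 and sends only the first five hex characters, receiving back every matching suffix, so the full hash never leaves the client. The corpus here is a small constructed stand-in, the in-process `range_lookup` function stands in for a remote range service, and the length and pattern rules are assumptions chosen for the illustration.

```python
"""Check a candidate password against policy and a leaked-password corpus.

Added illustration: LEAKED is a constructed stand-in for an aggregated breach
list, and range_lookup() stands in for a remote k-anonymity range service.
"""
import hashlib
import re

# Constructed leaked-password corpus (a real deployment would refresh this from
# a current breach feed, since a static list goes stale as new leaks appear).
LEAKED = {"password", "123456", "Summer2019!", "Welcome1", "qwerty"}


def build_range_index(passwords):
    """Index SHA-1 hex digests by their first 5 characters, as range services do."""
    index = {}
    for pw in passwords:
        digest = hashlib.sha1(pw.encode("utf-8")).hexdigest().upper()
        index.setdefault(digest[:5], set()).add(digest[5:])
    return index


RANGE_INDEX = build_range_index(LEAKED)


def range_lookup(prefix):
    """Stand-in for the remote query: given only a 5-character hash prefix,
    return every known suffix under it. The caller matches locally, so the
    service never learns which full hash (or password) was being checked."""
    return RANGE_INDEX.get(prefix, set())


def is_leaked(password):
    """True if the candidate's full SHA-1 appears in the corpus."""
    digest = hashlib.sha1(password.encode("utf-8")).hexdigest().upper()
    return digest[5:] in range_lookup(digest[:5])


# Heuristic for the "word, a few digits, maybe one symbol" shape that
# guessing lists are built around; deliberately simple for the illustration.
DICTIONARY_SHAPE = re.compile(r"[A-Za-z]+\d{0,4}[!@#$%^&*]?")


def policy_violations(password, min_length=12):
    """Return the list of reasons a candidate fails policy; empty means accepted."""
    reasons = []
    if len(password) < min_length:
        reasons.append(f"shorter than {min_length} characters")
    if DICTIONARY_SHAPE.fullmatch(password):
        reasons.append("dictionary-style pattern (word plus digits/symbol)")
    if is_leaked(password):
        reasons.append("appears in a leaked-password corpus")
    return reasons


if __name__ == "__main__":
    for candidate in ("Welcome1", "Summer2019!", "correct horse battery staple"):
        verdict = policy_violations(candidate) or ["accepted"]
        print(f"{candidate!r}: {', '.join(verdict)}")
```

Because `is_leaked` only ever hands the lookup a five-character prefix, swapping the local index for a network range service changes nothing else in the flow. Refreshing the corpus is the operational half of the control: rebuild the index whenever a new breach list is ingested, otherwise the check decays into the static blacklist the post warns about.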
Learn how Specops uReset can protect Windows self-service password resets, account unlocks and password changes here.