David Montague

YOU HAVE BEEN BREACHED: Consumer Credential Stuffing

When a credential stuffer tests multitudes of usernames and passwords and even one is successful, you now have a customer who has suffered a data breach. Your organization, like most, probably has people working hard to make sure hackers don’t breach your internal systems. But do you have a similar level of protection against breaches of your customer accounts? Many organizations think credential stuffing is low risk, or figuratively throw up their hands, citing consumers’ poor password hygiene or third-party data breaches as a “there’s nothing we can do” defense. This mindset can cost you reputation, customer confidence, and, as we’ve seen recently, severe fines and legal costs.


The $30 million settlement related to a class action lawsuit against 23andMe should serve as a wakeup call to organizations that they can be found financially liable for neglecting to prevent credential stuffing attacks. Most coverage of the event sparking the class action suit refers to the 6.9 million 23andMe customers whose genetic testing and ancestry data was accessed. But this data breach began with credential stuffing attacks using credentials that had been compromised in various prior data breaches - credentials which consumers were reusing with their 23andMe accounts.


There are several key takeaways from this class action suit and settlement. First is the amount of the fine, $30 million, $25 million of which 23andMe believes will be covered by cyber insurance. It is hard to quantify the damages to consumers whose ancestry data was compromised. The defendants in the case argued that the fine should be lower because traditionally sought-after data, like Social Security numbers, was not implicated. Organizations need to consider the types of data and the sensitivity of the personally identifiable information (PII) they maintain for their user accounts, and the legal or liability risks associated with unauthorized access to that data.


Another key takeaway comes from accusations of the plaintiffs that 23andMe should have done more to protect the accounts. As part of the settlement, 23andMe agreed to mandate Multi-Factor Authentication (MFA) going forward. This may set a precedent that organizations are responsible for protecting user accounts even when those users do not protect themselves, leaving their accounts vulnerable to credential stuffing and account takeover by reusing compromised passwords.


However, MFA isn’t a perfect solution. While MFA does protect accounts against Account Takeover (ATO), the reality is that consumers will not opt in to using it, and there will be significant churn or customer attrition if it is mandated. The bottom line is that consumers don’t want additional friction and neither do companies, because it means lower sales.


Organizations need to consider more passive ways to protect against credential stuffing. Passive protections are the only method available when consumers refuse the friction of MFA, but they should also be used in addition to offering MFA as a way to more strategically and selectively present it. Bad actors know and exploit the fact that consumers tend to reuse passwords. That is why they systematically carry out credential stuffing attacks to identify where else a breached credential pair is used.


myNetWatchman has unique data insights into credential stuffing attacks, as we see credential stuffing on a large scale and across some of the largest web properties. Every year we observe tens of thousands of companies and websites each experiencing thousands of credential stuffing attempts. In just the past 30 days there were over 3,000 companies that were targeted.


Companies need to have a way to detect and stop credential stuffing attacks, and to remediate accounts that are taken over. myNetWatchman offers services to detect that these attacks are occurring and also which accounts are at risk or compromised. Our services can screen a credential whenever it is presented and cross-check it against our repository of 30 billion compromised credential pairs to see whether it is at risk.


This is the passive protection organizations need to detect credential stuffing and avoid the costly headaches these attacks cause. These costs go beyond potential settlement fees like the $30 million 23andMe is facing; they also include operational costs, downtime and brand damage. A 2017 study from the Ponemon Institute estimated the annualized cost of credential stuffing attacks to be $6 million on average when considering only prevention, detection and remediation (excluding fraud losses). The average cost of fraud-related losses ranges from $500,000 to $54 million, depending on what percentage of accounts suffered a monetary loss as a direct result of the credential stuffing attack. Keep in mind that these numbers would be 29 percent higher if adjusted for cumulative inflation since 2017. Further, these estimates don’t include the harder-to-quantify losses such as brand damage and lost customer lifetime value.


myNetWatchman’s Web Monitoring service alerts clients to ongoing credential stuffing attacks so these attacks can be identified and stopped. User accounts implicated in the attack are identified for remediation. Our AllCreds service focuses on prevention and remediation around credential stuffing, as clients leverage our repository of over 30 billion compromised credential pairs to know when compromised credentials are presented, whether at login, account creation or password change events. Our continuous live attack monitoring adds 15 million new compromised credential pairs each day.
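As an added example, not code from myNetWatchman or from this post, the following Python sketches the two passive controls described above and in the section on detection: screening a presented credential pair against a locally held corpus of previously breached pairs at login, account creation and password change, and flagging a login stream as credential stuffing when one source tries many distinct usernames with a very low success rate. The corpus, the keyed-hash pepper, the thresholds and the login events are all constructed for illustration; a real deployment would draw on a far larger corpus and tune the thresholds to its own traffic.

```python
"""Passive credential-stuffing defence, illustrative only (not vendor code).

Part 1: screen a presented username/password pair against a corpus of
        breached pairs, stored as keyed hashes rather than plaintext.
Part 2: flag sources whose login traffic looks like credential stuffing
        (many distinct usernames, almost no successes, short time window).
All sample data below is constructed.
"""
import hashlib
import hmac
from collections import defaultdict
from dataclasses import dataclass

# Hypothetical per-deployment secret; keeps the corpus from doubling as a
# plaintext password list if it leaks. Not a real secret.
CORPUS_PEPPER = b"example-pepper-not-a-real-secret"


def fingerprint(username: str, password: str) -> str:
    """Keyed hash of a normalised credential pair (username case/space-insensitive)."""
    msg = f"{username.strip().lower()}\x00{password}".encode()
    return hmac.new(CORPUS_PEPPER, msg, hashlib.sha256).hexdigest()


# Constructed corpus of pairs "seen in prior breaches".
BREACHED_PAIRS = [("alice@example.com", "Summer2019!"), ("bob@example.com", "hunter2")]
COMPROMISED = {fingerprint(u, p) for u, p in BREACHED_PAIRS}

# What to do when a known-compromised pair is presented, by event type.
# At login the pair already matches the account, so step up to MFA or force a
# reset instead of refusing outright; at sign-up or password change the
# password can simply be rejected before it is set.
RESPONSE_BY_EVENT = {
    "login": "step_up_mfa",
    "signup": "reject_password",
    "password_change": "reject_password",
}


def screen_credential(username: str, password: str, event: str) -> str:
    """Return 'allow' or the selective response for a compromised pair."""
    if fingerprint(username, password) not in COMPROMISED:
        return "allow"
    return RESPONSE_BY_EVENT[event]


@dataclass(frozen=True)
class LoginEvent:
    ts: int        # seconds since some epoch
    source: str    # client IP or other source key
    username: str
    success: bool


def detect_stuffing(events, window=300, min_users=10, max_success_rate=0.1):
    """Map source -> summary for sources showing a stuffing pattern.

    A source is flagged if, within any `window` seconds, it attempted at least
    `min_users` distinct usernames with a success rate of at most
    `max_success_rate`. Successful logins from a flagged source are the
    accounts to remediate.
    """
    by_source = defaultdict(list)
    for e in events:
        by_source[e.source].append(e)
    flagged = {}
    for src, evs in by_source.items():
        evs.sort(key=lambda e: e.ts)
        start = 0
        for end in range(len(evs)):
            while evs[end].ts - evs[start].ts > window:
                start += 1
            win = evs[start:end + 1]
            users = {e.username for e in win}
            rate = sum(e.success for e in win) / len(win)
            if len(users) >= min_users and rate <= max_success_rate:
                flagged[src] = {
                    "attempts": len(evs),
                    "distinct_users": len({e.username for e in evs}),
                    "compromised_accounts": sorted({e.username for e in evs if e.success}),
                }
                break
    return flagged


def constructed_events():
    """Constructed login stream: one stuffing source, two legitimate sources."""
    evs = []
    for i in range(12):  # 12 distinct usernames in one minute, one hit
        user = "bob@example.com" if i == 5 else f"user{i:02d}@example.com"
        evs.append(LoginEvent(1000 + 5 * i, "203.0.113.7", user, user == "bob@example.com"))
    evs += [LoginEvent(1000, "198.51.100.5", "alice@example.com", True),
            LoginEvent(4600, "198.51.100.5", "alice@example.com", True)]
    evs += [LoginEvent(2000, "192.0.2.44", "carol@example.com", False),  # two typos
            LoginEvent(2010, "192.0.2.44", "carol@example.com", False),
            LoginEvent(2030, "192.0.2.44", "carol@example.com", True)]
    return evs


if __name__ == "__main__":
    print(screen_credential("alice@example.com", "Summer2019!", "login"))
    print(detect_stuffing(constructed_events()))
```

The login response is deliberately different from the sign-up and password-change response: that is the "strategically and selectively present MFA" idea from above, where only the session presenting a known-compromised pair is asked for a second factor. The detector keys on the shape of stuffing traffic rather than on any one failed login, so a single user mistyping a password is not flagged.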


Companies are beginning to learn the hard way that credential stuffing cannot be ignored. Reluctance to use MFA means more needs to be done to passively protect user accounts. While cases as notable as the class action suit and settlement with 23andMe result in losses larger than most will experience from credential stuffing attacks, the case should serve as a stark reminder that these are troublesome and costly attacks, and that the precedent has been set that organizations need to do more to protect user accounts from credential stuffing.
