
  • PowerSchool Data Leak: A Case Study in a Failing Grade for Credential Security

    The PowerSchool data leak, as detailed in the Infosecurity Magazine article, serves as a stark reminder of the critical importance of protecting user credentials: implement a service that checks users' usernames and passwords against known compromises, and enforce a strong password change policy. Here's what happened and how credential security, or the lack of it, was the real culprit.

    The Breach: Hackers gained access to PowerSchool's system, likely through stolen credentials, exploiting a vulnerability in the PowerSource support portal. This highlights a common attack vector: compromised credentials. Weak passwords, phishing scams, or credential reuse across platforms can grant unauthorized access to sensitive data.

    Why Protecting Credentials Matters:

    They are the First Line of Defense: Usernames and passwords are the frontline defense against unauthorized access. Strong, unique credentials make it significantly more difficult for attackers to break in. In this case, usernames and passwords could have been required to be updated and monitored for security.

    Stolen Credentials Can Have Far-Reaching Impacts: In PowerSchool's case, compromised credentials led to the exposure of millions of students' and educators' personal data. This can have serious consequences, including identity theft, financial fraud, and even emotional distress. The damage goes further when we consider that a stolen credential is most often used to get into other accounts the user has online, for example where the user has reused the same credentials at banks, e-retailers, airlines or anywhere else they do business.

    Compromised Credentials Can Lead to Lateral Movement: Once attackers gain access with stolen credentials, they can move laterally within a system, potentially accessing even more sensitive data.

    According to the 2024 Data Breach Report from the Identity Theft Resource Center, Education has been in the top five industries targeted by cybercriminals for the past two years.

    Lessons Learned: PowerSchool could have avoided this breach, or at least minimized its impact, by following the four steps below.

    Assess - PowerSchool could have found weaknesses in their system with a simple credential pentest, highlighting areas that needed additional attention for proper security.
    Detect - By deploying tools that constantly screen credentials for weaknesses, compromised users would have been identified before they caused a problem.
    Prevent - Once identified, users should have been required to update compromised credentials (usernames and passwords) for the best protection against infiltration of the PowerSchool system.
    Respond - Lastly, after a breach is confirmed, limiting exposure and liability is key. Comparing the breached data to data that has been actively used shows where to focus containment efforts and limit damage.

    The PowerSchool incident exemplifies the critical need for robust credential security practices. By following the steps outlined above, organizations like PowerSchool can significantly reduce the risk of data breaches and protect the sensitive information of the staff and consumers entrusted to them. Learn more about MFA. Learn more about credential monitoring.

    What would we do? myNetWatchman has a full suite of products that manage every stage of an organization's security needs, from assessing weaknesses in ATO security, to detecting and preventing ATO events, to breach response. See more at our website www.mynetwatchman.tech. Since the breach has already happened, a proper response is necessary to remediate its impact. Compare the breached data against our repository of 35 billion compromised credentials to see if we have already seen activity using the compromised credentials:

    • Determine whether the credentials have been used by bad actors previously.
    • Determine which credentials are actively being used or tested, contact those users and have them take steps to secure their credentials.
    • Require usernames and passwords to be updated.

  • Canary in the Coal Mine: Detecting Account Takeover Before Your Digital Canary Dies

    The old practice of a canary in a coal mine served as an early warning system, detecting harmful gases before they claimed lives. Similarly, active web monitoring can be a digital canary, alerting businesses to potential threats before they escalate into full-blown account takeovers. Credential stuffing, a common cyberattack, leverages stolen credentials to gain unauthorized access to accounts. It's akin to a thief trying multiple keys on a set of doors. If successful, attackers can wreak havoc, from stealing sensitive data to fraudulent transactions.
    - David Montague, CEO myNetWatchman

    Common fraud prevention tools, such as bot detection or IP blocking, are essential first lines of defense, allowing you to “blunt” an attack. However, they can lead to a false sense of security: it can be difficult to tell when an attack occurred unless you are watching, and they won’t tell you which accounts were targeted or successfully compromised. An active web monitoring service is a crucial second line of defense, alerting you to ongoing attacks and compromised accounts.

    For example, we recently saw a company attacked where millions of accounts were targeted for account takeover and over 1500 were successfully compromised. The attack occurred over the period of a week, and while the company was able to stop the scaled credential stuffing attack, we could see from our data that they weren’t aware of the 1500 accounts the bad actor compromised out of the 8 million attempts. We have found that bot prevention and IP blocking security tools may reduce the size of most attacks, but they don’t prevent all attack activity from an adversary; they can still hit you with smaller-scale attacks and other forms of attack. An active web monitoring service is like a digital canary, constantly testing the environment and sounding the alarm when a compromised identity is detected.

    You may need active web monitoring if:

    You rely on existing bot detection solutions: While your current tools may be effective, they might not detect all types of attacks or tell you which accounts were compromised.
    You're experiencing account takeovers: If you're still facing account takeover issues, web monitoring can help identify the root cause and implement additional safeguards.
    You need to assess the effectiveness of your security measures: Web monitoring can provide valuable insights into the performance of your security tools and identify areas of weakness that you weren’t aware of.

    With active web monitoring, you can proactively detect compromised PII and credential pairs, and mitigate these threats. Add it to enhance your security detection plan to cover:

    Real-time Monitoring: Continuously monitor for suspicious activity, such as unusual login patterns or unauthorized access attempts.
    Behavioral Analytics: Analyze user behavior to identify anomalies that may indicate a compromise.
    Threat Intelligence: Stay informed about emerging threats and vulnerabilities to proactively protect your systems.
    Prompt Response: Have a well-defined incident response plan to quickly address security breaches.

    Active web monitoring is not a complex development effort; for most clients it is minimal effort. In many scenarios there is no development and a straightforward implementation, up and running in 24 hours or less. When you really need to know, web monitoring tools provide the peace of mind of knowing you can see issues before your customers, or worse the press, tell you about them. By acting as a digital canary, active web monitoring tools can significantly reduce the number of surprises from accounts being taken over and protect your business from financial loss, reputational damage, and legal liabilities. For more information and real-world cases using active web monitoring, see the links below.

    • MNW Case Study - Customer M - 10% of successful credentials were successful previously at other locations
    • Post - Anatomy of Email Compromise - myNetWatchman investigated the case of a Yahoo.com email account that was compromised and accessed by bad actors nearly every day over a 3-month period

  • Credential Stuffing

    Credential stuffing is still a popular cybercrime. What is it, and what makes it so popular?

    What is it?

    Credential stuffing (AKA “cred stuffing”) is a type of cyber attack in which username and password pairs (“credentials” or “creds”) obtained from one source are attempted against other sites and systems. Criminal actors, sometimes referred to as cred stuffers, use automation to test large numbers of known credentials against various target systems, typically done systematically with credential testing tools that include proxies and bots. The goal of the cred stuffer is to find valid credentials: ones that can successfully access the target system.

    Why does it work?

    Credential stuffing works because people use the same username and password combinations on multiple sites. A valid credential at one site is likely to be valid at one or more other sites. Cred stuffing is effective because it is relatively easy to deploy on a large scale and can be difficult for targeted organizations to detect. It can appear to be a temporary distributed denial of service (DDoS) attack. Cred stuffing attacks leverage botnets and automation tools with “IP hopping” capabilities, making the attack harder to detect because the traffic comes from multiple sources. Most companies don’t make use of fraud detection tools at login and won’t recognize that a cred stuffing testing event is “bad” unless it ends up in a loss event or Account Takeover (ATO) for them.

    “While DDoS attacks may persist for reasons that defy logic, stuffing attacks only persist for one reason: because they are successful at monetizing validated credentials with an acceptably low corresponding effort.” - Lawrence Baldwin, CIO myNetWatchman

    Why do criminals do it?

    The short answer is because it's profitable. Credential stuffing attacks are successful at monetizing validated credentials with an exceptionally low corresponding effort.

    Low input costs - Creds are cheap and readily available on the dark web from data breaches, phishing attacks, or keylogging malware. The supply of creds is literally in the billions. Additionally, cred stuffing automation tools are available for criminals who don’t want to create their own.
    A lot can be done with little effort - An automation tool or bot can run thousands or millions of credentials in a relatively short amount of time. Some criminals also automate password iterations, like adding digits to the end of a current password to generate additional passwords. Think your site is protected by that password policy that forces a number? A cred stuffing bot can be designed to append a “1” to the end of each known compromised text-only password, for example.
    Easy to monetize - The cred stuffer can use the successful credentials themselves to commit various types of ATO-related fraud, like siphoning stored value, stealing other user data, fraudulent purchasing, funds transfer, etc. Cred stuffing increases the value of the inexpensive creds they purchased on the dark web. Or they can act as a middleman, simply selling the successful credentials to other criminals at a higher price for the guarantee of success.

    “The main reason cred stuffing works is because people use the same username and password on multiple sites. A valid credential at one site is highly likely to be valid at another site.” - Lawrence Baldwin, CIO myNetWatchman

    Even though the success rate of credential stuffing is low (typically less than 1%), the low entry costs, high volume of playable credentials, and high usefulness of a valid credential make the effort worthwhile. Think of cred stuffing as a way to add value to a massive data set of stolen creds by producing a smaller set of stolen creds that are active, and knowing where to use them. Organizations should be looking for credential stuffing attacks to keep accounts safe and limit damage from potential ATO.

    myNetWatchman’s web monitoring service alerts companies when live credential testing is being seen on their site, not just notifying them that it is happening but specifying which accounts are being impacted. This is valuable and actionable information about credentials that are being presented in real time, not just credentials known to have been compromised in a breach. In the small client case study below, you can see criminal tactics and how credential reuse by individuals helps criminals.

    Identifying Credential Stuffing

    Many organizations don’t realize credential stuffing is an issue because they don’t recognize that it’s occurring. Symptoms include a high volume of unsuccessful login attempts, a large number of successful logins followed by no subsequent activity, as well as tumbling and swapping attempts. Tumbling involves slight variations to the password on subsequent login attempts, such as trying “Qwerty1”, “Qwerty123” and other variations after the compromised password “Qwerty” did not work. A high volume of successful logins followed by no further activity is likely to stay under the radar for most organizations, but it is indicative of a criminal actor testing credentials to sell on the dark web to others. Similarly, an organization might see a series of actions taken after the login attempt, such as going to the user profile or edit user details page to scrape other information that may be included there, such as name, phone number and physical address. Organizations should not assume that credential stuffing is not occurring if they haven’t actively looked for signs of it. Even when actively looking, these signs can be difficult to uncover. It is critical to know when credential stuffing is happening and on what accounts. Organizations that do not have detection or mitigation strategies in place should consider a cybercredential assessment.

    Stuffing is costly to the targets

    Credential stuffing can harm organizations with direct financial losses through fraudulent transactions, theft of intellectual property, or ransom demands for stolen data. The brand risks and loss of customer lifetime value associated with account takeover that results from cred stuffing are difficult to quantify, but undoubtedly large. There are likely other indirect costs associated with incident response, legal fees, and regulatory fines.

    “The Ponemon Institute's Cost of Credential Stuffing report found that businesses lose an average of $6 million per year to credential stuffing in the form of application downtime, lost customers, and increased IT costs.” - Business guide for credential-stuffing attacks | New York State Attorney General

    Users whose valid credentials were obtained through stuffing can suffer in many ways from account takeover (ATO). Depending on the account taken over, criminals can steal stored value or gift cards, commit identity theft with stolen personal information, or create fraudulent transactions of all types. Consumers may also lose confidence in the provider because of the frustration of dealing with ATO, or blame the provider for poor security practices. Mitigating credential stuffing attacks is a way to protect consumers against themselves and their tendency to reuse creds across multiple sites. Consumers tend to conflate the issues or are unaware of the breach that compromised their creds initially, instead focusing blame on the account or organization that allowed unauthorized access to their account.
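    To make the symptoms described under "Identifying Credential Stuffing" concrete, here is an added example (not myNetWatchman code) that scans constructed login and activity log lines for three of them: a high failure ratio spread across many accounts, the same account attempted from several source IPs ("IP hopping"), and successful logins with no follow-on activity. The log format, event names and thresholds are assumptions, and the sample is assumed to cover the whole window examined.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log, not real traffic. Assumed format per line:
#   ISO timestamp, event, username, source IP
# Events: LOGIN_FAIL, LOGIN_OK, ACTIVITY (any post-login action, e.g. a page view).
SAMPLE_LOG = """\
2024-11-02T10:00:01 LOGIN_FAIL alice 203.0.113.10
2024-11-02T10:00:02 LOGIN_FAIL bob 203.0.113.11
2024-11-02T10:00:02 LOGIN_FAIL carol 198.51.100.7
2024-11-02T10:00:03 LOGIN_FAIL dave 198.51.100.8
2024-11-02T10:00:03 LOGIN_OK erin 203.0.113.12
2024-11-02T10:00:04 LOGIN_FAIL frank 192.0.2.44
2024-11-02T10:00:04 LOGIN_FAIL alice 192.0.2.45
2024-11-02T10:00:05 LOGIN_OK grace 198.51.100.9
2024-11-02T10:00:05 LOGIN_FAIL heidi 203.0.113.13
2024-11-02T10:00:06 LOGIN_FAIL alice 198.51.100.10
2024-11-02T10:00:07 LOGIN_OK ivan 192.0.2.46
2024-11-02T10:00:08 LOGIN_OK judy 203.0.113.14
2024-11-02T10:00:09 ACTIVITY judy 203.0.113.14
2024-11-02T10:00:30 ACTIVITY ivan 192.0.2.46
"""


def parse_log(text):
    """Parse the constructed format into (timestamp, event, user, ip) tuples."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, event, user, ip = line.split()
        events.append((datetime.fromisoformat(ts), event, user, ip))
    return events


def analyze(events, idle_window=timedelta(seconds=60), min_ips_for_hopping=3):
    """Compute the credential-stuffing symptoms over one batch of events."""
    fails = [e for e in events if e[1] == "LOGIN_FAIL"]
    oks = [e for e in events if e[1] == "LOGIN_OK"]

    # Symptom: the same account tried from many source IPs ("IP hopping").
    fail_ips_by_user = defaultdict(set)
    for _, _, user, ip in fails:
        fail_ips_by_user[user].add(ip)
    hopping = sorted(u for u, ips in fail_ips_by_user.items()
                     if len(ips) >= min_ips_for_hopping)

    # Symptom: successful login with no activity inside the following idle window.
    # Assumes the log extends at least idle_window past every LOGIN_OK.
    activity_by_user = defaultdict(list)
    for ts, event, user, _ in events:
        if event == "ACTIVITY":
            activity_by_user[user].append(ts)
    dormant = sorted(
        user for ts, _, user, _ in oks
        if not any(ts < a <= ts + idle_window for a in activity_by_user.get(user, []))
    )

    total = len(fails) + len(oks)
    return {
        "failed_logins": len(fails),
        "successful_logins": len(oks),
        "fail_ratio": round(len(fails) / total, 3) if total else 0.0,
        "distinct_failed_users": len(fail_ips_by_user),
        "distinct_source_ips": len({e[3] for e in fails + oks}),
        "ip_hopping_users": hopping,
        "dormant_success_users": dormant,
    }


def stuffing_indicators(report, min_failed_users=5, min_fail_ratio=0.5):
    """Return the list of symptoms that fired (empty list means none)."""
    hits = []
    if (report["fail_ratio"] >= min_fail_ratio
            and report["distinct_failed_users"] >= min_failed_users):
        hits.append("high failure volume spread across many accounts")
    if report["ip_hopping_users"]:
        hits.append("accounts attempted from multiple source IPs: "
                    + ", ".join(report["ip_hopping_users"]))
    if report["dormant_success_users"]:
        hits.append("successful logins with no follow-on activity: "
                    + ", ".join(report["dormant_success_users"]))
    return hits


if __name__ == "__main__":
    for hit in stuffing_indicators(analyze(parse_log(SAMPLE_LOG))):
        print("INDICATOR:", hit)
```

    Password tumbling is deliberately not detected here, because a login service should not be logging submitted passwords; the next example handles that case at the credential-check step instead.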

  • myNetWatchman Announces New CEO

    Proven Fraud and Security Executive David Montague to Succeed Lawrence Baldwin as CEO.

    myNetWatchman today announced the appointment of David Montague as myNetWatchman’s CEO, effective as of May 1, 2024. Mr. Montague will succeed Lawrence Baldwin, who has served as the Company’s CEO since its formation in 2001. Mr. Baldwin founded the company and will continue at the company as Chief Innovation Officer, working closely with Mr. Montague to ensure a smooth transition.

    Mr. Montague is a risk and security executive and GM with highly specialized skills in eCommerce, fintech, payments, fraud, risk and security. His skills have been leveraged in executive positions at leading technology companies like Amazon, Expedia and IBM, and consulting firms like The Fraud Practice Inc. A true technology leader, David blends business acumen, empathy and technical expertise to solve the toughest challenges facing enterprises today, from growth in the age of heavy and steady cybercrime and explosive enterprise application deployments through to accelerated digital transformation.

    “David Montague is an executive that brings a wealth of knowledge on the fraud and security industry and he has a track record for helping emerging fraud companies to become growth companies,” said Lawrence Baldwin, Founder myNetWatchman.

    “I am truly honored to have the opportunity to lead myNetWatchman as we build on the foundations established by Lawrence, Jen, Rob, the leadership team, and our workforce. I see tremendous opportunity for myNetWatchman as companies are starving for more effective and customer-friendly approaches to confirm identity (email, credit card, username & password) and that user credentials aren't compromised. I believe this need will only grow as bad actors make more use of ATO and synthetic identities in their attacks. I will work to grow the company by introducing products that make use of the company's unique ability to see into live bad actor traffic, to become the market leader in being able to say if these key identity attributes are compromised or synthetic.” - David Montague, CEO myNetWatchman

    Mr. Baldwin continued, “On behalf of the company, I would like to welcome David, and I look forward to working with him.”

    About myNetWatchman

    Georgia-based myNetWatchman has been providing cyber fraud intelligence data for more than 20 years to retailers, financial services, insurance, and other industries. With over 10 years of live data surveillance, the company manages a continuously growing data repository containing over 30 billion exposed credential pairs and protects over 550 million users for its clients.

  • Anatomy of Email Compromise

    At myNetWatchman, we see millions of email account compromises each year. Email account takeover is a dangerous starting point for further attacks such as takeover of other accounts that use that email address as contact information, highly targeted phishing campaigns, or access to sensitive information to use later for ransom or exploitation. One of the aspects that makes email account takeover especially troublesome is that fraudsters can delete incoming emails, such as those confirming purchases or password changes, as they access other accounts associated with the compromised email. In short, an email account is the key to a consumer’s digital castle.

    Organizations unable to see signs that a user account’s email address may be compromised are missing out on an extremely valuable high-risk signal. Businesses that use the email address as a point of contact, and especially businesses that use the email address as a method for completing 2FA, need to be aware when a user’s email address has been taken over. A takeover renders 2FA relying on that email address insecure and is also a strong risk signal to consider when a user account attempts to change its password or other account details.

    Through our proprietary real-time data observations and analytics, myNetWatchman investigated the case of a Yahoo.com email account that was compromised and accessed by bad actors nearly every day over a 3-month period. During that time, over 4,000 email messages were retrieved from the inbox while the bad actor(s) performed inbox searches on 1,800 keywords. These keyword searches were telling in terms of what the bad actor was attempting to accomplish. They included searches on keywords such as:

    Bitcoin, Ethereum and other cryptocurrencies – These searches could unveil what trading platforms or services the email account holder uses to hold digital assets. This could lead to highly targeted phishing campaigns mimicking the platform the consumer utilizes. These same crypto trading platforms could also be targeted with credential stuffing or ATO attacks, in the hope that this compromised email address is a method used for completing two-factor authentication (2FA).
    PayPal and common bank names – Knowing what financial institutions and financial services companies a consumer uses enables the bad actor to craft highly targeted phishing attempts. If the bad actor sees emails with one-time passcodes for completing 2FA, the services sending these codes will also be targeted with ATO.
    Gift Cards and Virtual Gift Cards – Often virtual gift card numbers are provided in plain text emails. Fraudsters can easily check the balances on these gift cards and spend them before the consumer does.
    Shipment tracking – Shipment hijacking is a common scheme where fraudsters attempt to reroute or change the delivery address on a shipment. High-value or easily resold consumer products are prime targets.
    Loyalty programs and rewards points – Loyalty program fraud is a growing issue and something bad actors can pull off with relative ease once they take over a consumer’s account with a rewards point balance. They spend, transfer or claim the reward points balance, draining the customer’s account, resulting in frustration and brand damage.

    myNetWatchman’s Email Reputation service allows organizations to identify when a user’s email account has been, or is actively being, accessed by criminals. With Email Reputation an organization can get as much detail as it needs for its risk decision or investigation:

    • aggregated counts of how many different places we see bad actors testing or using the email
    • the names of the sites where it is being tested or used, whether it was successful, and the dates the email was first and last seen
    • what the bad actor was searching for in the compromised email account

    Knowing if an email is compromised is a valuable signal when an organization sees account changes attempted, especially changing the username, contact email or login password. If an organization relies on email-based 2FA, then this risk signal is vital. Utilizing it as a high-risk signal further extends to purchase and transaction events, such as using a stored billing instrument to purchase and ship a product to a never-before-seen address. As email accounts serve as a consumer’s keys to their digital castle, understanding risk around email compromise is paramount for all organizations that leverage access to that email account as a means of verification.

  • The Security Paradox: How to Protect Users Without Ticking Them Off

    Login processes can make or break a user experience. Excessive reliance on multi-factor authentication (MFA) often deters users from returning to a site. You may have experienced the frustration when logging in to an account, your cable or streaming provider, for example. You complete the MFA to sign in, then navigate to view your billing statement and get presented with MFA again, even though you’re still on your provider's platform. Or if you’re a frequent online shopper, you may find yourself getting asked for MFA multiple times a week (or day!) and wondering if it is worth the hassle. You’re not alone: according to a 2021 PingIdentity survey, 56% of global consumers (and 61% of U.S. consumers) would stop using an online service if the login process became too frustrating. Worse, 65% of U.S. consumers would switch to a competitor offering easier authentication.

    Businesses aren’t immune to these frustrations. Employers frequently prioritize account security over user experience, assuming that a few extra seconds of MFA are negligible. But when multiplied across daily logins for hundreds or thousands of employees, this “minor” inconvenience can result in significant productivity losses and increased support costs for help desks, with minimal impact on reducing security risk.

    MFA Exhaustion

    Step-up authentication methods like one-time passcodes (OTPs), mobile notifications, captchas, and security questions introduce friction that annoys users and damages their experience going forward. Delays in receiving codes, forgotten answers to security questions, or the need to fetch a mobile device can derail the login process entirely. And while hardware authentication tokens offer strong security, they’re impractical for many scenarios. Yet abandoning MFA isn’t the answer either. Relying solely on passwords exposes accounts to takeovers, leading to financial losses and reputational damage. We all know more isn’t always better. Sometimes better is just better. Striking a balance between security and usability is essential. MFA is a powerful tool, as is having a strong password policy. But using MFA everywhere all the time, or requiring frequent password changes, just leads to annoyed users. (For an in-depth discussion of MFA, read our paper or watch our webinar “There is no Silver Bullet: User Credentials are not Secured with 2FA Alone.”)

    The Solution: Focus on “risk based” authentication controls

    Organizations can no longer afford to see authentication as an all-or-nothing choice. Tools like AllCreds enable them to embrace risk-based authentication, protecting user accounts without alienating their users. By strategically applying friction only when necessary, businesses can enhance security, boost productivity, and create a login experience that works for everyone. In the battle of security versus user experience, the winner doesn’t have to be one or the other; it can be both.

    AllCreds takes a smarter approach by introducing friction only when it’s necessary. Powered by a vast database of over 30 billion compromised credential pairs, AllCreds detects when a user’s login credentials have been compromised elsewhere. This signals an elevated risk and justifies additional security measures like one-time passwords, security questions or other MFA approaches, but only in those instances. Here’s how it works:

    Behind-the-Scenes Protection: AllCreds operates invisibly, allowing most users to log in without interruption.
    Real-Time Risk Detection: Each day, 15 million new compromised credentials are added to AllCreds’ repository, ensuring up-to-date protection.
    Beyond Login Events: AllCreds can also flag compromised credentials during account creation or password changes, proactively mitigating risks.

    Why It Matters

    By tailoring authentication requirements to the risk level, AllCreds ensures that low-risk users enjoy a frictionless experience while high-risk scenarios are met with appropriate security measures. This balanced approach not only safeguards sensitive information but also improves user satisfaction and reduces churn.
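    As an added example (not AllCreds or myNetWatchman code), the Python below sketches the risk-based decision that the tumbling note in the Credential Stuffing post, the email-based 2FA caveat in Anatomy of Email Compromise, and the AllCreds description above all point to: look the submitted pair up in a compromised-credential index, treat a trailing-digit variant of a breached password as elevated risk, step up only on a hit, and route the challenge away from an inbox known to be compromised. The breached pairs, the mailbox list, the hashing scheme and the normalization rule are constructed assumptions; a production check would query a breach corpus rather than a local set.

```python
import hashlib
import re

# Constructed breached credential pairs (assumption; a real deployment queries a breach
# corpus such as the repository described above instead of a local list).
BREACHED_PAIRS = [
    ("alice@example.com", "Qwerty"),
    ("bob@example.com", "Summer2023"),
]
# Constructed email-reputation signal: mailboxes seen being accessed by bad actors.
COMPROMISED_MAILBOXES = {"bob@example.com"}

_TRAILING_DIGITS = re.compile(r"\d+$")


def normalize(password):
    """Strip trailing digits so tumbled variants (Qwerty1, Qwerty123) collapse to Qwerty."""
    return _TRAILING_DIGITS.sub("", password)


def pair_hash(user, password):
    """Hash the pair so the index never holds breached passwords in the clear."""
    return hashlib.sha256(f"{user.lower()}:{password}".encode()).hexdigest()


def build_index(pairs):
    """Index each breached pair and, where it differs, the digit-stripped stem."""
    index = set()
    for user, password in pairs:
        index.add(pair_hash(user, password))
        stem = normalize(password)
        if stem and stem != password:
            index.add(pair_hash(user, stem))
    return index


INDEX = build_index(BREACHED_PAIRS)


def credential_risk(user, password, index=INDEX):
    """'high' for an exact breached pair, 'elevated' for a tumbled variant, else 'low'."""
    if pair_hash(user, password) in index:
        return "high"
    stem = normalize(password)
    if stem and stem != password and pair_hash(user, stem) in index:
        return "elevated"
    return "low"


def assess_login(user, password, index=INDEX, bad_mailboxes=COMPROMISED_MAILBOXES):
    """Risk-based login decision: no friction unless a compromise signal is present."""
    risk = credential_risk(user, password, index)
    if risk == "low":
        return {"risk": risk, "action": "allow"}
    # Step up, but never send the challenge into an inbox criminals are reading.
    channel = "authenticator_app" if user.lower() in bad_mailboxes else "any_factor"
    return {"risk": risk, "action": "step_up_mfa", "channel": channel}


def password_change_allowed(user, new_password, index=INDEX):
    """Same lookup at account creation or password change: reject breached or tumbled."""
    return credential_risk(user, new_password, index) == "low"
```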

  • Is your Identity Solution Balanced? Prevention or Remediation

    Deciding on your strategy for protecting your company from account takeover (ATO) begins with deciding whether to rely more on prevention or remediation. Prevention maximizes your opportunity to avoid loss, brand reputation risk and customer loss, but it also comes with a higher cost to implement and more friction for your customers or employees when they are really focused on purchasing or productivity. Remediation can allow you to reduce your cost to implement along with the number of people who experience heavy security friction, but it comes with more risk of bad actors getting through and, more likely than not, some bad customer experience. Balancing both is a viable solution, based on your company’s product and client mix combined with your go-to-market strategy.

    The case for remediation: Focusing on remediation can mean that you’re limiting customer disruption to only those who are victims of ATO. If you have a very low likelihood of customers being targeted for ATO, a remediation-based strategy can save you the expense and effort of trying to prevent something that is unlikely to occur (low ATO frequency). Similarly, if you have very low potential loss or liability from an ATO, you can save the effort and cost of prevention (low ATO impact). Whether ATO risk is low because of low frequency or low impact, a focus on remediation not only saves on cost, but also provides a better user experience as users avoid the friction caused by most forms of prevention.

    Drawbacks of a remediation-only approach: ATO can be very difficult to detect until there is an obvious loss, e.g., a customer reports a purchase they didn’t initiate. If you can’t detect the ATO until there’s a loss, bad actors with access to your systems may be stealing information (e.g., private customer details) over an extended period of time in order to commit more serious fraud, like identity theft. Customer satisfaction and your business reputation are at higher risk; we all know that unhappy customers are more likely to speak publicly than happy customers. Every ATO event is a threat to brand reputation.

    The case for prevention: Focusing on prevention limits the number of successful ATO events, maintaining strong brand reputation and trust among customers. Preventing ATO limits your exposure, whether that is to direct loss like refunds or chargebacks, or indirect loss of proprietary information. By definition, prevention is proactive, putting you in control of when and where to apply the preventative measures.

    Drawbacks of a prevention-only approach: Focusing on prevention means more users will face friction, and these will often be legitimate users at legitimate login attempts. Some prevention measures can be very difficult to implement accurately; e.g., device recognition, IP address geolocation, and user behavior pattern recognition need sophisticated technology. For workplace accounts, more friction means reduced efficiency. For consumer accounts, more friction can lead to lower sales conversion, or reduced use of or access to the service.

    Balancing your identity solution is the ultimate way to prevent bad actors from harming your business or your employees. Consider the risk of an ATO (likelihood and impact) versus the risks that come with prevention (cost and user friction). You need to weigh the factors and find the solutions that are right for your business.

    At myNetWatchman we have solutions for both prevention and remediation, enabling our clients to support whichever is the right mix for them. For prevention, we offer AllCreds, our credential screening service leveraging our repository of over 30 billion compromised credential pairs. This screening occurs behind the scenes and presents no friction to users unless the use of a compromised credential pair is detected and you choose to apply multifactor authentication (MFA) or other forms of friction. You strategically apply the friction that comes with stronger forms of prevention.

    For remediation, we offer Web Monitoring and Email Reputation services. myNetWatchman’s Web Monitoring service monitors the web domains, email addresses, usernames, or credit card BINs (for card issuers) our clients request to have monitored so we can detect when the organization is being targeted with credential stuffing attacks via web, APIs, a portal, login page or elsewhere. Earlier detection leads to earlier remediation and less time for the bad actor to cause financial and brand damage. Email Reputation tells you if bad actors have access to an email inbox, a common point of communication for executing password resets as part of the remediation and account recovery process. myNetWatchman’s Email Reputation service makes the remediation and recovery process more secure by alerting clients when they may be sending the new password or account recovery link right into the hands of a bad actor.

  • Special Holiday Introductory offer from myNetWatchman

    The holiday season is upon us, and along with the increase in shopping, celebrating and well-wishing there is, unfortunately, an increase in fraud this time of year. Retailers are especially hard hit as fraudsters try to “get lost in the crowd” and have their activity go unnoticed amid the volume of account logins, new account openings, shipping address changes, password resets and so on that a retailer has to process. Identifying account takeover can be tough, and getting it wrong at this time of year can cost you a customer long term. We also know companies rely heavily on email to “authenticate” their customers' activity. For the past few years we have seen about 30% more criminal activity in November through January than in the summer months (June through August). myNetWatchman has a service to identify compromised emails and accounts, and to celebrate the upcoming launch of our Email Reputation portal in Q1 2025 we have a limited-time offer for companies to get a portal account to use for the 2024 holiday season. For $500.00 you get a single-user account from now through January 31, 2025. You'll get:
    • No commitment: you are charged the low introductory cost just once. When the special ends on January 31, let us know if you want to upgrade to a subscription.
    • One user, unlimited use: check as many email addresses as you want, as many times as you want, until the special ends on January 31.
    • A full scan of our repository of 30+ billion known breached credentials for every address you enter.
    • A comprehensive summary of what we have seen criminals doing with the email address.
    • 90 days of history showing where a criminal tried the address, and whether or not they were successful.
    • For compromised emails, what the bad actor searched for in the mailbox.

  • How Bad Actors Take Over Email Accounts

    Email accounts are highly valued targets for bad actors, and myNetWatchman data shows it. Over the past 30 days, live data monitoring shows a daily average of 7.5 million illegitimate login attempts against email accounts, targeting an average of 2.5 million unique mailboxes each day. Access to an email account is valuable to fraudsters because it is a launching point for a multitude of other attacks. In Anatomy of Email Compromise we talked about what bad actors do once they have gained access to an email account. Today we are discussing the methods we observe bad actors using to gain and maintain that access.

Email accounts are particularly vulnerable because of the confluence of two factors: consumers often reuse not only passwords but whole credential pairs (a password and a username or email used in combination), and billions of credential pairs have been compromised in data breaches. Together these make it easy for bad actors to attempt access to an email account simply by using an email and password combination compromised in any data breach.

Techniques bad actors use to gain access to an email account

Credential Stuffing involves attempting credential pairs compromised in one or more data breaches against the login pages of organizations unaffiliated with the breach where the pair was compromised. Often a credential stuffing attack targets a long list of organizations where a consumer may have created an account with the same credential pair. It is a high-volume attack, typically executed by bots, with a low success rate; but even a success rate of under one percent on millions of attempts is fruitful. Credential stuffing against email accounts takes a more targeted approach. Many organizations have users create accounts and log in with an email address rather than a username, so when a compromised credential pair includes an email address, it tells bad actors exactly where to attempt Account Takeover (ATO) of the inbox: they just look at the email domain. When a bad actor knows a username that is not an email, they will often try the username as the local part of an email address. For example, the username Bob123 leads to ATO attempts against Bob123@gmail.com, Bob123@outlook.com, and so on.

Phishing is a form of social engineering, using manipulation and deception to get the victim to do what the attacker wants, whether that is clicking a link, downloading a malicious file or giving away information. Phishing generally refers to these attempts via email; variations like SMiShing (SMS text messages) and Vishing (voice, via phone calls or voicemail) use the same tactics through different delivery methods. These messages typically try to create a sense of urgency, for example claiming that a transaction was made or that an account is being shut down, and they can be very convincing, mimicking real brands or organizations the victim patronizes. If the victim clicks a link or downloads a file, it may install spyware that captures credentials entered on their device. A link may instead lead to what looks like a real login page, where the victim hands their login details directly to the bad actors.

Spear Phishing is a more advanced form of phishing in which the attacker targets a specific individual within an organization. The attacker researches the target via public information, social media and more. The resulting emails purport to come from someone the target knows, and their content is plausible. Attackers may go as far as coordinating a simultaneous SIM swap attack (ATO of the victim's phone number) so that they receive the authentication codes and get around two-factor authentication.

Maintaining access to an email account

Because a victim's mailbox is so valuable and useful to a bad actor, they will spend the (relatively low) effort needed to keep access to it. Mainly this means deleting anything that arrives in the inbox intended to tip the true account holder off that someone else has accessed their email, such as notifications of a login attempt or a successful login from a new device, location or IP address. The bad actor can easily delete these not only from the Inbox but from the Trash folder as well. myNetWatchman data shows that this works. In a random sample of 100,000 email accounts known to have been recently accessed by bad actors, 30 percent had been compromised for more than two years.

Email Reputation can tell organizations whether an email address is being targeted by credential stuffers, and to what extent. This helps organizations understand risk and act accordingly at login and account creation events. Beyond whether a given address is being targeted, Email Reputation reports:
    • how many different passwords have been attempted with this email;
    • against how many different sites this email has been attempted;
    • how many credential stuffing attempts against this email have succeeded (provided the correct password);
    • the timeframe of these attempts;
    • if the inbox was accessed by a bad actor, when, for how long and how recently;
    • what the bad actor searched for in the mailbox, which sheds light on what they are likely to target next.

There are many actions consumers can take to protect themselves against email ATO, and it starts with using unique, strong passwords. A consumer who reuses a password should assume it has already been compromised through one of the accounts that use it. The best way consumers can fight back against credential stuffing is to ensure that when any account they hold is caught up in a data breach, the compromised password cannot be used against them anywhere else. It would be great if all consumers took these measures themselves, but we will not hold our breath. In the meantime, Email Reputation alerts organizations when user credentials are being targeted or are at high risk.
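The per-target signals listed above (distinct passwords, distinct sites, successes, timeframe) and the high-volume, many-accounts pattern of a stuffing bot can both be derived from a site's own authentication log. The following is an added example and not myNetWatchman code: the log format (one JSON record per line with ts, site, email, pw_hash, src and ok fields), the sample records, and the detection thresholds are all constructed for illustration and would need tuning against real traffic.

```python
"""Credential-stuffing signals computed from login-attempt records.

Added example (not myNetWatchman code). From a constructed authentication
log it derives per-target signals (how many different passwords and sites
an email was tried against, how many attempts succeeded, over what span)
and per-source detection of a bot spraying many different accounts.
"""
import json
from collections import defaultdict
from datetime import datetime

# Constructed sample log, one JSON record per line. pw_hash stands in for a
# hash of the submitted password; the plaintext is never needed here.
SAMPLE_LOG = """\
{"ts": "2024-11-02T03:14:07Z", "site": "shop.example", "email": "Bob123@example.com", "pw_hash": "h1", "src": "203.0.113.5", "ok": false}
{"ts": "2024-11-02T03:14:09Z", "site": "shop.example", "email": "bob123@example.com", "pw_hash": "h2", "src": "203.0.113.5", "ok": false}
{"ts": "2024-11-02T03:14:11Z", "site": "shop.example", "email": "carol@example.com", "pw_hash": "h3", "src": "203.0.113.5", "ok": false}
{"ts": "2024-11-02T03:14:12Z", "site": "shop.example", "email": "dave@example.com", "pw_hash": "h4", "src": "203.0.113.5", "ok": false}
{"ts": "2024-11-02T03:14:14Z", "site": "shop.example", "email": "erin@example.com", "pw_hash": "h5", "src": "203.0.113.5", "ok": true}
{"ts": "2024-11-03T22:01:40Z", "site": "mail.example", "email": "bob123@example.com", "pw_hash": "h1", "src": "198.51.100.9", "ok": true}
{"ts": "2024-11-04T10:30:00Z", "site": "shop.example", "email": "frank@example.com", "pw_hash": "h6", "src": "192.0.2.44", "ok": false}
{"ts": "2024-11-04T10:31:00Z", "site": "shop.example", "email": "frank@example.com", "pw_hash": "h6", "src": "192.0.2.44", "ok": true}
"""


def parse_log(text):
    """Parse one JSON record per line; normalise the email and the timestamp."""
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        rec = json.loads(line)
        rec["email"] = rec["email"].strip().lower()
        rec["ts"] = datetime.fromisoformat(rec["ts"].replace("Z", "+00:00"))
        records.append(rec)
    return records


def target_profile(records):
    """Per-email signals of the kind the post lists for a targeted address."""
    acc = defaultdict(lambda: {"passwords": set(), "sites": set(), "attempts": 0,
                               "successes": 0, "first": None, "last": None})
    for r in records:
        p = acc[r["email"]]
        p["passwords"].add(r["pw_hash"])
        p["sites"].add(r["site"])
        p["attempts"] += 1
        p["successes"] += 1 if r["ok"] else 0
        p["first"] = r["ts"] if p["first"] is None else min(p["first"], r["ts"])
        p["last"] = r["ts"] if p["last"] is None else max(p["last"], r["ts"])
    return {
        email: {"distinct_passwords": len(p["passwords"]),
                "distinct_sites": len(p["sites"]),
                "attempts": p["attempts"],
                "successes": p["successes"],
                "first": p["first"],
                "last": p["last"]}
        for email, p in acc.items()
    }


def stuffing_sources(records, min_attempts=5, min_distinct_ratio=0.5):
    """Flag sources that spray many *different* accounts.

    A legitimate user retrying a forgotten password hits one account many
    times; a stuffing bot hits many accounts about once each. The success
    rate is reported (in real attacks it is usually well under one percent),
    but the threshold here is on account spread, which separates the two
    patterns even in a small window. Thresholds are assumptions.
    """
    by_src = defaultdict(lambda: {"attempts": 0, "emails": set(), "hits": set()})
    for r in records:
        s = by_src[r["src"]]
        s["attempts"] += 1
        s["emails"].add(r["email"])
        if r["ok"]:
            s["hits"].add(r["email"])
    flagged = {}
    for src, s in by_src.items():
        if s["attempts"] < min_attempts:
            continue
        if len(s["emails"]) / s["attempts"] >= min_distinct_ratio:
            flagged[src] = {
                "attempts": s["attempts"],
                "distinct_accounts": len(s["emails"]),
                "success_rate": len(s["hits"]) / s["attempts"],
                # Accounts the bot actually got into need remediation (forced
                # reset, session revocation), not just a block on the source.
                "compromised_accounts": sorted(s["hits"]),
            }
    return flagged


if __name__ == "__main__":
    recs = parse_log(SAMPLE_LOG)
    for email, profile in target_profile(recs).items():
        print(email, profile)
    for src, info in stuffing_sources(recs).items():
        print("stuffing source", src, info)
```

On the sample, bob123@example.com shows two different passwords tried across two sites with one success, and 203.0.113.5 is flagged because four of its five attempts went to different accounts, with erin@example.com listed for remediation. A single site only sees its own slice of an attack; the cross-site counts the post describes require aggregating such records across many properties.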

  • YOU HAVE BEEN BREACHED: Consumer Credential Stuffing

    When a credential stuffer tests multitudes of usernames and passwords and even one succeeds, you now have a customer who has suffered a data breach. Your organization, like most, probably has people working hard to make sure hackers do not breach your internal systems. But do you have a similar level of protection against breaches of your customer accounts? Many organizations think credential stuffing is low risk, or figuratively throw up their hands, citing consumers' poor password hygiene or third-party data breaches as a “there's nothing we can do” defense. This mindset can cost you reputation, customer confidence, and, as we have seen recently, severe fines and legal costs.

The $30 million settlement of the class action lawsuit against 23andMe should serve as a wake-up call that organizations can be found financially liable for neglecting to prevent credential stuffing attacks. Most coverage of the event behind the suit refers to the 6.9 million 23andMe customers whose genetic testing and ancestry data was accessed. But this data breach began with credential stuffing attacks using credentials compromised in various prior data breaches, credentials that consumers were reusing for their 23andMe accounts.

There are several key takeaways from this class action suit and settlement. First is the amount, $30 million, of which 23andMe believes $25 million will be covered by cyber insurance. It is hard to quantify the damages to consumers whose ancestry data was compromised; the defendants argued that because traditionally sought-after data, like Social Security numbers, was not implicated, the amount should be lower. Organizations need to consider the types and sensitivity of the personally identifiable information (PII) they maintain for user accounts, and the legal and liability risks associated with unauthorized access to it.

Another key takeaway comes from the plaintiffs' accusation that 23andMe should have done more to protect the accounts. As part of the settlement, 23andMe agreed to mandate Multi-Factor Authentication (MFA) going forward. This may set a precedent that organizations are responsible for protecting user accounts even when the users do not protect themselves, leaving their accounts open to credential stuffing and account takeover by reusing compromised passwords.

However, MFA is not a perfect solution. While MFA does protect accounts against Account Takeover (ATO), the reality is that most consumers will not opt in, and there will be significant churn or customer attrition if it is mandated. The bottom line is that consumers do not want additional friction, and neither do companies, because friction means lower sales. Organizations need to consider more passive ways to protect against credential stuffing. Passive protections are the only method available when consumers refuse the friction of MFA, but they should also be used alongside MFA, as the way to present it more strategically and selectively.

Bad actors know and exploit the fact that consumers tend to reuse passwords. That is why they systematically carry out credential stuffing attacks to find where else a breached credential pair is in use. myNetWatchman has unique insight into these attacks, because we see credential stuffing at large scale and across some of the largest web properties. Every year we observe tens of thousands of companies and websites each experiencing thousands of credential stuffing attempts; in just the past 30 days, over 3,000 companies were targeted. Companies need a way to detect and stop credential stuffing attacks and to remediate the accounts that are taken over. myNetWatchman offers services to detect that these attacks are occurring and to identify which accounts are at risk or compromised. Our services can screen a credential whenever it is presented, cross-checking it against our repository of 30 billion compromised credential pairs. This is the passive protection organizations need to detect credential stuffing and avoid the costly headaches these attacks cause.

Those costs go beyond a potential settlement like the $30 million one 23andMe is facing; they include operational costs, downtime and brand damage. A 2017 study from the Ponemon Institute estimated the annualized cost of credential stuffing attacks at $6 million on average counting only prevention, detection and remediation (excluding fraud losses). The average cost of fraud-related losses ranged from $500,000 to $54 million, depending on what percentage of accounts suffered a monetary loss as a direct result of the attack. Keep in mind that these figures would be 29 percent higher adjusted for cumulative inflation since 2017, and they still exclude harder-to-quantify losses such as brand damage and lost customer lifetime value.

myNetWatchman's Web Monitoring service alerts clients to ongoing credential stuffing attacks so they can be identified and stopped, and identifies the user accounts implicated in the attack for remediation. Our AllCreds service focuses on prevention and remediation around credential stuffing: clients leverage our repository of over 30 billion compromised credential pairs to know when compromised credentials are presented, whether at login, account creation or password change. Our continuous live attack monitoring adds 15 million new compromised credential pairs each day.

Companies are beginning to learn the hard way that credential stuffing cannot be ignored. Reluctance to use MFA means more needs to be done to passively protect user accounts. While a case as notable as the 23andMe class action and settlement results in losses larger than most will experience from credential stuffing, it should serve as a stark reminder that these are troublesome and costly attacks, and that the precedent has been set: organizations need to do more to protect user accounts from credential stuffing.
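What "screening a credential whenever it is presented" looks like in application code, as an added example that is not the AllCreds API or any myNetWatchman code: the breach repository is a constructed local set of hashed credential pairs and hashed passwords, the usernames and passwords are made up, and the decision policy (reject at registration and password change, step up to MFA only on an exact pair hit at login) is one reasonable choice rather than something the post prescribes. It also illustrates the point of the earlier post on balancing prevention against friction: the MFA prompt is applied only where the compromised pair is detected.

```python
"""Compromised-credential screening at login, registration and password change.

Added example, not the AllCreds API. The "repository" is a constructed
local set of hashed credential pairs and hashed passwords standing in for
a breach corpus; a real deployment would query a service rather than hold
the corpus itself.
"""
import hashlib
from enum import Enum


class Decision(Enum):
    ALLOW = "allow"            # no friction
    STEP_UP = "require_mfa"    # let the login continue only after a second factor
    REJECT = "reject"          # do not accept this password as a new credential


def _sha256(s: str) -> str:
    return hashlib.sha256(s.encode("utf-8")).hexdigest()


def pair_key(username: str, password: str) -> str:
    """Hash of the normalised (username, password) pair.

    Usernames are case-folded and trimmed; passwords are used as typed.
    """
    return _sha256(username.strip().lower() + "\x00" + password)


# Constructed stand-in for a breach corpus (assumption: it exposes both exact
# pairs, i.e. a username and password seen together in a breach, and bare
# passwords, because a password leaked with someone else's username is still
# a poor choice for a new credential).
BREACHED_PAIRS = {
    pair_key("bob123@example.com", "Summer2019!"),
    pair_key("carol@example.com", "hunter2"),
}
BREACHED_PASSWORDS = {_sha256(p) for p in ("Summer2019!", "hunter2", "password1")}


def meets_complexity(password: str) -> bool:
    """The traditional rule set: length plus character classes. It says
    nothing about whether the password is already in circulation."""
    return (len(password) >= 8
            and any(c.islower() for c in password)
            and any(c.isupper() for c in password)
            and any(c.isdigit() for c in password)
            and any(not c.isalnum() for c in password))


def screen(username: str, password: str, event: str,
           pairs=BREACHED_PAIRS, passwords=BREACHED_PASSWORDS) -> Decision:
    """Decide what to do with a presented credential at a given event.

    event is one of "login", "register", "password_change".
    """
    pair_hit = pair_key(username, password) in pairs
    password_hit = _sha256(password) in passwords

    if event in ("register", "password_change"):
        # Creating a credential: refuse anything already in a breach corpus,
        # whether as this user's pair or as a bare password.
        return Decision.REJECT if (pair_hit or password_hit) else Decision.ALLOW

    if event == "login":
        # Authenticating: the exact pair being in circulation means a
        # stuffing bot can present it too, so this login (and only this
        # login) gets MFA, with a forced password change once the user is
        # in. A bare-password hit is not this user's breach and adds no
        # friction here.
        return Decision.STEP_UP if pair_hit else Decision.ALLOW

    raise ValueError(f"unknown event: {event!r}")


if __name__ == "__main__":
    pw = "Summer2019!"
    print("complexity rules accept", pw, "->", meets_complexity(pw))
    print("login           ->", screen("bob123@example.com", pw, "login").value)
    print("password_change ->", screen("bob123@example.com", pw, "password_change").value)
    print("register        ->", screen("dave@example.com", "password1", "register").value)
```

Note that "Summer2019!" satisfies every conventional complexity rule and is still rejected as a new credential, which is the gap complexity rules leave and screening closes. On a pair hit at login, the step-up should be followed by revoking existing sessions and forcing a password change; otherwise the compromised pair stays valid for the next bot that tries it.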

  • Beyond the Inbox: The Far-Reaching Impact of Email Compromise

    The email address is the most commonly used data point to validate that someone trying to access a system is the true account holder. When we create user accounts online, the email address is always collected, and it often doubles as our username. If we need to reset our password, if a login attempt is suspicious and the organization wants to notify us, or if a one-time passcode (OTP) is sent to validate that it is really us, this is done by email much, if not most, of the time. We put enormous trust in the email address, but how do we know that access to the mailbox has not already been compromised?

Consumer email accounts are high-value targets for bad actors because access to an active mailbox can be a launching point for so many other attacks. The inbox reveals the financial institutions, online merchants and other organizations the victim interacts with online. There are many attacks bad actors will attempt once they have access to an email account. It often begins with the bad actor curating a list of sites to target with credential stuffing: they search the inbox for order confirmations or any email that shows a customer relationship. Knowing that people commonly reuse passwords, the miscreant tries the same credential pair that opened the email account at many other sites and services. If a username rather than an email address is used to log in elsewhere, that username may well be sitting in an old email in the inbox. If the email Account Takeover (ATO) victim uses a unique password for their email account, the bad actor's tactics shift from credential stuffing to attacking the victim's other accounts through password reset flows, which are mostly completed via links sent to the account email. It is also common for bad actors to change the contact email address on file so it is harder for the consumer to recover their account. As the bad actor makes these changes, they cover their tracks by deleting the password reset and account change confirmation emails that arrive in the victim's inbox.

myNetWatchman's Email Reputation service lets you see which email accounts are compromised. It gives companies the means to know not only whether an email is compromised, but also how recently the bad actor was using the mailbox and what they were trying to gain. For example, in the last 30 days bad actors using a compromised mailbox looked for:
    • Buy Now Pay Later (BNPL) services (such as Klarna, Affirm, etc.), because they could take over those accounts and make unauthorized purchases.
    • Order confirmations, promotions and coupons, because these reveal who the victim does business with, giving targets for more fraud.
    • “loyalty program,” “rewards” and “points,” because they can transfer or redeem the rewards or points.
    • Crypto trading platforms and wallets (“blockchain,” “bitcoin,” and “onekey,” an open source crypto wallet), because crypto wallets and platforms are very high-value ATO targets whose balance the attacker ultimately wants to drain.
    • Website design and hosting services like SquareSpace, Wix, etc., because these are good targets for ransom attacks in which a bad actor takes control of a website, takes it down and threatens to delete it forever unless a ransom is paid.
    • Password managers like LastPass, NordPass, etc., because those are the miscreant's treasure chest of all the victim's accounts.

Clearly, a lot of damage can be done once a consumer's email account has been taken over. While this is damaging to the victim, it is also a major concern for any organization using that compromised email address as contact information. If an email address is actively compromised, it is no longer a valid channel for two-factor authentication (2FA) and cannot be trusted to complete password reset flows. Further, organizations cannot rely on confirmation emails saying that an account was accessed, a password was changed or a purchase was made, and trust that the true account holder will see the notification: the bad actor who has taken over the mailbox is waiting for it and will swiftly remove it from the inbox.

Knowing that an email account is actively compromised greatly changes the risk profile and renders useless some of the most common methods of confirming or authenticating logins and account changes. These are the insights myNetWatchman provides to clients via our Email Reputation service. Any organization that relies on the email address for 2FA, for password reset flows, or just to notify and confirm that a purchase, login or account change was legitimate will benefit from knowing whether an email address is, or might be, compromised. Those who offer loyalty programs, maintain stored billing instruments, protect sensitive consumer information, allow purchases on credit or maintain any type of account balance that can be spent or transferred have an elevated ATO risk exposure and will be targeted. It is only a matter of time before ATO of an email account leads to ATO attempts against the many organizations with which that consumer does business or interacts online.

  • New White Paper from The Fraud Practice and myNetWatchman Discusses Balancing Protection Against ATO with Preserving the User Experience

    We provide an alternative perspective on the myth that 2FA makes user credentials secure, so you do not need to detect compromised credentials. Traditional security measures are proving insufficient both at protecting consumer accounts from takeover and at reducing friction in consumer eCommerce. The Fraud Practice and myNetWatchman present this free white paper, There is no Silver Bullet: User Credentials are not Secured with 2FA Alone, which sheds light on the limitations of two-factor authentication (2FA) and emphasizes the need for more risk-aware, user-friendly security solutions.

Two-factor authentication is a useful tool, but it does nothing to protect the first factor of authentication: the password. Even when 2FA blocks the account takeover (ATO), a credential stuffing attempt that reaches the second-factor prompt has confirmed to the attacker that the password is still valid, which is a partial success for the attack. Further, consumers do not want 2FA on every interaction; outside the workplace and online or mobile banking, 2FA is used sparingly by consumers, so mandating it does not make sense for most organizations. Stronger protection and risk mitigation at the first factor are needed, and it is an area where most organizations stand to improve.

In this free white paper, misconceptions and challenges around 2FA are discussed along with alternative ATO detection and mitigation strategies that put more emphasis on protecting the first factor of authentication. One area discussed is leveraging services that detect compromised credentials and credential stuffing attacks, which can enhance security while keeping a seamless experience for the majority of users who present low risk. These insights help protect against unauthorized access and reduce the need for broad, user-unfriendly authentication steps that add friction and carry a per-use cost. By adopting more nuanced, passive security measures, organizations can better protect their users without compromising the user experience. This approach not only fortifies defenses against ATO attacks but also ensures a smoother, less intrusive login process for consumers. Download the free white paper today.
