If you get a notice that your information has been compromised, you may picture a lone hacker sitting in the dark trying to break into your accounts one by one. But that’s far from reality. Some of today’s tech-savvy hackers buy large databases of stolen data and use high-speed bots to “guess” passwords and crack into accounts. It’s called credential cracking, and here’s what you need to know about it.
Think Your Accounts Can’t Be Hacked Without Your Password? Think Again.
Credential cracking is a method that cybercriminals use to take over your account, even if they don’t know your password.
Hackers start with a list of stolen usernames, but no passwords. Using credential cracking software, they brute-force the accounts by testing a library of commonly used passwords against a large database of stolen usernames. If a login attempt is successful, the hacker can change the password so that they now have access and control over the account—and you don’t.
To make matters worse, if you’re one of the many people who reuses the same password across multiple websites, any cracked credentials that a hacker discovers could potentially be used to take over your other accounts too.
Credential Stuffing Attacks Took Off in 2018
A close relative of credential cracking is credential stuffing, in which attackers take a username and password combination stolen from one website and “stuff” those login credentials into other websites in an attempt to access the victim’s other online accounts.
Credential stuffing took off in 2018, with nearly 30 billion documented attempts recorded. One likely reason is the sheer number of stolen records available for hackers to choose from, which increases the odds that some credentials will work on another website.
That is what occurred during the recent TurboTax cybersecurity incident. Thieves took stolen username and password combinations from a data breach and systematically tested them on the TurboTax website, thereby exposing the tax returns and identities of the unfortunate victims.
This situation highlights one of the biggest problems in today’s consumer security practices: the use of the same username and password combinations across multiple online services.
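From the defender's side, the two attacks described above leave different footprints in an authentication log, and a site can use that to spot them. The following Python script is an added example, not code from the article or from any of the companies it mentions; the log format, the IP addresses, the usernames and the thresholds are all constructed for illustration. Both attacks produce a burst of failed logins from one source, but credential stuffing spends roughly one guess per username (one stolen pair per account), while credential cracking spends many guesses per username (a password list run against each account).

```python
from collections import defaultdict

# Constructed authentication log excerpt (hypothetical, not from the article):
# one line per login attempt, key=value fields, result is OK or FAIL.
SAMPLE_LOG = """\
2019-03-01T10:00:01Z src=203.0.113.7 user=u01 result=FAIL
2019-03-01T10:00:02Z src=203.0.113.7 user=u02 result=FAIL
2019-03-01T10:00:03Z src=203.0.113.7 user=u03 result=FAIL
2019-03-01T10:00:04Z src=203.0.113.7 user=u04 result=FAIL
2019-03-01T10:00:05Z src=203.0.113.7 user=u05 result=OK
2019-03-01T10:00:06Z src=203.0.113.7 user=u06 result=FAIL
2019-03-01T10:00:07Z src=203.0.113.7 user=u07 result=FAIL
2019-03-01T10:00:08Z src=203.0.113.7 user=u08 result=FAIL
2019-03-01T10:01:00Z src=198.51.100.9 user=bob result=FAIL
2019-03-01T10:01:01Z src=198.51.100.9 user=bob result=FAIL
2019-03-01T10:01:02Z src=198.51.100.9 user=bob result=FAIL
2019-03-01T10:01:03Z src=198.51.100.9 user=bob result=FAIL
2019-03-01T10:01:04Z src=198.51.100.9 user=carol result=FAIL
2019-03-01T10:01:05Z src=198.51.100.9 user=carol result=FAIL
2019-03-01T10:01:06Z src=198.51.100.9 user=carol result=FAIL
2019-03-01T10:01:07Z src=198.51.100.9 user=carol result=FAIL
2019-03-01T10:01:08Z src=198.51.100.9 user=dave result=FAIL
2019-03-01T10:01:09Z src=198.51.100.9 user=dave result=FAIL
2019-03-01T10:01:10Z src=198.51.100.9 user=dave result=FAIL
2019-03-01T10:01:11Z src=198.51.100.9 user=dave result=FAIL
2019-03-01T10:02:00Z src=192.0.2.55 user=erin result=FAIL
2019-03-01T10:02:05Z src=192.0.2.55 user=erin result=OK
"""


def parse_log(text):
    """Parse key=value auth log lines into dicts; malformed lines are skipped."""
    entries = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 4:
            continue
        fields = dict(p.split("=", 1) for p in parts[1:] if "=" in p)
        if {"src", "user", "result"} <= fields.keys():
            entries.append({"ts": parts[0], **fields})
    return entries


def profile_sources(entries):
    """Per source IP: total attempts, failures, and the set of usernames tried."""
    stats = defaultdict(lambda: {"attempts": 0, "failures": 0, "users": set()})
    for e in entries:
        s = stats[e["src"]]
        s["attempts"] += 1
        if e["result"] == "FAIL":
            s["failures"] += 1
        s["users"].add(e["user"])
    return stats


def classify(s, min_attempts=6, min_fail_ratio=0.8, min_users=5):
    """Label one source's behaviour (thresholds are illustrative assumptions).

    Stuffing: high failure ratio, many distinct users, ~1 guess per user.
    Cracking: high failure ratio, several guesses per user.
    """
    if s["attempts"] < min_attempts:
        return "normal"
    fail_ratio = s["failures"] / s["attempts"]
    if fail_ratio < min_fail_ratio:
        return "normal"
    guesses_per_user = s["attempts"] / len(s["users"])
    if len(s["users"]) >= min_users and guesses_per_user < 1.5:
        return "credential_stuffing"
    if guesses_per_user >= 3:
        return "credential_cracking"
    return "suspicious"


def detect(text):
    """Return {source_ip: label} for every source present in the log text."""
    return {ip: classify(s) for ip, s in profile_sources(parse_log(text)).items()}


if __name__ == "__main__":
    for ip, label in detect(SAMPLE_LOG).items():
        print(f"{ip:15} {label}")
```

The one successful login from the stuffing source (`u05`) is the event that matters most: an OK result arriving inside a run of failures across many accounts is a strong signal that a reused password has just been found, and is a sensible trigger for a forced password reset or step-up verification on that account. Per-IP thresholds are only a starting point, since attackers spread attempts across many addresses; production detection usually also aggregates by username and by the site-wide failure rate.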
Almost Any Online Account Can Be a Target
You may have some online accounts you don’t think you need to worry about in terms of security. What, after all, could a thief possibly do with your video streaming account or your gaming credentials?
In fact, credential stuffing attacks have been reported across many different types of web properties, including retail, video media, entertainment, financial services, hotel and travel, social media, and more.
Hackers may target media and entertainment accounts because they contain payment details and demographic data, which can have a high value on the black market. They may try to crack retail websites for the merchandise, which hackers purchase through compromised accounts and then resell.
It’s Time to Improve Our Password Habits
According to the Identity Theft Resource Center (ITRC), due to today’s automation behind stealing account access, consumers need to practice the strongest password security they can, now more than ever.
To learn more about how you can take steps towards better password security, see the U.S. Department of Homeland Security’s guide for choosing and protecting passwords.