The Worrisome Rise of Credential Stuffing

How to prevent coordinated, automated, big data-scale ATO


Account takeover (ATO) is not only one of the most dangerous forms of online fraud; it is increasingly one of the most common. The prevalence of readily accessible user data—the result of ongoing massive data breaches—makes this uniquely hard-to-spot attack type particularly appealing to fraudsters, and increasingly powerful automation capabilities are giving rise to an especially damaging breed of ATO. It’s called credential stuffing, and seemingly no organization is immune—in recent months, companies ranging from Dunkin’ Donuts and DailyMotion to OkCupid and Reddit have suffered massive credential stuffing ATO attacks.


Big data-scale ATO


In its simplest form, ATO is precisely what it sounds like—a legitimate user account gets taken over by a fraud actor who has obtained the credentials needed to log in to it. What makes credential stuffing unique—and uniquely concerning—is the scale and the automation. In a credential stuffing attack, fraudsters take massive troves of leaked username and password pairs from one breach and fire them, using automated tooling, at the login pages of other sites in hopes of getting a “hit”—an instance in which a pair works because the user reused the same password, and the attacker gets into the account. Only a small fraction of attempts need to succeed for the attack to pay off when millions of pairs are tried. Once in, the fraudster is free to extract as much value from the account as possible.
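The traffic pattern described above (one source trying many different username/password pairs, most of which fail) is also the signal a defender can alert on. The script below is an added example, not code from the original article: it parses a small set of constructed login-log lines (the log format, field names and thresholds are assumptions chosen for illustration) and flags sources whose attempts in a sliding window spread across many distinct usernames with a low hit rate, while leaving a single user who retries their own password alone.

```python
"""Flag credential-stuffing behaviour in authentication logs.

Added example, not part of the original article. The log format,
thresholds and sample data below are assumptions for illustration.
"""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Assumed log format: <ISO timestamp> src=<ip> user=<username> result=<ok|fail>
LOG_RE = re.compile(
    r"^(?P<ts>\S+) src=(?P<src>\S+) user=(?P<user>\S+) result=(?P<result>ok|fail)$"
)

# Constructed sample data (not real logs). 203.0.113.5 sprays twelve different
# accounts and hits one; 198.51.100.7 is a legitimate user mistyping his password.
SAMPLE_LOG = """\
2024-05-01T10:00:00 src=203.0.113.5 user=alice result=fail
2024-05-01T10:00:05 src=198.51.100.7 user=bob result=fail
2024-05-01T10:00:10 src=203.0.113.5 user=bob result=fail
2024-05-01T10:00:20 src=203.0.113.5 user=carol result=ok
2024-05-01T10:00:30 src=203.0.113.5 user=dave result=fail
2024-05-01T10:00:35 src=198.51.100.7 user=bob result=fail
2024-05-01T10:00:40 src=203.0.113.5 user=erin result=fail
2024-05-01T10:00:50 src=203.0.113.5 user=frank result=fail
2024-05-01T10:01:00 src=203.0.113.5 user=grace result=fail
2024-05-01T10:01:05 src=198.51.100.7 user=bob result=fail
2024-05-01T10:01:10 src=203.0.113.5 user=heidi result=fail
2024-05-01T10:01:20 src=203.0.113.5 user=ivan result=fail
2024-05-01T10:01:30 src=203.0.113.5 user=judy result=fail
2024-05-01T10:01:40 src=203.0.113.5 user=mallory result=fail
2024-05-01T10:01:45 src=198.51.100.7 user=bob result=ok
2024-05-01T10:01:50 src=203.0.113.5 user=oscar result=fail
this line is malformed and is skipped by the parser
"""


def parse_line(line):
    """Parse one log line into a dict, or return None if it does not match."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    return {
        "ts": datetime.fromisoformat(m["ts"]),
        "src": m["src"],
        "user": m["user"],
        "ok": m["result"] == "ok",
    }


def detect_stuffing(lines, window=timedelta(minutes=5), min_attempts=8,
                    min_distinct_users=5, max_hit_rate=0.2):
    """Return {src: stats} for sources whose attempts inside a sliding time
    window are numerous, spread over many distinct usernames, and rarely
    succeed. A single user retrying one account fails the distinct-user test
    and is not flagged. Thresholds are illustrative assumptions."""
    events = [e for e in map(parse_line, lines) if e]
    events.sort(key=lambda e: e["ts"])
    recent = defaultdict(deque)  # src -> events still inside the window
    flagged = {}
    for ev in events:
        q = recent[ev["src"]]
        q.append(ev)
        while q and ev["ts"] - q[0]["ts"] > window:
            q.popleft()  # drop attempts that aged out of the window
        if len(q) < min_attempts:
            continue
        users = {e["user"] for e in q}
        if len(users) < min_distinct_users:
            continue
        hits = sorted({e["user"] for e in q if e["ok"]})
        hit_rate = len(hits) / len(q)
        if hit_rate > max_hit_rate:
            continue
        # Keep the largest window seen for this source.
        if ev["src"] not in flagged or len(q) > flagged[ev["src"]]["attempts"]:
            flagged[ev["src"]] = {
                "attempts": len(q),
                "distinct_users": len(users),
                "hits": hits,  # accounts that should now be treated as compromised
                "hit_rate": round(hit_rate, 3),
            }
    return flagged


def run_sample():
    """Run the detector over the constructed sample log."""
    return detect_stuffing(SAMPLE_LOG.splitlines())


if __name__ == "__main__":
    for src, stats in run_sample().items():
        print(src, stats)
```

The accounts listed under `hits` are the ones that matter operationally: the source is already known to be spraying leaked pairs, so a successful login from it is a takeover, not a customer, and those sessions should be revoked and the users forced to reset. In production the same logic would run per source, per ASN and per user agent, because stuffing tools routinely rotate through proxy pools to stay under any single-IP threshold.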


The high value of your personal and financial data


ATO attacks of any type are dangerous because they involve real accounts created by real users. When a fraudster gets into a legitimate account, they get unrestricted access to that user’s personal and financial data. They can use that information for their own fraudulent activity, or they can sell it on the underground market. The latter can be extremely lucrative, as can be seen from some of the numbers recently provided by Gro ..
