Credential stuffing is a low-level cyberattack that can cause some major headaches.
In this type of attack, hackers obtain stolen credentials and use them to gain unauthorized access to user accounts through large-scale automated login requests.
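The large-scale, automated login attempts described above leave a recognizable trace in authentication logs: one source trying many different usernames with mostly failures. The following is an added example (not GM's system or code from this article) that runs a simple detector over constructed sample log lines and lists the accounts a defender would force-reset; the log format, field names, IP addresses and thresholds are all assumptions.

```python
import re
from collections import defaultdict

# Constructed sample log lines (not from GM or the article): one login attempt per line.
SAMPLE_LOG = """\
2022-04-11T10:00:01Z ip=203.0.113.7 user=alice result=FAIL
2022-04-11T10:00:02Z ip=203.0.113.7 user=bob result=FAIL
2022-04-11T10:00:02Z ip=203.0.113.7 user=carol result=FAIL
2022-04-11T10:00:03Z ip=203.0.113.7 user=dave result=SUCCESS
2022-04-11T10:00:04Z ip=203.0.113.7 user=erin result=FAIL
2022-04-11T10:00:05Z ip=203.0.113.7 user=frank result=FAIL
2022-04-11T10:00:09Z ip=198.51.100.4 user=alice result=FAIL
2022-04-11T10:00:15Z ip=198.51.100.4 user=alice result=SUCCESS
2022-04-11T10:01:00Z ip=192.0.2.9 user=grace result=SUCCESS
"""

# Assumed log format: "<timestamp> ip=<addr> user=<name> result=<SUCCESS|FAIL>"
LINE_RE = re.compile(r"^(?P<ts>\S+) ip=(?P<ip>\S+) user=(?P<user>\S+) result=(?P<result>\S+)$")

def parse_log(text):
    """Yield (ip, user, result) for each well-formed line; skip anything else."""
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            yield m.group("ip"), m.group("user"), m.group("result")

def find_stuffing_sources(text, min_users=5, min_fail_ratio=0.7):
    """Return {ip: stats} for sources that tried many distinct usernames and mostly
    failed. A real user retyping one password hits one username; a stuffing tool
    walks a stolen list, so distinct-user count plus failure ratio separates them."""
    attempts = defaultdict(lambda: {"users": set(), "fail": 0, "total": 0})
    for ip, user, result in parse_log(text):
        s = attempts[ip]
        s["users"].add(user)
        s["total"] += 1
        if result != "SUCCESS":
            s["fail"] += 1
    flagged = {}
    for ip, s in attempts.items():
        ratio = s["fail"] / s["total"]
        if len(s["users"]) >= min_users and ratio >= min_fail_ratio:
            flagged[ip] = {"distinct_users": len(s["users"]),
                           "fail_ratio": round(ratio, 2), "attempts": s["total"]}
    return flagged

def accounts_to_reset(text, **thresholds):
    """Usernames that logged in successfully from a flagged source: the reused
    passwords the attacker actually guessed right, which need a forced reset."""
    flagged = find_stuffing_sources(text, **thresholds)
    return {u for ip, u, r in parse_log(text) if ip in flagged and r == "SUCCESS"}

if __name__ == "__main__":
    print(find_stuffing_sources(SAMPLE_LOG))
    print("force reset:", accounts_to_reset(SAMPLE_LOG))
```

In practice the same counters are kept per time window and also per username across sources, since stuffing tools spread attempts over many proxies.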
Gone Phishing
A report by the cybersecurity company Akamai found that credential stuffing attacks jumped 49% in 2020.
There were 193 billion credential stuffing attacks reported globally, the report said, and out of these, 3.4 billion hit the financial services organizations.
"Throughout 2020, criminals leveraged COVID-19 and the promise of financial assistance, or the stress of financial hardship, to target people across the globe via phishing," the report said. "These attacks, in turn, fueled the credential stuffing boom, as newly collected credentials, newly sorted data breaches, and old collections were combined, tested, traded, and sold."
General Motors (GM) was recently hit with this type of attack. The company filed a breach disclosure with the California Attorney General’s Office on May 16 stating that malicious login activity was detected on an unspecified number of GM online user accounts between April 11 and 29.
GM did not specify how many people were affected by the breach, but a filing with the attorney general's office indicates the notice was sent to about 5,000 California residents.
California law requires businesses to file a security breach notification with the attorney general in cases where the number of state residents affected by the incident is greater than 500 people.
The company said in the disclosure that hackers could potentially have gained access to a wide range of personal data, such as first and last name, personal email address, personal address, username, and phone number for registered family members tied to customers' accounts.
'Some Fraudulent Activity'
The company said 140 GM customer rewards accounts were compromised. These accounts did not include date of birth, Social Security number, driver's license number, credit card information, or bank account information, the automaker said.
"We utilize security measures to safeguard against unauthorized access and we've detected some suspicious attempts to log into certain GM branded online accounts," GM said in a statement to TheStreet. "In addition, for a small number of accounts, we have identified some fraudulent activity involving the redemption of reward points related to the My GM Rewards accounts."
GM said it had notified affected customers and will require them to reset their passwords to keep their information safe.
The automaker also said it had reported the fraudulent activity to law enforcement.
GM said it had temporarily paused gift card redemption pending the outcome of its investigation. GM credit cards were not affected, as they are managed in a different system, the company said.
Derek Ruths, a computer science professor at McGill University, said that credential stuffing is a fairly common form of attack that occurs when people use the same password on multiple sites.
A 2019 Google Online Security Survey found 52% of respondents reused the same password for multiple accounts.
Playing The Numbers Game
"They're playing a numbers game and they're counting on a lot of people using the same password," Ruths said. "That's basically what happened here. They got logins from another breach and then they turned around and said 'I'm going to try this on the GM account.' You don't have to be a super hacker to do this."
He said it is an encouraging sign that GM was able to detect the breach and take steps to protect users because credential stuffing is often not detected.
Ruths advised consumers to use different passwords for their various accounts and called upon companies to use two-factor authentication, in which users provide two different authentication factors to verify themselves.
Matthew Green, associate professor at Johns Hopkins University's computer science department, said "the actual cost of remediating these things is so much bigger than the amount of money that people make."
"They make a couple of cents per stolen account and meanwhile it'll cost a couple of dollars per stolen account for the company to repair and fix the damage. It's like vandalism. It's not very profitable compared with the cost of fixing the damage."
In addition to being careful with passwords, Green suggested using a password manager that picks passwords randomly and makes a different password for each site.
"Hackers don't care if they get into your account," Green said. "They have thousands and thousands of user accounts and they're going to go through them and try each one. It's like rattling doorknobs on houses. You don't care if you get someone's specific house, they're just looking for one house that's unlocked."