The number of annual credential spills has nearly doubled in the last four years, according to the latest Credential Stuffing Report.

The report also estimated that the average spill size in 2020 was 17 million records. Those millions of credentials, including emails, phone numbers, and passwords that belong to real people who use them every day, get dumped somewhere online for public access.

“Usually, breached databases with users’ logins get sold on the dark web, where buyers later exploit their contents,” explains Daniel Markuson, a digital privacy expert at NordVPN. “Normally, cybercriminals don’t guess any passwords to attempt to log in to people’s online accounts. Instead, they launch what is called credential stuffing — large-scale automated login requests directed against a particular web application.

“Even though credential stuffing has a low success rate, it remains one of the most popular cyberattack methods because it takes little effort and is very cheap to execute.”
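The pattern Markuson describes, many automated login attempts against one application with a low hit rate, is visible in ordinary authentication logs. The following is an added example, not code from the original article or from NordVPN: it parses a constructed log in an invented `timestamp src_ip username result` format and flags source addresses that touch many distinct accounts with a low success rate. Thresholds (`min_users`, `max_success_rate`) are assumptions chosen for illustration.

```python
"""Flag credential-stuffing-like login activity in a constructed auth log.

Added example. The log format and the sample lines below are invented for
illustration; they are not real traffic or a real product's log format.
"""
from collections import defaultdict

# Constructed sample log lines (not real data). One source IP cycles through
# many different usernames and mostly fails; a normal user retries once from
# another IP and succeeds.
SAMPLE_LOG = """\
2021-03-01T10:00:00Z 203.0.113.5 alice FAIL
2021-03-01T10:00:01Z 203.0.113.5 bob FAIL
2021-03-01T10:00:01Z 203.0.113.5 carol FAIL
2021-03-01T10:00:02Z 203.0.113.5 dave OK
2021-03-01T10:00:02Z 203.0.113.5 erin FAIL
2021-03-01T10:00:03Z 203.0.113.5 frank FAIL
2021-03-01T10:00:03Z 203.0.113.5 grace FAIL
2021-03-01T10:00:04Z 203.0.113.5 heidi FAIL
2021-03-01T10:00:10Z 198.51.100.7 alice FAIL
2021-03-01T10:00:15Z 198.51.100.7 alice OK
"""


def parse_log(text):
    """Turn the constructed log text into a list of event dicts."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, ip, user, result = line.split()
        events.append({"ts": ts, "ip": ip, "user": user, "ok": result == "OK"})
    return events


def stuffing_suspects(events, min_users=5, max_success_rate=0.5):
    """Return per-IP stats for sources that try many accounts and mostly fail.

    A legitimate user retrying their own password hits one account; a
    credential list replayed against the site hits many accounts and, as
    the article notes, succeeds only rarely.
    """
    per_ip = defaultdict(lambda: {"users": set(), "attempts": 0, "ok": 0})
    for e in events:
        s = per_ip[e["ip"]]
        s["users"].add(e["user"])
        s["attempts"] += 1
        s["ok"] += int(e["ok"])

    suspects = {}
    for ip, s in per_ip.items():
        rate = s["ok"] / s["attempts"]
        if len(s["users"]) >= min_users and rate <= max_success_rate:
            suspects[ip] = {
                "distinct_users": len(s["users"]),
                "attempts": s["attempts"],
                "success_rate": rate,
            }
    return suspects


if __name__ == "__main__":
    for ip, stats in stuffing_suspects(parse_log(SAMPLE_LOG)).items():
        print(ip, stats)
```

Note that the one successful login from the flagged address is exactly the "low success rate" outcome the article refers to; a rule that only counts failures would miss the account that was actually taken over.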

How can one password cause havoc?

The majority of leaked credential incidents are caused by service providers storing passwords in plaintext, and users are not to be blamed here. When hackers gain unauthorized access to a company’s database containing customer details, those credentials sooner or later get leaked on the dark web for profit.
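To make concrete why plaintext storage turns a single database theft into reusable credentials, here is an added example (not from the article or from any product it mentions) contrasting a plaintext table with one that stores per-user salted hashes. It uses `hashlib.pbkdf2_hmac` from the Python standard library because it needs no extra packages; the iteration count and the sample users and passwords are constructed for illustration.

```python
"""Plaintext vs. salted-hash password storage (added example).

Uses hashlib.pbkdf2_hmac from the standard library. The cost factor,
users and passwords below are assumptions made for this illustration.
"""
import hashlib
import hmac
import os

ITERATIONS = 100_000  # assumed cost factor; tune to your hardware budget

# A plaintext table: if this leaks, every entry is immediately usable
# against any other site where the same password was reused.
PLAINTEXT_STORE = {
    "alice@example.com": "Summer2020!",   # constructed sample
    "bob@example.com": "Summer2020!",     # same password reused
}


def register(store, email, password):
    """Store a random per-user salt and the derived hash, never the password."""
    salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    store[email] = {"salt": salt, "hash": digest}


def verify(store, email, password):
    """Recompute the hash with the stored salt and compare in constant time."""
    rec = store.get(email)
    if rec is None:
        return False
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), rec["salt"], ITERATIONS)
    return hmac.compare_digest(candidate, rec["hash"])


def build_hashed_store():
    """Same two users as PLAINTEXT_STORE, but stored the right way."""
    store = {}
    for email, password in PLAINTEXT_STORE.items():
        register(store, email, password)
    return store


def passwords_exposed_by_leak(store):
    """What a thief can read directly from a dumped table.

    For the plaintext table this is every password; for the hashed table it
    is nothing, only salts and hashes that must be guessed one user at a time.
    """
    return {e: v for e, v in store.items() if isinstance(v, str)}


if __name__ == "__main__":
    hashed = build_hashed_store()
    print("plaintext leak exposes:", passwords_exposed_by_leak(PLAINTEXT_STORE))
    print("hashed leak exposes:", passwords_exposed_by_leak(hashed))
    print("alice correct:", verify(hashed, "alice@example.com", "Summer2020!"))
    print("alice wrong:", verify(hashed, "alice@example.com", "summer2020!"))
```

Because each user gets a fresh random salt, Alice and Bob end up with different hashes even though they chose the same password, so a leaked hashed table does not reveal which users share credentials and cannot be attacked with a single precomputed lookup.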

Now, imagine you use the same password for Facebook, Netflix, Uber, and your bank account, and it lands in one of those password dumps together with your username for those services. All of your online accounts become vulnerable, and it is only a matter of time before a cybercriminal gets lucky and matches your password to the service it is used for.

“Once the attacker breaks into your account, they can do all kinds of activities pretending to be you. And locking you out of your Twitter or using up your food delivery credits isn’t really what you should worry about,” warns Markuson. “The worst case scenario begins when the bad actor starts fiddling with the victim’s sensitive data, especially credit card details that can be used in identity theft or credit card fraud.”

Where to check if your password has been leaked?

Some security software, such as a VPN or a password manager, may include monitoring tools that continuously scan the dark web and notify users when their credentials appear in a recorded incident.

Additionally, there are free online tools where you can check if your email address or phone number has ever been compromised in a data breach.