Have you been in a situation where you didn’t have access to your password for a website or app and couldn’t remember it?  One of the most annoying things about this situation is when you guess incorrectly a few times and the account gets locked.  Depending on which website you’re trying to use, unlocking the account could require a phone call – taking fifteen minutes of your day that you didn’t have to spare.

As annoying as that is, it’s worth it.  It prevents someone from trying every possible password they can think of to break into your account.  Unfortunately, what it doesn’t do is prevent them from guessing a single password for 100 different users – especially if they access the website from multiple computers.  With access to enough computers, a person could theoretically try passwords for thousands of accounts without ever being locked out of the system.


Unfortunately, cybercriminals are using this technique every single day.  Users with antique passwords have their credentials floating around the Dark Web because that information was contained in one of hundreds of major company network hacks.  For a few hundred dollars, lists of these hacked usernames and passwords can be purchased.

Anyone with a good web script can try those usernames and passwords at hundreds of different websites.  Once they find a working set of credentials on one site, they can try that same combination all over the web.  This process is called credential stuffing – and if a person reuses their passwords, it will gain a cybercriminal access to every online account that person has.
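The gap described above (one password per account never trips a per-account lockout, even though one source is walking through many accounts) shows up clearly in authentication logs if you look at the right axis. The script below is an added example written for this post, not code from the original author; it assumes a constructed log format of `<ISO timestamp> <FAIL|SUCCESS> <username> <source IP>` and uses made-up addresses and accounts. It compares what a classic per-account lockout would catch against a detector that counts distinct accounts per source address, and it surfaces the "hit" case where a sprayed address later logs in successfully.

```python
"""Detect credential-stuffing login patterns that per-account lockout misses.

Added example (not from the original post). Assumes a constructed log format:
<ISO timestamp> <FAIL|SUCCESS> <username> <source IP>, one attempt per line.
"""
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta

# Constructed sample authentication log: three source addresses each try one
# password against several accounts and one of them eventually succeeds; a
# real user mistypes twice and then logs in. No account sees five failures,
# so a per-account lockout never fires.
SAMPLE_LOG = """\
2024-05-01T09:00:01 FAIL alice@example.com 203.0.113.10
2024-05-01T09:00:07 FAIL bob@example.com 203.0.113.10
2024-05-01T09:00:13 FAIL carol@example.com 203.0.113.10
2024-05-01T09:00:19 FAIL dave@example.com 203.0.113.10
2024-05-01T09:00:03 FAIL erin@example.com 203.0.113.11
2024-05-01T09:00:09 FAIL frank@example.com 203.0.113.11
2024-05-01T09:00:15 FAIL grace@example.com 203.0.113.11
2024-05-01T09:00:05 FAIL heidi@example.com 203.0.113.12
2024-05-01T09:00:11 FAIL ivan@example.com 203.0.113.12
2024-05-01T09:00:17 FAIL judy@example.com 203.0.113.12
2024-05-01T09:00:23 SUCCESS judy@example.com 203.0.113.12
2024-05-01T09:01:00 FAIL mallory@example.com 198.51.100.5
2024-05-01T09:01:20 FAIL mallory@example.com 198.51.100.5
2024-05-01T09:01:40 SUCCESS mallory@example.com 198.51.100.5
"""


@dataclass
class Attempt:
    ts: datetime
    ok: bool
    user: str
    ip: str


def parse_log(text: str) -> list:
    """Parse the constructed log format into Attempt records."""
    attempts = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, result, user, ip = line.split()
        attempts.append(Attempt(datetime.fromisoformat(ts), result == "SUCCESS", user, ip))
    return attempts


def per_account_lockouts(attempts, threshold=5):
    """Accounts a classic per-account lockout (N failures per user) would lock."""
    failures = defaultdict(int)
    for a in attempts:
        if not a.ok:
            failures[a.user] += 1
    return {user for user, n in failures.items() if n >= threshold}


def detect_stuffing(attempts, window=timedelta(minutes=10), min_accounts=3):
    """Flag source IPs whose failures touch >= min_accounts distinct accounts
    inside `window`, and report any successful login from that IP afterwards
    (a "hit": the attacker has found a reused credential)."""
    by_ip = defaultdict(list)
    for a in sorted(attempts, key=lambda a: a.ts):
        by_ip[a.ip].append(a)

    flagged = {}
    for ip, seq in by_ip.items():
        failures = [a for a in seq if not a.ok]
        for i, first in enumerate(failures):
            users = {first.user}
            for later in failures[i + 1:]:
                if later.ts - first.ts > window:
                    break
                users.add(later.user)
            if len(users) >= min_accounts:
                flagged[ip] = {
                    "accounts_tried": len({a.user for a in failures}),
                    "successes": [a.user for a in seq if a.ok and a.ts >= first.ts],
                }
                break
    return flagged


if __name__ == "__main__":
    attempts = parse_log(SAMPLE_LOG)
    print("per-account lockouts:", per_account_lockouts(attempts) or "none")
    for ip, info in detect_stuffing(attempts).items():
        print(f"{ip}: {info['accounts_tried']} accounts tried, successes={info['successes']}")
```

On the sample data the per-account lockout locks nobody, while the per-source check flags all three spraying addresses and marks 203.0.113.12 as having obtained a working login. In a real deployment the same counting is done per source network or per device fingerprint as well as per address, since the post's point is that the attempts are spread across many computers.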

Their Password, Your Business

This becomes a problem for business owners if those reused usernames and passwords are active on business accounts.  For instance, if a member of your finance team had their credentials stolen in the 2012 LinkedIn hack, and they still use that same email and password, you’re in danger.  A successful credential stuffer could confirm those credentials are still being used, and then use them to access HR or financial information at a cloud provider like Intuit.  Once inside of your account, they could steal or delete sensitive employee information.

How do you avoid this?

One of the most effective ways is to turn on and require multi-factor authentication anywhere you can.  If multi-factor authentication had been on when the password thief tried to access your Intuit account, they would have been asked to enter a six-digit code that was just sent to that user’s smartphone, or to confirm on that smartphone that they were trying to access the site.  That would block them immediately – and they’d move on to other targets besides your business.

This is why it’s so important to make sure multi-factor authentication is enabled and required for your employees on any system where sensitive data is stored.  Without it, you’re one reused password away from a data breach.

To learn how modern cybersecurity strategies can help protect your company from data theft or encryption, call us at 919-460-7011 or Contact Us.