#WeekendWisdom 056 Credential Stuffing
Welcome to #WeekendWisdom number 56. This week we’re going to talk about credential stuffing.
Where is this coming from?
I have introduced the www.HaveIBeenPwned.com service to a number of people recently. They have gone on to the website and typed in their email addresses, and in some cases they have found that they have been included in data breaches. When they've gone to look and see what was breached, in a number of cases at least their email address and password for that service were included in the data breach.
Also check out previous #WeekendWisdom 014, #WeekendWisdom 015 and #WeekendWisdom 016.
Data breaches are bad. What should they do?
So they asked me, “What should I do?” The first thing, of course, is always that they must change their password on the service or site or whatever it was that was breached. Then I ask, “Do you use that password anywhere else?” And they say, “Yeah. I use it on multiple sites” or “It’s my favourite password. I use it everywhere.”
So I said, “Well, you’re going to have to change that password on all of these other platforms.”
They say, “That’s going to be an awful lot of effort. Why should I worry?”
Why did you call this post Credential Stuffing?
You worry because of a thing called Credential Stuffing. What happens is that the bad guys take these data breaches, say from LinkedIn back in 2012. They take the email addresses and the passwords that they have cracked, and they try to sign into Facebook, into Twitter, into Microsoft 365, into Google G Suite, into Gmail and many, many other services. The criminals will try all of these things automatically.
They are stuffing credentials into services to try to break in. That is what credential stuffing is all about. That is why you should not use the same password across multiple platforms and services.
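Seen from the side of a service being targeted, the automated sign-in attempts described above leave a recognisable pattern in login logs: one source trying many different accounts once or twice each, almost all failing. The following is an added example, not part of the original post; the event format, IP addresses, accounts and thresholds are all constructed assumptions.

```python
from collections import defaultdict

# Constructed sample login events: (source_ip, account, success).
EVENTS = (
    # One source walking a breached list: 40 accounts, one try each, one hit.
    [("203.0.113.7", f"user{i}@example.com", i == 17) for i in range(40)]
    # One source guessing many passwords for a single account.
    + [("198.51.100.4", "alice@example.com", False)] * 30
    # An ordinary user who mistyped once.
    + [("192.0.2.10", "bob@example.com", False), ("192.0.2.10", "bob@example.com", True)]
)


def classify_sources(events, min_accounts=20, max_tries_per_account=3,
                     min_fail_ratio=0.9, brute_force_tries=10):
    """Label each source IP as credential_stuffing, brute_force or normal.

    Thresholds are illustrative assumptions; tune them to real traffic.
    """
    per_ip = defaultdict(lambda: defaultdict(lambda: [0, 0]))  # [failures, successes]
    for ip, account, success in events:
        per_ip[ip][account][1 if success else 0] += 1

    report = {}
    for ip, accounts in per_ip.items():
        total = sum(f + s for f, s in accounts.values())
        failures = sum(f for f, _ in accounts.values())
        busiest = max(f + s for f, s in accounts.values())
        if (len(accounts) >= min_accounts and busiest <= max_tries_per_account
                and failures / total >= min_fail_ratio):
            verdict = "credential_stuffing"
        elif busiest >= brute_force_tries:
            verdict = "brute_force"
        else:
            verdict = "normal"
        # Accounts that logged in from a stuffing source reused a breached
        # password and need a forced reset.
        reset = sorted(a for a, (_, s) in accounts.items() if s) \
            if verdict == "credential_stuffing" else []
        report[ip] = {"verdict": verdict, "accounts": len(accounts), "force_reset": reset}
    return report


if __name__ == "__main__":
    for ip, row in classify_sources(EVENTS).items():
        print(ip, row)
```

The single successful login from the stuffing source is the account whose owner reused a breached password, which is exactly the case the advice above is meant to prevent.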
So that’s it for this week. Let’s be careful out there and we’ll talk to you again next week.