Please fill in the form below to subscribe to our blog

Dark Web Data Fuels Credential Stuffing Trouble for 1.1 Million Accounts

January 21, 2022

NY AG Sounds the Alarm About a Massive Credential Stuffing Operation

Credential stuffing is making headlines after New York Attorney General Letitia James announced the results of a sweeping investigation into cybercrime. That investigation by the Office of the Attorney General (OAG) of New York unearthed more than 1.1 million online accounts that had been compromised in cyberattacks at 17 well-known companies This is a good example of the danger that businesses are in from password problems and the ease with which cybercriminals can use that against them with data from the dark web.    

The Guide to Reducing Insider Risk can help IT pros stop security incidents before they start! GET IT>>

What is Credential Stuffing and Why is it a Big Deal? 

The Open Web Application Security Project (OWASP) defines credential stuffing as “the automated injection of stolen username and password pairs (“credentials”) into website login forms, in order to fraudulently gain access to user accounts” further defining it as a subset of the brute force attack category. In other words, cybercriminals throw spaghetti at the wall until they find something that sticks, which means gathering stolen usernames and passwords from dark web sources and trying them rapid-fire at a login portal until they hit the jackpot.  

Credential stuffing is dangerous because it is relatively easy to pull off. It’s not a highly skilled operation nor is it expensive to get set up in an operation. Tools can be bought or obtained for free easily. In this scenario, instead of cybercriminals taking the time to obtain password aggregations and try to find the golden ticket to a website they’d like to get into, they just have to use an automated tool to flood its login portal with known compromised credentials until something clicks and those aren’t hard to find. Historically, credential stuffing has a low success rate, with estimates of success ranging between one to three percent, but that isn’t much of a deterrent.

malicious insider threats represented by a crime comic style blue eye looking through a peephole.

Are your systems and data really safe? Our Cybersecurity Risk Protection Checklist will help you find & fix vulnerabilities. GET IT>>

The Dark Web is Full of Compromised Passwords 

The New York Attorney General’s statement notes that there are 15 billion stolen credentials in circulation on the internet today or about 100 passwords per average adult floating around on the dark web. That pool is constantly growing, gaining information that cybercriminals can use. When giant dumps of fresh passwords from events like the RockYou 2021 leak hit a dark web dump or the user records of 700M LinkedIn users pop up in a dark web forum, cybercriminals receive ammunition that can be used in future credential stuffing attacks. Plus, credentials are the most desirable data for bad actors to snatch in a data breach.  

Most Prevalent Types of Data Stolen in Breaches    

  • Credentials: 60%   
  • Personally Identifying Data (PII): 40%   
  • Medical Data: 10%   
  • Bank Data: 10%   
  • Internal Data: 10%   
  • Payment Data: 10%  

Source: Verizon Data Breach Investigations Report 2021 

faint images of US dollars in a pile shaded in rainbow prismatics

Find out exactly how security awareness training makes your company safer & saves money! WATCH NOW>>

Password Reuse Creates Danger 

That abundance of stolen credentials works so well to power credential stuffing attacks because people seemingly hate to make new passwords, and that’s extremely dangerous for businesses. By and large, users know that they should use a unique password for every account, it’s just too much work. Although 91% of participants in a password behaviors survey said that they understood the danger of password reuse, 59% admitted to doing it anyway, putting their employers at risk.  

How does that put the company a password recycler works for at risk of a cyberattack? Because chances are they’re not being too careful about how and where they’re reusing their go-to password, nor is it something that only happens once in a while. The average user reuses a password about 14 times, and 39% of people admit that they use their favorite passwords interchangeably across passwords across both their work and home applications. Some folks just use the same password for everything at work and at home without changing it at all. A terrifying 13% of people use the exact same password for all of their logins and password-protected devices. 

The fact that reused passwords are dangerously insecure is not new information. An estimated 60% of passwords that appear in more than one breach are recycled or reused. IT professionals have struggled for as long as there have been passwords to get users to make secure passwords that they don’t mishandle or reuse. However, that has not been successful, leaving many companies vulnerable to a credential stuffing attack. Cybercriminals are more than happy to take advantage of that circumstance. An estimated 80% of hacking-related breaches involve brute force techniques or the use of lost or stolen credentials.  

Based on our analysis of the top 250 passwords that we found through the application of Dark Web ID’s dark web search function to uncover exposed credentials, these categories of information were used to generate the weakest passwords: Names, Sports, Food, Places, Animals and Famous People/Characters. In fact, an overwhelming majority of passwords fit into one of 20 common categories. Here’s a breakdown of people’s dreadful passwords. 

The Most Common Passwords Spotted by Dark Web ID by Category 

Names: maggie 

Sports: baseball 

Food: cookie 

Places: Newyork 

Animals: lemonfish 

Famous People/Characters: Tigger 

Are you ready to slay the Monsters of Cybersecurity? This checklist tells you what you’ll need to succeed! GET CHECKLIST>>

Top 20 Most Common Passwords That Dark Web ID Found on the Dark Web  

  • 123456 
  • password 
  • 12345678 
  • 12341234 
  • 1asdasdasdasd 
  • Qwerty123 
  • Password1 
  • 123456789 
  • Qwerty1 
  • :12345678secret 
  • Abc123 
  • 111111 
  • stratfor 
  • lemonfish 
  • sunshine 
  • 123123123 
  • 1234567890 
  • Password123 
  • 123123 
  • 1234567 

Can you spot a phishing email? This infographic shows you how to detect one! DOWNLOAD IT>>

Recommendations to Prevent Credential Stuffing Damage 

The New York Attorney General’s Office also released a Business Guide to Credential Stuffing Attacks featuring tips and warnings about protecting businesses from credential stuffing attacks. The guide recommends implementing safeguards in each of four areas: 

  1. Defending against credential stuffing attacks 
  2. Detecting a credential stuffing breach 
  3. Preventing fraud and misuse of customer information 
  4. Responding to a credential stuffing incident 

It goes on to say that three safeguards were found to be highly effective at defending against credential stuffing attacks when properly implemented: bot detection services, multifactor authentication and password-less authentication. The statement also suggests that every business should have a specific incident response plan to combat credential stuffing attacks and an effective way of detecting attacks that have bypassed other defenses and compromised customer accounts. 

ransomware defense can be complicated by cryptocurrency risk

See how ransomware really works, who gets paid & what’s next in our tell-all Ransomware Exposed! DOWNLOAD IT>>

Don’t Let Compromised Credentials Break Down Your Door 

Does your organization have compromised credentials floating around out there? Even one compromised credential could be the cause of a data breach or other damaging cyberattack. Don’t wait until it’s too late to find out that an employee credential has been compromised.  

Protect your company from nasty password-related surprises like a credential stuffing attack by continuously monitoring for credential compromise with Dark Web ID. 24/7/365 always-on monitoring watches for signs of trouble and alerts you immediately if a protected credential is discovered in any shadowy corner of the dark web. LEARN MORE>> 

let us help secure you against passwords reuse with contact information and the ID Agent logo on grey.

Our Partners typically realize ROI in 30 days or less. Contact us today to learn why 3,850 MSPs in 30+ countries choose to Partner with ID Agent!


Check out an on-demand video demo of BullPhish ID or Dark Web ID WATCH NOW>>

See Graphus in action in an on-demand video demo WATCH NOW>>

Book your demo of Dark Web ID, BullPhish ID, RocketCyber or Graphus now!