Last week, during a casual conversation with a colleague, the issue of online security threats popped up. He pointed out that recent incidents of hacking of user accounts on Zoom or hacking of promo.com were not stray incidents. He showed me a report that highlighted how the media industry is most prone to credential stuffing worldwide and, specific to India, the statistics were startling.
The Akamai 2020 State of the Internet / Credential Stuffing in the Media Industry report states that, between January 1, 2018, and December 31, 2019, it recorded more than 88 billion credential stuffing attacks across all industries. The media sector, which includes streaming media, television networks, cable networks, broadcasting, and even digital publishing and advertising, accounts for 17 billion, or about 20% of all attacks.
The report points out that India was the most targeted country in 2019, enduring 2.4 billion credential stuffing attacks. It was followed by the United States at 1.4 billion and the United Kingdom at 124 million. Within the media sector, publishing, streaming, and video media were the top three targets. Video sites are not the sole focus of credential stuffing attacks within the media industry. Published content (newspapers, magazines and books) saw a staggering 7,000% increase in attacks.
Attackers use credential stuffing to take over user accounts. The attack automatically injects large numbers of spilled credentials, that is, breached username and password pairs, until they are potentially matched to a user account to fraudulently gain access. The attacker acquires the spilled usernames and passwords from a website breach or a password dump site.
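Seen from the login service's side, the pattern described above shows up as one source trying many different usernames with very few successes. The following is an added example, not taken from the Akamai report or from any site mentioned here: a small Python detector run over constructed login events. The event format, the IP addresses and the thresholds are all assumptions chosen for illustration.

```python
from collections import defaultdict

def build_sample_events():
    """Constructed login events: (timestamp_s, source_ip, username, success)."""
    events = []
    # Constructed stuffing source: one try per username, a single match
    for i in range(40):
        events.append((1000 + i, "203.0.113.7", f"user{i}@example.com", i == 17))
    # Constructed ordinary user: mistypes own password twice, then succeeds
    events += [(1005, "198.51.100.4", "alice@example.com", False),
               (1010, "198.51.100.4", "alice@example.com", False),
               (1020, "198.51.100.4", "alice@example.com", True)]
    # Constructed shared office address: a few users, all successful
    for i, name in enumerate(["bob", "carol", "dave"]):
        events.append((1030 + i, "192.0.2.10", f"{name}@example.com", True))
    return events

def detect_stuffing(events, window_s=300, min_users=20, max_success_ratio=0.1):
    """Flag sources that try many distinct usernames in a sliding time
    window while only a small share of the attempts succeed."""
    by_ip = defaultdict(list)
    for ts, ip, user, ok in sorted(events):
        by_ip[ip].append((ts, user, ok))
    findings = {}
    for ip, rows in by_ip.items():
        start = 0
        for end in range(len(rows)):
            # Shrink the window until it spans at most window_s seconds
            while rows[end][0] - rows[start][0] > window_s:
                start += 1
            window = rows[start:end + 1]
            users = {u for _, u, _ in window}
            matched = [u for _, u, ok in window if ok]
            if len(users) >= min_users and len(matched) / len(window) <= max_success_ratio:
                f = findings.setdefault(ip, {"distinct_users": 0, "matched_accounts": set()})
                f["distinct_users"] = max(f["distinct_users"], len(users))
                # Accounts where a spilled pair matched: candidates for forced reset
                f["matched_accounts"].update(matched)
    return findings

if __name__ == "__main__":
    for ip, info in detect_stuffing(build_sample_events()).items():
        print(ip, info["distinct_users"], sorted(info["matched_accounts"]))
```

Per-source counting misses attacks spread thinly across many addresses, so a check like this is one signal among several rather than a complete defence.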
The Akamai report highlights a trend in which criminals are combining credentials from a media account with access to stolen rewards points from local restaurants and marketing the nefarious offering as ‘date night’ packages. Once they have the geographic location information in the compromised accounts, they can match them up to be sold as dinner and a movie.
Sharing is not caring
Most of our work revolves around media. It is not rare among PR and Communications professionals to toss around the credentials of premium content sites or those behind a paywall. We must pay attention to this. The other critical factor: do not adopt a one-password-fits-all policy. Rotating a few password combinations is easy to remember and hassle-free for the user. But it also increases the risk of exposure to attacks and hacking. Password sharing and recycling are the biggest contributors to credential stuffing attacks. Assuming it to be a low-risk activity, we don’t pay attention to what credentials we use on media websites. Attackers use this data on services that hold our sensitive data. We also believe it is fine to use a common username across websites. Credential stuffing attacks rely equally on the re-use of usernames.
Check how safe the media website is. A few pointers to look for: multi-factor authentication (MFA) or two-step authentication that uses security questions, a PIN or secondary passwords, and CAPTCHA. Check if the username asks for an email address. Most of us use only a handful of email addresses for all our account sign-ins. This makes credential stuffing attacks easier and more effective.
It is well known that criminals are using all the tools at their disposal to make a quick buck. In stressful times like the present, such attempts are likely to increase. It is even more pressing now to focus on digital hygiene and not just physical hygiene. If you are recycling or sharing passwords and usernames, it is time to take stock and change them.
One of my media friends rotates her account passwords with her favourite foods. And she doesn’t share her food or her passwords.