Over three billion credentials were reported stolen last year. This means that cybercriminals possess usernames and passwords for more than three billion online accounts. And that’s not just social media accounts; it’s bank accounts, retailer gift card accounts with cash and credit cards attached, airline loyalty accounts with years of accumulated frequent flyer points, and other accounts with real value.
This statistic is alarming, but in fact it significantly understates the scope of the threat. Because of a form of attack called credential stuffing, tens of billions of other accounts are also at risk. Here’s how that attack works. Because most people have many online accounts (a recent estimate put it at 191 per person on average) they regularly reuse passwords across those accounts. Cybercriminals take advantage of this. In a credential stuffing attack, they take known valid email addresses and passwords from one website breach—for example, the Yahoo breach—and they use those same email addresses and passwords to log in to other websites, such as those of major banks.
Read more here.
This article was submitted by Jonathan T. Armiger, Armiger Law. If you would like to submit content or write an article for the E-Discovery, Information Governance & Cybersecurity Section, please email Kara Sikorski at firstname.lastname@example.org.