
Roku Security Breach Exposes Over 500,000 User Accounts to Cyber Threats

In a recent set of events, streaming company Roku has disclosed a significant security breach affecting over half a million user accounts. While investigating an earlier incident, Roku uncovered a second wave of compromised accounts, approximately 576,000 of them, bringing the total number of affected users to roughly 591,000.

Security Breach Details

Last month, Roku announced that around 15,000 customers might have had their sensitive information, including usernames, passwords, and payment card details, stolen by attackers. The stolen credentials were then used to gain unauthorised access to other streaming services and to purchase streaming hardware from Roku's website. The compromised Roku accounts were subsequently sold on the dark web for as little as $0.50 each.

Method of Attack

The attackers used a technique known as "credential stuffing" to get into the compromised accounts. The method relies on usernames and passwords stolen in other data breaches: the pairs are tried against many different services on the bet that people reuse them. It shows why password reuse across platforms is dangerous, however convenient a single go-to password may seem.

Proactive Measures by Roku

Roku took proactive steps in response to the incidents. While investigating the initial breach, the company discovered a second, similar incident affecting over 500,000 additional accounts. Roku stated that there is no evidence its own systems were compromised; the attackers most likely obtained the credentials from external sources such as earlier data breaches or leaks.

Protecting Your Roku Account

To safeguard users' accounts, Roku has implemented several measures. Firstly, the company has reset the passwords for all affected accounts and initiated direct notifications to affected customers. Additionally, Roku is refunding or reversing any unauthorised charges made by hackers. Furthermore, two-factor authentication (2FA) has been enabled for all Roku accounts, adding an extra layer of security.

User Precautions

Despite Roku's efforts, users are advised to take additional precautions. It's crucial to use strong, unique passwords for each online account, including Roku. Password managers can assist in generating and securely storing complex passwords. Additionally, users should remain watchful for any suspicious activity on their accounts and monitor their bank statements closely.

As Roku continues its investigations, users are urged to stay cautious online. There's a possibility of hackers attempting targeted phishing attacks using stolen information. Therefore, users should exercise caution when interacting with emails purportedly from Roku and verify the authenticity of any communication from the company.

The recent breaches underscore the critical need for strong security practices by both companies and users. While Roku has taken considerable steps to address the issue, users must remain proactive in protecting their accounts from potential threats. Stay informed and take the necessary precautions to safeguard your online accounts.

What are 'Credential Stuffing' Attacks and 2-Step Verification?

In the light of the 23andMe security incident: the recent breach of 23andMe, which impacted around 14,000 customer accounts, again involved the technique known as "credential stuffing", in which unauthorized access is gained using passwords already known to the attacker, typically sourced from previous data breaches.

As per a new filing, the information, which typically encompassed details about ancestry and, in some cases, health-related data derived from users' genetics, was acquired through a credential-stuffing attack. In this type of cyber attack, hackers leveraged login details obtained from previously breached websites to gain unauthorized access to users' accounts on various platforms. 

The threat actor not only breached individual accounts but also accessed numerous files containing profile information about other users' ancestry. These files were originally shared by users who opted in to 23andMe's DNA Relatives feature, and the compromised information was subsequently posted online by the attackers. 

Let's Understand 'Credential Stuffing' 

Credential stuffing is a cyber attack method in which attackers use automated tools to systematically and rapidly input large volumes of username and password combinations (credentials) into online login forms. These credentials are typically obtained from previous data breaches or leaks on other websites or services. 

The attack relies on the fact that many people reuse the same username and password across multiple online platforms. When attackers acquire a list of compromised credentials, they use automated tools to "stuff" or try these credentials on various websites, hoping to gain unauthorized access to user accounts. The success of credential stuffing attacks depends on the prevalence of password reuse among users. 
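As an added illustration, not part of the original post, the following Python script shows the defender's side of the mechanics just described. It parses a handful of constructed login-audit lines in a hypothetical key=value format and flags the pattern that distinguishes a bot walking a combo list from a user mistyping a password: many distinct usernames from one source, a high failure ratio, at machine speed. A second function gives a signal that survives an attacker spreading the list over many IP addresses. The log format, thresholds and sample addresses are assumptions made for this example.

```python
"""Spot credential-stuffing patterns in login audit logs (added example)."""
import re
from collections import defaultdict
from datetime import datetime, timezone

# Constructed sample in a hypothetical "key=value" audit format; not real traffic.
SAMPLE_LOG = """\
2024-04-10T12:00:01Z ip=198.51.100.7 user=alice@example.com result=fail
2024-04-10T12:00:01Z ip=198.51.100.7 user=bob@example.com result=fail
2024-04-10T12:00:02Z ip=198.51.100.7 user=carol@example.com result=success
2024-04-10T12:00:02Z ip=198.51.100.7 user=dave@example.com result=fail
2024-04-10T12:00:03Z ip=198.51.100.7 user=erin@example.com result=fail
2024-04-10T12:00:03Z ip=198.51.100.7 user=frank@example.com result=fail
2024-04-10T12:00:10Z ip=203.0.113.9 user=gina@example.com result=fail
2024-04-10T12:00:15Z ip=203.0.113.9 user=gina@example.com result=success
2024-04-10T12:00:20Z ip=192.0.2.44 user=hank@example.com result=success
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) ip=(?P<ip>\S+) user=(?P<user>\S+) result=(?P<result>success|fail)$"
)


def parse_log(text):
    """Return one dict per well-formed line; malformed lines are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        e = m.groupdict()
        e["ts"] = datetime.strptime(e["ts"], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
        events.append(e)
    return events


def flag_stuffing_sources(events, min_attempts=5, min_distinct_users=5, min_fail_ratio=0.5):
    """Flag source IPs that try many *different* usernames and mostly fail.

    A legitimate user mistyping a password hits one username from one IP; a
    stuffing bot walks a combo list, so distinct usernames per IP is the
    stronger signal. It is combined with the failure ratio and the request rate.
    """
    per_ip = defaultdict(lambda: {"attempts": 0, "fails": 0, "users": set(), "ts": []})
    for e in events:
        s = per_ip[e["ip"]]
        s["attempts"] += 1
        s["fails"] += e["result"] == "fail"
        s["users"].add(e["user"])
        s["ts"].append(e["ts"])

    flagged = {}
    for ip, s in per_ip.items():
        if s["attempts"] < min_attempts:
            continue
        fail_ratio = s["fails"] / s["attempts"]
        if len(s["users"]) >= min_distinct_users and fail_ratio >= min_fail_ratio:
            span = max((max(s["ts"]) - min(s["ts"])).total_seconds(), 1.0)
            flagged[ip] = {
                "attempts": s["attempts"],
                "distinct_users": len(s["users"]),
                "fail_ratio": round(fail_ratio, 2),
                "per_minute": round(s["attempts"] / span * 60, 1),
            }
    return flagged


def one_shot_failure_rate(events):
    """Share of usernames seen exactly once, as a failure, across *all* IPs.

    Attackers spreading a combo list over residential proxies defeat per-IP
    thresholds, but each stuffed username still tends to appear once and fail,
    so a jump in this ratio against a baseline is the distributed-attack signal.
    """
    by_user = defaultdict(list)
    for e in events:
        by_user[e["user"]].append(e["result"])
    if not by_user:
        return 0.0
    return sum(1 for results in by_user.values() if results == ["fail"]) / len(by_user)


if __name__ == "__main__":
    evts = parse_log(SAMPLE_LOG)
    print(flag_stuffing_sources(evts))
    print(f"one-shot failure rate: {one_shot_failure_rate(evts):.3f}")
```

In the sample, 198.51.100.7 is flagged (six usernames, five failures, 180 attempts per minute) while 203.0.113.9, a user who got the password wrong once, is not. Per-IP thresholds alone are weak against residential proxies, which is why the aggregate one-shot ratio is worth tracking alongside them.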

To protect against such attacks, individuals must use unique passwords for different online accounts, and organizations should implement security measures such as multi-factor authentication (MFA) to add an extra layer of protection. 

23andMe Holding Co., headquartered in South San Francisco, California, is a prominent player in the field of personal genomics and biotechnology. Renowned for its direct-to-consumer genetic testing service, the company invites customers to submit a saliva sample for laboratory analysis. Through single nucleotide polymorphism genotyping, the genetic data is deciphered to produce comprehensive reports on the customer's ancestry and predispositions to health-related conditions. 

This innovative approach has positioned 23andMe as a key player in the dynamic landscape of genetic testing, offering individuals valuable insights into their genetic makeup. The company also said that once the hackers were inside those accounts, they could see many files containing information about other users' family backgrounds; these were users who had chosen to share details through 23andMe's DNA Relatives feature. However, the company did not say how many such files were accessed or how many "other users" were impacted. 

Following the breach, 23andMe took swift action by advising users to reset their passwords. Additionally, the company strongly recommended the adoption of multi-factor authentication as a vital measure to boost security. By November 6, 23andMe escalated its security measures, making it mandatory for all users to enable two-step verification, providing an extra layer of defense for user accounts. 

What is 2-Step Verification and How Does it Prevent Credential Stuffing Attacks? 

Two-step verification (2SV) is an authentication method that adds an extra layer of security to the login process. Users must provide a second form of verification, such as a temporary code sent to their phone, in addition to the usual password. 

This additional step significantly reduces the risk from credential-stuffing attacks. Even if attackers acquire login credentials from one source, they still need the second factor to access the account. 2SV is therefore a crucial deterrent, making automated credential stuffing far less effective. One caveat: a login flow that prompts for the code only after a correct password still tells the bot which credential pairs are valid, so those passwords should be treated as exposed and reset.

Consumers of Chick-fil-A had Grievances Following Account Takeovers

Chick-fil-A, the American fast-food chain, has notified its customers of an automated credential stuffing attack that affected more than 71,000 of them over a period of months. 

Attacks that use automation, often through bots, to test a large number of username-password combinations against targeted online accounts are known as credential stuffing. The practice of users reusing the same password across numerous online services is what makes this attack vector work; the login information used in credential stuffing attacks is frequently obtained from other data breaches and is offered for sale on a variety of Dark Web sources.

"Following a careful investigation, we determined that unauthorised parties launched an automated attack against our website and mobile application between December 18, 2022 and February 12, 2023 using account credentials (e.g., email addresses and passwords) obtained from a third-party source," the company said in a letter to those impacted. 

Customers' names, email addresses, membership numbers, mobile pay numbers, and masked credit or debit card numbers (meaning that unauthorised parties could only see the last four digits of the payment card number) were among the personal information that was compromised. For some customers, phone numbers, addresses, and the day and month of birth were also exposed.

In response to the attacks, Chick-fil-A said it has deleted stored credit and debit card payment methods, temporarily blocked cash that had been put onto customers' Chick-fil-A One accounts, and restored any balances that had been adversely affected. 

The restaurant chain also advised customers to change their passwords and to use a strong password unique to the site. Some commentators pointed out that, while password reuse and weak, obvious passwords are the users' fault, Chick-fil-A still bears some responsibility. 

"This is the new frontier of information security: Attackers have gained access to these users' accounts not through any failure on the part of the website owner, but rather due to the natural human tendency to reuse username/passwords across multiple sites," says Uriel Maimon, vice president of emerging products at PerimeterX. "Nonetheless, organisations are required by law and morality to protect the private and financial information of their users." 

"This underscores the change in paradigm wherein website owners need to not just protect their sites from standard cyberattacks but also safeguard the information they hold on behalf of users. They can achieve this by tracking behavioristic and forensics signals of users logging in in order to differentiate between real users and attackers," Maimon added. 

Rise in credential stuffing attacks

Credential stuffing has increased recently on the back of the massive supply of credentials for sale on the Dark Web. According to an analysis this week, the sale of stolen credentials dominates underground markets, with more than 775 million credentials available right now. 

In January, a credential-stuffing attack exposed the personal information of nearly 35,000 PayPal account holders. In the same month, Norton LifeLock warned users that it had been hit by a credential-stuffing attack of its own. 

The incident has also sparked a wider discussion. Because nearly two-thirds of people reuse passwords across websites, some security experts have suggested doing away with passwords entirely, replacing them with security keys, biometrics, and FIDO (Fast Identity Online) technology.

FBI Alerts About Credential Stuffing Attacks, Configurations and Proxies Used

What is Credential Stuffing?

Credential stuffing attacks, also known as account cracking, consist of attempting to log in to online accounts using username and password combinations taken from existing data leaks or bought on dark web forums. 

Because users keep reusing the same login across different accounts, credential stuffing attacks frequently cause significant financial damage through fraudulent purchases, system remediation and downtime, as well as reputational damage. 

How is the attack done?

Valid credentials let attackers access accounts and services across many sectors, including healthcare, media companies, restaurant groups, retail chains, and food delivery firms. 

Once accounts are breached, the attackers make fraudulent purchases of goods and services and try to reach additional online resources, including other financial accounts. The FBI warns that proxies and configurations let cybercriminals automate the exploitation and brute forcing of accounts. 

FBI involved 

The FBI said that media companies and restaurant groups in particular are considered lucrative targets for credential stuffing attacks because of their large numbers of customer accounts, the general demand for their services, and the relatively little importance users place on these types of accounts. 

The FBI has also warned that attackers can buy combo lists of login credentials from dedicated platforms and websites, along with configs (configurations) that let them adapt credential stuffing tools to a chosen target. 

A configuration specifies the HTTPS request format, the target website's address, how to recognise a successful login attempt, whether proxies are needed, and so on. The FBI also noted that video tutorials are available to teach cybercriminals how to use credential stuffing to hijack accounts. 

Security Week says "to bypass defenses, threat actors may employ proxies, including legitimate proxy services, to obfuscate their actual IP addresses. According to the FBI, cybercriminals have extensively used residential proxies to execute credential stuffing attacks, as these are blocked less frequently compared to proxies associated with data centers."

E-Bike Phishing Sites Abuse Google Ads to Push Scams

A large-scale phishing campaign is making headlines: over 200 scam sites are deceiving users into handing over sensitive data to fake investment schemes that impersonate genuine brands. Two security analysts, Ankit Dobhal and Aryan Singh, state in their research that the campaign has caused financial losses of up to $1,000,000, drawn from tens of thousands of victims. 

The fraudulent operation was discovered by the Singaporean security firm CloudSEK, which shared its report with media outlets, stating that the campaign targeted Indian audiences through Google Ads and SEO, drawing them to hundreds of fake websites. 

The Indian government has recently launched favourable policies to drive the growth of the country's electric vehicle sector. According to Indian market analyses, these policies will deliver 90% compound annual growth (CAGR) for the Indian EV sector before the end of this decade, making it a $200 billion market. The country is already experiencing a boom: over 400 EV start-ups have been founded, and existing automotive companies are expanding their EV operations. 

Capitalising on the boom in this industry, threat actors have set up an explosion of websites that exploit victims with fake information. They ensure a steady flow of potential victims by abusing Google Ads, stuffing their phony sites with keywords, and impersonating popular companies such as Revolt and Ather. 

It has been noticed in many cases that the threat actors simply copy the content, layout, style, and all images of the genuine sites and create clones. Furthermore, in other cases, the scammers make entirely fictional marketplaces using generic words like "ebike". 

When users arrive on the websites, the scammers instruct them to register by entering their full name, address, email address and contact number. After registration, the scammers ask them to pay a fee to become an EV dealer or to purchase a product on the site.

Verizon’s Visible Network Acknowledges Credential Stuffing Attack

Visible, an all-digital wireless carrier, has finally acknowledged that attackers gained access to customer accounts last week. However, the firm denied rumors of any intrusion into its backend infrastructure.

The US-based firm, owned by Verizon, acknowledged the attack after multiple users complained on Reddit and other social media sites that attackers had hijacked their Visible accounts, changed the login passwords, updated the shipping addresses, and then bought new smartphones charged to the compromised accounts. 

After facing severe criticism, a Visible spokesperson came forward and confirmed the attack in a Twitter thread, writing that the company was "aware of an issue in which some member accounts were accessed and/or charged without their authorization."

"As soon as we were made aware of the issue, we initiated a review and deployed tools to mitigate the issue, enabling additional controls to further protect our members. Our investigation indicates that threat actors were able to access username/passwords from outside sources, and exploit that information to login to Visible accounts," the company claimed. 

The carrier is now urging affected customers to contact it and to change their account password immediately. 

"I spotted a $1,175.85 charge to my account coming from Visible. Upon examining further, I discovered a 128GB iPhone 13 Pro Max that had been purchased and sent to an address in New York City, far away from my home in the DC/Virginia area," one affected customer wrote on Reddit.

"Visible basically offered nothing. I asked them what the hell is this, and they asked me if I had the order number. I said no, since my entire account was hijacked and the emails don't come to me. I asked if I can be given access to my account again, and they said 'We're not sure.' I should be hearing back within 24-48 hours," the user wrote.

In a later message on Reddit, the company denied the allegations of any breach or exploit, claiming that only "a small number of member accounts was changed without their authorization. We don't believe that any Visible systems have been breached or compromised, nor that this unauthorized access to your Visible account is ongoing," the company stated.

"However, for your protection, we recommend you review your account contact information and change your password and security questions to your Visible account. We also recommend that you review any other accounts that share the same email, login, or password, and make any changes you determine necessary to secure those accounts," the firm advised. 

Earlier this year, in August, cybercriminals breached T-Mobile's systems, exposing the sensitive information of more than 50 million current, former, and prospective customers. Attackers clearly are not hesitating to go after large firms.
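Maimon's point about behavioural signals, quoted earlier in the Chick-fil-A post, and the sequence Visible's customers described (a login they did not make, then a password change, a new shipping address and a large purchase) suggest a simple post-login detector. The following is an added example, not Visible's or Verizon's code: it scores sensitive actions that follow a login from an IP address the account has never used, within a short window, and flags accounts that cross a threshold. The event schema, weights, window and sample events are constructed for the example.

```python
"""Score post-login activity for account-takeover patterns (added example)."""
from dataclasses import dataclass
from datetime import datetime, timedelta


@dataclass
class Event:
    ts: datetime
    account: str
    kind: str            # login | password_change | email_change | address_change | purchase
    ip: str
    amount: float = 0.0  # purchases only


# Weights for the actions an attacker takes once a stuffed login succeeds:
# lock the owner out, redirect goods, then spend. Values are this example's assumption.
RISK_WEIGHTS = {"password_change": 3, "email_change": 3, "address_change": 2, "purchase": 2}


def score_accounts(events, known_ips, window=timedelta(minutes=30), threshold=6):
    """For each login from an IP the account has never used before, sum the weights
    of sensitive actions by that account within `window` (up to its next login).
    Returns {account: {"score", "actions", "flagged"}} for every account that logged in."""
    events = sorted(events, key=lambda e: e.ts)
    results = {}
    for i, login in enumerate(events):
        if login.kind != "login":
            continue
        acct = results.setdefault(login.account, {"score": 0, "actions": [], "flagged": False})
        if login.ip in known_ips.get(login.account, set()):
            continue  # familiar network: a purchase from here is not an ATO signal by itself
        for later in events[i + 1:]:
            if later.account != login.account:
                continue
            if later.kind == "login" or later.ts - login.ts > window:
                break
            if later.kind in RISK_WEIGHTS:
                acct["score"] += RISK_WEIGHTS[later.kind]
                detail = f" ${later.amount:.2f}" if later.kind == "purchase" else ""
                acct["actions"].append(f"{later.kind}@{later.ts:%H:%M}{detail}")
        acct["flagged"] = acct["score"] >= threshold
    return results


# Constructed sample: u1 mirrors the takeover pattern described above, u2 is a normal
# purchase from a known network, u3 is a new device with nothing suspicious after it.
T0 = datetime(2021, 10, 11, 9, 0)
KNOWN_IPS = {"u1": {"192.0.2.10"}, "u2": {"192.0.2.20"}, "u3": {"192.0.2.30"}}
SAMPLE_EVENTS = [
    Event(T0, "u1", "login", "198.51.100.77"),
    Event(T0 + timedelta(minutes=1), "u1", "password_change", "198.51.100.77"),
    Event(T0 + timedelta(minutes=2), "u1", "address_change", "198.51.100.77"),
    Event(T0 + timedelta(minutes=4), "u1", "purchase", "198.51.100.77", 1175.85),
    Event(T0 + timedelta(minutes=5), "u2", "login", "192.0.2.20"),
    Event(T0 + timedelta(minutes=6), "u2", "purchase", "192.0.2.20", 49.99),
    Event(T0 + timedelta(minutes=7), "u3", "login", "203.0.113.5"),
    Event(T0 + timedelta(hours=2), "u3", "purchase", "203.0.113.5", 20.00),
]

if __name__ == "__main__":
    for account, verdict in score_accounts(SAMPLE_EVENTS, KNOWN_IPS).items():
        print(account, verdict)
```

A flagged account is where a step-up challenge or a hold on the order belongs; the Visible customer's complaint that the confirmation emails went to the attacker is exactly why the email or password change itself, not only the purchase, has to carry weight.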

Mozilla: Most Breached Accounts had Superhero and Disney Princess Names as Passwords

The passwords that we make for our accounts are very similar to a house key used to lock the house. The password protects the online home (account) of personal information, thus possessing an extremely strong password is just like employing a superhero in a battle of heroes and villains. 

However, according to a new blog post by Mozilla, superhero-themed passwords keep popping up in data breaches. It may sound absurd, but Mozilla's research, based on data from haveibeenpwned.com, shows that some of the most frequent passwords found in data breaches are the names of superheroes or Disney princesses. Such obvious passwords make it easier for attackers to hijack accounts and systems. 

The data showed that 368,397 breached accounts used Superman as the password, 226,327 used Batman, and 160,030 used Spider-Man. Thousands more featured Wolverine and Iron Man. Research from 2019 also showed 192,023 breached accounts with the password Jasmine and 49,763 with Aurora.

A further 484,4765 breached accounts used 'princess' as the password, and some Disney+ accounts used 'Disney'. Passwords like these are one of the biggest reasons breaches succeed, and they make the attackers' job trivial.

With the increasing volume of compromised account credentials on the dark web, a growing number of businesses are turning to passwordless solutions. Microsoft has expanded its passwordless sign-in option from Azure Active Directory (AAD) commercial customers to Microsoft accounts on Windows 10 and Windows 11 PCs. 

Almost all of Microsoft's employees are passwordless, according to Vasu Jakkal, corporate vice president of Microsoft's Security, Compliance, Identity, and Management group.

"We use Windows Hello and biometrics. Microsoft already has 200 million passwordless customers across consumer and enterprise," Jakkal said. "We are going completely passwordless for Microsoft accounts. So you don't need a password at all," she added. 

Password reuse is common yet highly dangerous; it persists because it is easy and people are unaware of the consequences. Credential stuffing exploits reused passwords by automating login attempts against many systems using known email address and password pairs. Use a strong password that is not an obvious word, never reuse it across sites, and change it as soon as there is any sign it has been exposed.
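A check a practitioner would add to registration and password-change flows, given here as an added example that is not from Mozilla's or Microsoft's material: screen the candidate password against a breached-password corpus using the same k-anonymity range lookup the Pwned Passwords API uses (only the first five hex characters of the SHA-1 hash leave the client), and against a short denylist after stripping the digits and symbols people append to a word like "Batman". The corpus here is a constructed local stand-in for downloaded range data, and the minimum length and denylist contents are assumptions.

```python
"""Reject passwords that are known-breached or built on a common base word (added example)."""
import hashlib
import re
from collections import defaultdict

# Constructed denylist standing in for a breached-password corpus; the names are
# the ones Mozilla reported as frequent, the rest are perennial favourites.
WEAK_PASSWORDS = [
    "superman", "batman", "spiderman", "wolverine", "ironman",
    "jasmine", "aurora", "princess", "disney", "password", "123456",
]
WEAK_BASE_WORDS = {w for w in WEAK_PASSWORDS if w.isalpha()}


def sha1_hex(password: str) -> str:
    return hashlib.sha1(password.encode("utf-8")).hexdigest().upper()


def build_range_index(passwords):
    """Lay the corpus out the way the Pwned Passwords 'range' data is served:
    5-hex-char prefix -> lines of '35-char suffix:count'."""
    index = defaultdict(list)
    for pw in passwords:
        digest = sha1_hex(pw)
        index[digest[:5]].append(f"{digest[5:]}:1")  # real data carries breach counts
    return index


def fetch_range(index, prefix: str) -> str:
    """Stand-in for GET https://api.pwnedpasswords.com/range/<prefix>.
    Only the 5-char prefix is sent (k-anonymity); the full hash never leaves the client."""
    assert len(prefix) == 5
    return "\n".join(index.get(prefix, []))


def breach_count(password: str, index) -> int:
    """Number of times the password appears in the corpus (0 = not found)."""
    digest = sha1_hex(password)
    prefix, suffix = digest[:5], digest[5:]
    for line in fetch_range(index, prefix).splitlines():
        candidate, _, count = line.partition(":")
        if candidate == suffix:
            return int(count)
    return 0


def base_word(password: str) -> str:
    """'Batman2021!' -> 'batman': lowercase and strip non-letters at either end,
    the mangling people apply when a site demands digits or symbols."""
    return re.sub(r"^[^a-z]+|[^a-z]+$", "", password.lower())


def evaluate_password(password: str, index, min_length: int = 12) -> list:
    """Return the policy failures; an empty list means the password is acceptable."""
    problems = []
    if len(password) < min_length:
        problems.append("too_short")
    if breach_count(password, index) > 0:
        problems.append("breached")
    if base_word(password) in WEAK_BASE_WORDS:
        problems.append("common_base_word")
    return problems


if __name__ == "__main__":
    idx = build_range_index(WEAK_PASSWORDS)
    for candidate in ("superman", "Batman2021!", "correct horse battery staple"):
        print(f"{candidate!r}: {evaluate_password(candidate, idx) or 'ok'}")
```

Composition rules (one digit, one symbol) do not catch "Batman2021!"; the base-word check and the breached-corpus lookup do, which is why current guidance favours screening against known-compromised lists over complexity rules.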

Attackers Pummelled the Gaming Industry During the Pandemic

According to Akamai, a content delivery network (CDN), the gaming business has seen more cyberattacks than any other industry during the COVID-19 pandemic. Between 2019 and 2020, web application attacks against gaming organizations increased by 340 %, and by as high as 415 % between 2018 and 2020. “In 2020, Akamai tracked 246,064,297 web application attacks in the gaming industry, representing about 4% of the 6.3 billion attacks we tracked globally,” reads Akamai’s Gaming in a Pandemic report. 

Cybercriminals frequently used Discord to coordinate their operations and discuss best practices on various techniques such as SQL Injection (SQLi), Local File Inclusion (LFI), and Cross-Site Scripting (XSS), according to the company. SQLi assaults were the most common, accounting for 59% of all attacks, followed by LFI attacks, which accounted for nearly a quarter of all attacks, and XSS attacks, which accounted for only 8%. 

“Criminals are relentless, and we have the data to show it,” Steve Ragan, Akamai security researcher and author of the report, was quoted as saying in a press release. “We’re observing a remarkable persistence in video game industry defenses being tested on a daily – and often hourly – basis by criminals probing for vulnerabilities through which to breach servers and expose information. We’re also seeing numerous group chats forming on popular social networks that are dedicated to sharing attack techniques and best practices.” 

Credential-stuffing attacks increased by 224% in 2019 compared to the previous year. Surprisingly, distributed denial-of-service (DDoS) attacks decreased by approximately 20% within the same period. Each day, millions of these attacks target the industry, with a peak of 76 million attacks in April, 101 million in October, and 157 million in December 2020, according to Akamai. 

Credential stuffing is a type of automated account takeover attack in which threat actors utilize bots to bombard websites with login attempts based on stolen or leaked credentials. They can then proceed to exploit the victims' personal data once they find the perfect mix of "old" credentials and a new website. 

Last year, these attacks grew so frequent that bulk lists of login names and passwords could be purchased for as little as $5 per million records on dark web marketplaces. Poor cyber-hygiene practices such as reusing the same passwords across many online accounts and employing easy-to-guess passwords could be blamed for the increase in attacks. 

“Recycling and using simple passwords make credential stuffing such a constant problem and effective tool for criminals. A successful attack against one account can compromise any other account where the same username and password combination is being used,” said Steve Ragan.

OpenBullet Exploited for Credential Stuffing

Credential stuffing, a form of access-related cybercrime, is on the rise and shows no signs of slowing down. Between January 2018 and December 2019, there were 88 billion credential stuffing attacks, according to an Akamai survey.

Credential stuffing is a form of cyberattack in which compromised account credentials are used to obtain unauthorized access to user accounts through large-scale automated login requests directed at a web application. The input is a list of usernames and/or email addresses with their corresponding passwords, usually taken from a data breach. Unlike credential cracking, credential stuffing attacks do not try to brute force or guess any passwords. Using standard web automation software like Selenium, cURL or PhantomJS, or tools built especially for these attacks like Sentry MBA, SNIPR, STORM, BlackBullet and OpenBullet, the intruder automates logins for a significant number (thousands to millions) of previously discovered credential pairs. 

Because many users repeat the same username/password combination across sites, credential stuffing attacks are likely to succeed. According to one poll, 81 percent of users have reused a password across two or more sites, and 25% of users use the same password across most of their accounts. 

OpenBullet is a free web-testing tool that allows users to make particular requests on specific web pages. The open-source tool is available on GitHub and can be used for a variety of activities, including data scraping and sorting, automatic penetration testing, and Selenium unit testing. 

For legitimate reasons, such as penetration testing, the app allows users to try several "login:password" variations as credential brute-force attacks on various websites. Cybercriminals, on the other hand, will use it to find legitimate passwords on various websites for nefarious purposes.

A user can import prebuilt configuration files, or configs, into OpenBullet, one for each website to be checked. It also has a modular editor for adjusting configurations as needed. This is a necessary function because websites make frequent small changes to their login flows precisely to break automated tools like OpenBullet. OpenBullet's GitHub page, for its part, carries a note that the tool should not be used for credential stuffing on websites the user does not own. 

The Federal Trade Commission (FTC) released an advisory in 2017 advising businesses about how to combat credential stuffing, including requiring safe passwords and preventing attacks.

Clothing Brand 'The North Face' Hit By Credential Stuffing Attack, Suffers Data Breach

After The North Face's website was hit by a credential stuffing attack, the company reset its customers' credentials. In a notice to customers, The North Face said it had suffered a data breach. On its website, customers can browse the clothing and accessories collection, buy apparel, and earn loyalty points on their purchases. Further inquiry revealed that the attack took place on 8 and 9 October. 

The North Face says, "we strongly encourage you not to use the same password for your account at thenorthface.com that you use on other websites because if one of those other websites is breached, your email address and password could be used to access your account at thenorthface.com. Besides, we recommend avoiding using easy-to-guess passwords." In credential stuffing, attackers target users who re-use their login credentials across accounts or platforms: they take IDs and passwords stolen in other incidents, such as a data breach, and use them to gain unauthorized access to websites. The process is largely automated, and attackers have refined their tooling to gain leverage in this type of attack. 

Hackers have previously stolen data from prominent organizations such as Dunkin' Donuts, which suffered two such attacks in three months. Based on its investigation, The North Face believes the attackers most likely obtained the user credentials from another source or website and used them against its customers' accounts. According to StatSocial, The North Face leads the US market in the clothing and accessories segment, generating $2 billion of a total $4 billion in revenue in 2019. 

The company did not reveal how many customers were affected; however, SimilarWeb reports that The North Face website had 6.96 million visits in October. "We do not believe that the attacker obtained information from us that would require us to notify you of a data security breach under applicable law, but we are notifying you of the incident voluntarily, out of an abundance of caution," says The North Face.