2019 is looking to be the year of the “data dump”, with more exposed records than any other year, empowering further credential stuffing attacks, according to McAfee.
Among other great details around the current state of attacks in the McAfee Labs Threats Report August 2019, the report highlights the massive number of credentials, including a single hacker group, Gnosticplayers, releasing over 1 Billion brand new account records on the dark web’s Dream Market.
What makes the availability of 2.2 Billion sets of credentials is the ability for user’s accounts to be compromised. Cybercriminals leverage scripting to attempt logons using each individual credential they have access to on multiple sites – banking, shipping, Google, Office 365, and more.
With this many accessible sets of credentials, it’s imperative that users be following a few basic security hygiene best practices:
- Never use the same password on multiple systems, applications, or platforms – different accounts require different passwords. The use of the same password gives the cybercriminal an ability to use that credential set on multiple platforms and gain access.
- Regularly change your password – while Microsoft killed the password expiration policy earlier this year, signaling the ineffectiveness of frequently changing passwords (e.g. every 30 days), the need for passwords to be changed at some regular interval (while not as frequent as every 30 days) is still necessary.
- Longer passwords are better – rather than a complex short password (e.g., 3#f7Gw%8b), a longer password that uses a combination of upper/lower case letters, numbers, and symbols is more secure. The best is a passphrase with 25 characters or more. (e.g., Of the Top 10, I like #3 the best!)
Organizations can continually education and reinforce the need for proper user security hygiene through Security Awareness Training by making users both aware of the need for security vigilance, and how to best incorporate security-minded habits into their everyday work.