Skip to content
Search
  • There are no suggestions because the search field is empty.
Cancel
Get Started Now

    Security Awareness Training Blog

    New York State Warns of Credential Stuffing

    New York Warns of Credential StuffingNew York Attorney General Letitia James has released a guide to help businesses defend themselves against credential stuffing attacks. Credential stuffing is a type of brute-force attack in which attackers use automation to test stolen usernames and passwords against many different websites. New York’s advisory explains that credential stuffing “leverages the natural human tendency to reuse passwords to cope with the ever-growing number of online accounts that must be managed. Attackers know that the username and password used at one website may also be used at a half-dozen others.”

    The guide states these attacks are easy to carry out, as attackers use readily available tools and credentials purchased for cheap on criminal forums.

    “Unlike many other types of cyberattacks, credential stuffing attacks often require little technical knowledge to mount,” the document says. “Attackers typically use free, easily accessible software capable of transmitting hundreds of login attempts simultaneously without human intervention. A single attacker can easily send hundreds of thousands, or even millions, of login attempts to a single web service.”

    The Office of the Attorney General (OAG) found that these attacks are very successful, even against major companies. Attackers can use access to compromised accounts as a foothold within companies’ networks.

    “Over a period of several months, the OAG monitored several online communities dedicated to credential stuffing,” the advisory says. “The OAG found thousands of posts containing login credentials that had been tested in credential stuffing attacks on a website or app and confirmed to provide access to a customer account. Members of these communities were free to use these validated credentials to break into the customer accounts themselves, or use them for their own credential stuffing attacks on other companies’ websites and apps.”

    New-school security awareness training can enable your employees to follow security best practices so they can avoid falling victim to these attacks.

    The New York Office of the Attorney General has the story.

     

    Return To KnowBe4 Security Blog

    Are your user’s passwords…P@ssw0rd?

    Employees are the weakest link in network security, using weak passwords and falling for phishing and social engineering attacks. KnowBe4’s complimentary Weak Password Test (WPT) checks your Active Directory for several different types of weak password related threats.

    wpt02Here's how it works:

    • Reports on the accounts that are affected
    • Tests against 10 types of weak password related threats
    • Does not show/report on the actual passwords of accounts
    • Just download the install and run it
    • Results in a few minutes!

    Check Your Passwords

    PS: Don't like to click on redirected buttons? Cut & Paste this link in your browser:

    https://www.knowbe4.com/weak-password-test

    Topics: Password Security

    Stu Sjouwerman

    ABOUT STU SJOUWERMAN

    Stu Sjouwerman (pronounced “shower-man”) is the founder and CEO of KnowBe4, Inc., which hosts the world’s most popular integrated security awareness training and simulated phishing platform, with over 54,000 organization customers and more than 50 million users. A serial entrepreneur and data security expert with 30 years in the IT industry, Stu was the co-founder of Inc. 500 company Sunbelt Software, a multiple award-winning anti-malware software company that was acquired in 2010.

    Read more from Stu »

    Subscribe to Our Blog


    Security Awareness Training
    Blog RSS Feed
    Comprehensive Anti-Phishing Guide
    All Posts

    Posts by Tag

    See all

    Posts By Topic

    View All

    Get the latest about social engineering

    Subscribe to CyberheistNews