cxo voice
  • Home
  • News
  • Leaders Talk
  • Expert Opinion
No Result
View All Result
  • Home
  • News
  • Leaders Talk
  • Expert Opinion
No Result
View All Result
Leaders Talk and Latest Tech News | CXO VOICE
No Result
View All Result
Home News Cyber Security

Credentials database theft, reused passwords dangerous entryway

Harish Kumar by Harish Kumar
November 16, 2022
Reading Time: 5 mins read
Credentials database theft, reused passwords dangerous entryway

Photo: Harish Kumar

Share on FacebookShare on Twitter

When you think about your social media accounts – let’s say your Facebook password – does it have anything in common with your LinkedIn or bank account password? Does it have the same password as your corporate account? If so, you are not alone! According to a Google survey, at least 65% of participants re-use their passwords across multiple accounts and web services.

As every service, website, and social media account requires a password, many people find it easier to reuse the existing ones instead of reinventing new ones, especially since it is difficult to manage and memorize multiple passwords. This is particularly true as, due to security policies, passwords are, by necessity, becoming more and more complex. Although most of the population understands the risk and knows that one shouldn’t reuse passwords, most of us continue reusing passwords for both corporate and personal accounts.

Some people use password managers, which are considered safe, to help them store their credentials. However, these tools are not bulletproof, as seen in August 2022 when LastPass was breached for a second time. On that note, in a survey from 2022, another password manager service, Bitwarden, found that 84% of the service consumers use the same password across multiple business and personal platforms.

India according to Statistica, there were around 170 cases of data theft reported across India in 2021, a huge jump when compared to the 98 reported in the previous year. Such a huge jump could possibly be attributed to the accelerating digital adoption over the pandemic, which forced many organizations online. With this drive to go digital, organizations and individuals also lack cybersecurity awareness leading to increased cybercrime. 

It’s not surprising that cybercriminals immediately saw an opportunity presented by people’s generally lax behavior regarding password reuse and created a flourishing underground market of databases obtained from breached websites.

As most cybercriminals do not care about the origins of the credential pair, they create “combo lists”, huge compilations of many stolen databases that are just lists of email addresses and passwords. Many of those are lists of corporate email accounts with passwords that were used on 3rd party services. The largest combo list of all time, called RockYou2021, was published in 2021 and contained more than 8 billion unique sets of email accounts and passwords.

ADVERTISEMENT
An example of a US-focused combo list that consists of 25 million records

Credential Stuffing Attacks – How do threat actors leverage stolen credentials and combo lists?

Credential stuffing is a type of cyberattack in which the attackers collect stolen account credentials, typically consisting of lists of usernames and/or email accounts and the corresponding passwords. They then use the credentials to gain unauthorized access to user accounts through large-scale automated login requests directed against a Web application.

Credential stuffing is one of the most common techniques to take over user accounts, including emails, banking accounts, social media, and corporate accounts.

The Underground Perspective

As soon as cybercriminals understood the big business potential of stolen passwords, they started focusing their efforts on hacking different websites and services that are not of great value by themselves – but are lucrative because of the user credentials they contain. 

The NIST password storage guidelines require that passwords be salted with at least 32 bits of data and hashed with a one-way key derivation function. However, even in 2022, many websites don’t comply with this policy and some even store passwords as plain text records.

The cybercriminals who hack these websites are not necessarily the ones who most effectively use them. Many flourishing underground communities and markets were created around buying and selling stolen data and credentials. Valuable sets of credentials that provide administrator-level access to an organization can cost up to $120K in the underground, with an average of $3K for administrator sets. While many sets of credentials are sold in the underground forums, many are also given for free.

In just the last six months, in one of the prominent English-speaking underground communities, more than 3,500 threads concerning stolen databases were opened, and more than 1,500 threads about combo lists that include just email accounts and passwords. Each one of these databases can include millions or even hundreds of millions of credential sets.

The number of threads dealing with credential sets opened in a prominent English-speaking underground forum.

While those databases and combo lists include a high percentage of webmail credential sets whose exposure poses only a low risk to the corporation, they also include many sets of corporate email accounts with passwords that employees use to register on 3rd party websites. This is the Holy Grail for the cybercriminals, the most valuable quarry of them all. When the same password is used across personal and business accounts, the damage potential of a cyberattack increases as criminals can access multiple accounts when just one is breached, and the organizations’ vulnerability to cyberattacks increases. These accounts and applications lie beyond the visibility and protection of business IT teams.

In many cases, cybercriminals also separate the combo lists according to the country to make it much more convenient to use. 

Examples of combo lists shared for free for credential stuffing attacks.

How does Check Point Harmony Browse help you prevent the re-use of corporate passwords?

As a complete web browsing solution, Harmony Browse offers credential theft prevention by blocking the re-use of corporate passwords across multiple web services. Password reuse is only one example of how the workforce often unwittingly puts their organizations at risk. Harmony Browse offers extensive web browsing protection to ensure your organization is protected from Web-borne security threats. Among its features, the solution prevents users from visiting phishing sites or downloading malware without compromising workers’ productivity. Organizations need to start taking that first step toward a more data and credentials-secure world. 

(The author is Harish Kumar, Head of Enterprise at Check Point Software Technologies and the views expressed in this article are his own)

Also Read: Metaverse Reality Check: Is It Worth It?

Harish Kumar

Harish Kumar

Head, Enterprise at Check Point Software Technologies, India & SAARC

Related Posts

Top 10 Data and Analytics Technology Trends for 2020
Business

Marketing leaders in India to boost the use of generative AI: Report

June 9, 2023
Users can now create desktop shortcut for Google Password Manager
News

Users can now create desktop shortcut for Google Password Manager

June 9, 2023
HP launched new PC portfolio to meet the evolving consumer demands
Technology

HP introduces 45-inch curved display, vertical mouse in India

June 7, 2023
Apple iPadOS 17 offers redesigned Lock Screen, interactive widgets & more
News

Apple iPadOS 17 offers redesigned Lock Screen, interactive widgets & more

June 6, 2023
Working in a post-pandemic world: What is the new normal?
Technology

Approx 4K people lost their jobs in the US due to AI in May: Report

June 5, 2023
Atomic Wallet faces security breach, loses over $35 mn in crypto
Cyber Security

Atomic Wallet faces security breach, loses over $35 mn in crypto

June 5, 2023
chatbots for businesses
Opinion

Why chatbots are important for businesses to strengthen their sales and operations

June 5, 2023
smart home
Technology

4 in 5 smartphone users consider chipset as heart, brain of phone: Report

June 5, 2023
Load More
ADVERTISEMENT

Expert Views

chatbots for businesses
Opinion

Why chatbots are important for businesses to strengthen their sales and operations

June 5, 2023
How Travel and Expense can pave the way for responsible spend culture
Opinion

How Travel and Expense can pave the way for responsible spend culture

May 24, 2023
Data at Rest
Cyber Security

Data at Rest – How Data Encryption and Data Security Beneficial to IT Teams?

May 8, 2023
SaaS Rising: India is Ready for its Next IT Moment
Opinion

SaaS Rising: India is Ready for its Next IT Moment

January 31, 2023
Technology remains the main driver for insurance companies to scale and grow in 2023
News

Technology remains the main driver for insurance companies to scale and grow in 2023

January 10, 2023

Latest Updates

Top 10 Data and Analytics Technology Trends for 2020

Marketing leaders in India to boost the use of generative AI: Report

by IANS
1 day ago

Users can now create desktop shortcut for Google Password Manager

Users can now create desktop shortcut for Google Password Manager

by IANS
2 days ago

HP launched new PC portfolio to meet the evolving consumer demands

HP introduces 45-inch curved display, vertical mouse in India

by IANS
4 days ago

Apple iPadOS 17 offers redesigned Lock Screen, interactive widgets & more

Apple iPadOS 17 offers redesigned Lock Screen, interactive widgets & more

by IANS
5 days ago

Working in a post-pandemic world: What is the new normal?

Approx 4K people lost their jobs in the US due to AI in May: Report

by IANS
5 days ago

Atomic Wallet faces security breach, loses over $35 mn in crypto

Atomic Wallet faces security breach, loses over $35 mn in crypto

by IANS
6 days ago

Get Latest Update

Subscribe to our mailing list to receives newsletter direct to your inbox!

ADVERTISEMENT

Leaders Inerviews

Interview with Prasanna Arikala, CTO, Kore.ai on AI chatbots
AI

Can AI chatbots enhance customer experience and reduce the cost of serving customers?

-
Rising cyber attacks pose a serious threat to Indian SMBs, says Zakir Hussain
Cyber Security

Rising cyber attacks pose a serious threat to Indian SMBs, says Zakir Hussain

-
Axis Bank's Cloud-driven digital banking solutions
Banking

Axis Bank doubles down on cloud based digital banking solutions

-
digital-first strategy
Banking

Jana Small Finance Bank’s digital-first strategy enhances customer experience

-

Entrepreneur

Samsung Electronics appoints its first female president

Inspiring Women Entrepreneurs in India (2022)

Technology Adoption For Entrepreneurs

Volunteering management is the need of the Hour

We bring business leaders' opinions and unique ideas on what’s happening in the market and its impact. Also, get the daily news, analysis, and insights.

Connect with us

Easy Links

  • Cryptocurrency
  • Event
  • Blockchain
  • Press Release
  • Resources & Downloads

Write Us

contact@cxovoice.com
  • Home
  • About
  • Contact Us
  • Advertise
  • Privacy & Policy
  • Feedback

© 2023 CXO VOICE

No Result
View All Result
  • Home
  • News
  • Leaders Talk
  • Expert Opinion

© 2023 CXO VOICE

Welcome Back!

Login to your account below

Forgotten Password?

Retrieve your password

Please enter your username or email address to reset your password.

Log In

Add New Playlist

Our Spring Sale Has Started

You can see how this popup was set up in our step-by-step guide: https://wppopupmaker.com/guides/auto-opening-announcement-popups/