Every now and then, we receive email notifications warning us that our account might have been compromised in a data breach. In fact, if you have a Google account, you’ve probably seen a list of some non-Google accounts you own that have compromised passwords. If you haven’t been paying attention to these warnings, you really should. Here’s why.

Compromised accounts aren’t the only ones at risk

The obvious reason is, a compromised account can be taken over by threat actors. You might say, “Well, that’s alright. I’m no longer using the sites where those compromised passwords are found.” Good point.  Problem is, there’s another not-so-obvious reason to act on these compromised password alerts.

In a recent report published by LastPass, it showed that users reuse passwords an average 13 times across multiple applications. So, for example, a user might use exactly the same password on his/her Facebook account, Tripadvisor account, SharePoint account, and so on. A lot of websites also use email addresses for usernames. So, the same username AND password might be used across multiple sites.

Hence, if you receive a warning that one of your online accounts was involved in a data breach, it doesn’t mean that’s the only account that could be at risk of an account takeover (ATO). Other accounts in other sites could also be at risk if those accounts use the same login credentials. Thus, it’s not enough to just change the password of an account involved in a data breach. You also need to check other accounts that use the same credentials and change those as well.

Note: From this point onward, when we say ‘compromised accounts’, we’re referring to all accounts (across multiple sites) using the same password or login credentials.

Credential stuffing – an attack vector every business should be worried about

Failure to change passwords in compromised accounts can make those accounts vulnerable to what is known as a credential stuffing attack. Credential stuffing is a cyber attack that takes advantage of the fact that users reuse passwords across multiple sites. If a threat actor somehow gets hold of stolen credentials, he/she could use those same credentials to attempt an ATO on other sites.

Credential stuffing has become a much bigger threat now as people spend more time online and on mobile devices and, in turn, increase the number of sites and mobile apps they register to. The greater the number of sites and mobile apps each person uses, the greater the chances for a credential stuffing attack to succeed.

If your organization uses a public-facing website or mobile app, you should consider credential stuffing a serious threat because there’s always that possibility some of your users’ login credentials are exactly the same credentials they use on other sites.

When economics favor the attacker

The risk of any cyber attack is dependent on a couple of factors:

  1. The potential reward – An organization with high value digital assets (e.g. a large stash of personal information, a lucrative trade secret, etc.) will naturally be more attractive to cyber criminals than an organization with low value assets, and
  2. The cost to exploit vulnerabilities – When an organization’s vulnerabilities require minimal cost to exploit, they become a candidate for an attack.

Before cyber criminals launch an attack on a specific target, they consider all these factors first. Only if the economics are favorable to them will they decide to proceed.

For credential stuffing, the economics is just so overwhelmingly favorable to the attacker. The cost of entry is very low while the ROI is ridiculously high for this type of attack. To understand the economics at play here, download the short ebook:

Attacker Economics: Understanding the Economics Behind Cyber Attacks – What Makes Your Company A Prime Target?