Security News Survey – February 15, 2019

Credential stuffing attacks are on the rise thanks to a new treasure trove of stolen user data.

This week, we saw several data breaches involving compromised accounts where user data was exposed following an account takeover. The technique behind these breaches is known as credential stuffing, a type of attack that is becoming increasingly problematic for companies and consumers. In a credential stuffing attack, hackers automatically feed large numbers of username (usually an email address) and password combinations acquired through other breaches into a site's login to fraudulently obtain access to user accounts. Hackers take the accumulated data from one site and use it on another in an effort to collect or steal more important information, such as financial data. If successful, the cyber thieves are likely to post the personal account information for sale on the dark web or hold it for ransom.

Thankfully, the credential stuffing attacks that took place this week were not as bad as they could have been, but let’s take a look at a few anyway.

Hearts were broken when some OkCupid user accounts were compromised

On Monday, February 11, reports surfaced from users of the popular online dating site, OkCupid. Users complained that their accounts had been hacked, while a spokesperson for the app claimed there had been no security breach and downplayed it by saying that “all websites constantly experience account takeover attempts” and that there wasn’t a story here. On the site’s Help page, they noted how account takeovers happen and why some users are likely to become victims: by using the same password on multiple sites or services. Cybersecurity professionals would agree with this, and we urge people to use unique username/password combos for different logins.

As one chief information security officer commented, the OkCupid breach “highlights the need for consumers to practice better cyber hygiene, for example using a password manager…” That is certainly one way to avoid becoming a victim of credential stuffing, and there are many password managers out there that are free to use, such as LastPass or Password1.

At the time of writing this blog, OkCupid has not officially acknowledged the incident, but an unrelated vulnerability with their app has been discovered and could lead to serious consequences.

Dunkin’ Donuts suffers their second attack in less than three months

In what some reports are calling the “incident of the week,” the popular coffee shop and donut chain became a victim of another credential stuffing attack. The first attack was reported in late November 2018 when Dunkin’ Donuts alerted owners of DD Perks rewards accounts that their personal and profile data may have been accessed by hackers. On February 12, the chain announced that hackers had once again gained entry to DD Perks using user credentials exposed on other sites. This time, it appears hackers weren’t after user information but rather the accounts themselves, as the accessed accounts are now being sold on the Dark Web.

Unlike OkCupid, Dunkin’ Donuts has not only notified affected users of the attack but is doing everything they can to prevent another one from happening in the future. However, since credential stuffing attacks are not easy for companies to prevent, that’s easier said than done. This emerging type of automated cybersecurity threat is not always detectable because it’s not recognized as being malicious. Additionally, as these attacks increase, the stolen login credentials are being shared over and over, making it easy for almost anyone to access them.

620 million stolen accounts put up for sale on the Dark Web

Credential stuffers out there will be happy to know that a new treasure trove of credential fodder has been made available. This week, hackers amassed 620 million private records and then dumped them on the Dark Web. The stolen accounts are from 16 different websites including MyFitnessPal, which suffered a massive data breach last spring, photography site 500px, HauteLook, and Whitepages, to name a few. On Valentine’s Day, CoffeeMeetsBagel, a dating app similar to OkCupid, disclosed they had suffered a security breach and that the stolen data was a part of the 620 million records posted for sale. Based on sample account records shared with The Register, the records are legit and primarily contain account holder names, email addresses, and passwords. Payment and bank card information is not exposed in the listings.

In most cases, the affected sites have alerted their users of the attack and data dump, and have already done password resets on their behalf. Some sites even took their systems offline as soon as they were made aware of suspicious activity to prevent further exposure. The huge amount of data pulled from all of these sites serves as a reminder that it’s important for online users to change their passwords often and not use the same ones across different websites. This type of leaked data is how credential stuffers stay in business.

To recap, credential stuffing attacks are on the rise and, in the span of only a few days, we saw several instances of this type of threat taking over major websites that likely thought they were protected but found out they weren’t protected enough. While it may be difficult to prevent these attacks from happening, there are steps that both consumers and companies can take to mitigate the impact of an attack. As suggested, users should avoid reusing the same passwords, and they should also create stronger passwords that are not as easy to crack. Websites can require multi-factor authentication and a multi-step login process, making it harder for a would-be hacker to validate a user’s credentials. Not allowing email addresses to be used as usernames is another mitigating measure.

When a credential stuffing attack cannot be prevented, the right security solution can at least detect an attack. Interset UEBA can surface unusual, early-stage behavioral anomalies to help organizations detect threats and quickly see a compromised attack. To learn more, contact us to set up a meeting and see a demo.