- Special Holiday Introductory offer from myNetWatchman
The holiday season is upon us, and along with the increase in shopping, celebrating and well-wishing there is, unfortunately, an increase in fraud this time of year. Retailers are especially hard hit as fraudsters try to "get lost in the crowd" and have their activity go unnoticed amid the volume of account logins, new account openings, shipping address changes, password resets and so on that a retailer has to deal with. Identifying account takeover can be tough, and getting it wrong this time of year can cost you a customer long term. Many companies also rely heavily on email to "authenticate" their customers' activity. For the past few years we have seen about 30% more criminal activity in November through January than in the summer months (June through August).

myNetWatchman has a service to identify compromised emails and accounts. To celebrate the upcoming launch of our Email Reputation portal in Q1 2025, we have a limited-time offer for companies to get a portal account to use for the 2024 holiday season. For $500.00 you get a single user account from now through January 31, 2025. You'll get:

  * No commitment: you are charged the introductory cost once. When the special ends on January 31, let us know if you want to upgrade to a subscription.
  * One user, unlimited use: check as many email addresses as you want, as many times as you want, until the special ends January 31.
  * A full scan of our repository of 30+ billion known breached credentials for every address you input.
  * A comprehensive summary of what we have seen criminals doing with the email address.
  * 90 days of history showing where a criminal tried the address, and whether or not they were successful.
  * For compromised emails, what the bad actor searched for in the mailbox.
- How Bad Actors Take Over Email Accounts
Email accounts are highly valued targets for bad actors, and myNetWatchman data shows it. Over the past 30 days, live data monitoring shows a daily average of 7.5 million illegitimate login attempts against email accounts, targeting an average of 2.5 million unique mailboxes each day. Access to an email account is valuable to fraudsters because it is a launching point for a multitude of other attacks. In Anatomy of Email Compromise we talked about what we see bad actors do once they have gained access to an email account. Today we are discussing the methods we observe bad actors using to gain and maintain that access.

Email accounts are particularly vulnerable because of the confluence of two factors: consumers reuse not only passwords but whole credential pairs (a password and a username or email address used in combination), and billions of credential pairs have been compromised in data breaches. Together these make it easy for bad actors to attempt access to an email account simply by replaying the email and password combination exposed in any breach.

Techniques bad actors use to gain access to an email account

Credential stuffing involves attempting credential pairs compromised in one or more data breaches against the login pages of organizations unaffiliated with the breach where the pair was exposed. Often, credential stuffing attacks target a large list of organizations where a consumer may have created an account with the same credential pair. This is a high-volume attack, typically executed by bots, with a low success rate; however, even a success rate below one percent on millions of attempts is fruitful.

Credential stuffing attacks against email accounts take a more targeted approach. Many organizations have users create accounts and log in with an email address rather than a username, so when a compromised credential pair includes an email address, it tells bad actors exactly where to attempt account takeover (ATO) of the inbox: they just look at the email domain. When the bad actor knows a username that is not an email address, they will often try the username as the local part of an email address. For example, the username Bob123 leads to ATO attempts against Bob123@gmail.com, Bob123@outlook.com, and so on.

Phishing is a form of social engineering that uses manipulation and deception to get the victim to do what the attacker wants, whether that is clicking a link, downloading a malicious file or giving away information. Phishing generally refers to these attempts via email, while variations such as smishing (SMS-based) and vishing (voice-based, via phone calls or voicemail) employ the same tactics through different delivery channels. These messages typically try to create a sense of urgency, for instance by claiming that a transaction was made or that an account is being shut down, and they can be very convincing, mimicking real brands or organizations the victim uses. If the victim downloads a file, it may be spyware that captures credentials entered on the device; a link may instead lead to what looks like a real login page, where the victim hands their login details directly to the bad actors.

Spear phishing is a more advanced form of phishing in which the attacker targets a specific individual within an organization. The attacker researches the target through public information, social media and more, so the phishing email purports to come from someone the target knows and its content is plausible. Attackers may go as far as coordinating a simultaneous SIM swap (ATO of the victim's phone number) so that they receive the authentication codes and get around two-factor authentication.
Maintaining access to an email account

Because a victim's mailbox is so valuable and useful, a bad actor will spend the (relatively low) effort needed to keep access to it. Mainly this means deleting anything that arrives in the inbox intended to tip the true account holder off that someone else has accessed the account, such as notifications of a login attempt or a successful login from a new device, location or IP address. The bad actor can easily delete these not only from the Inbox but from the Trash folder as well. myNetWatchman data shows that these techniques work: in a random sample of 100,000 email accounts known to have been recently accessed by bad actors, 30 percent had been compromised for more than two years.

Email Reputation tells organizations whether an email address is being targeted by credential stuffers, and to what extent, which helps them understand risk and act accordingly at login and account creation. Beyond whether a given email address is being targeted, Email Reputation reports:

  * how many different passwords have been attempted with this email address;
  * against how many different sites the address has been attempted;
  * how many credential stuffing attempts against it have succeeded (i.e. presented the correct password);
  * the timeframe of these attempts;
  * whether the inbox itself was accessed by a bad actor, when, for how long and how recently;
  * what the bad actor searched for in the mailbox, shedding light on what they are likely to target next.

There are many actions consumers can take to protect themselves against email ATO, and it starts with using unique, strong passwords. If a consumer uses a shared password, they should assume it has been compromised through one of the accounts that use it. The best way consumers can fight back against credential stuffing is to ensure that when any account they hold is caught up in a data breach, the compromised password cannot be used against them elsewhere. It would be great if all consumers took these measures themselves, but we won't hold our breath. In the meantime, Email Reputation alerts organizations when user credentials are being targeted or are at high risk.
- YOU HAVE BEEN BREACHED: Consumer Credential Stuffing
When a credential stuffer tests multitudes of usernames and passwords and even one succeeds, you now have a customer who has suffered a data breach. Your organization, like most, probably has people working hard to make sure hackers don't breach your internal systems. But do you have a similar level of protection against breaches of your customer accounts? Many organizations think credential stuffing is low risk, or figuratively throw up their hands, citing consumers' poor password hygiene or third-party data breaches as a "there's nothing we can do" defense. This mindset can cost you reputation and customer confidence and, as we have seen recently, severe settlement and legal costs.

The $30 million settlement of a class action lawsuit against 23andMe should serve as a wake-up call that organizations can be found financially liable for neglecting to prevent credential stuffing attacks. Most coverage of the event behind the suit refers to the 6.9 million 23andMe customers whose genetic testing and ancestry data was accessed. But this data breach began with credential stuffing attacks using credentials compromised in various prior breaches, credentials which consumers were reusing for their 23andMe accounts.

There are several key takeaways from this suit and settlement. First is the amount, $30 million, $25 million of which 23andMe believes will be covered by cyber insurance. It is hard to quantify the damages to consumers whose ancestry data was compromised; the defendants argued that because traditionally sought-after data, such as Social Security numbers, was not implicated, the amount should be lower. Organizations need to consider the types and sensitivity of the personally identifiable information (PII) they hold for their user accounts, and the legal and liability risk of unauthorized access to it.

Another key takeaway comes from the plaintiffs' accusation that 23andMe should have done more to protect the accounts. As part of the settlement, 23andMe agreed to mandate multi-factor authentication (MFA) going forward. This may set a precedent that organizations are responsible for protecting user accounts even when the users do not protect themselves and leave their accounts open to credential stuffing and account takeover by reusing compromised passwords.

MFA, however, is not a perfect solution. While MFA does protect accounts against account takeover (ATO), the reality is that consumers will not opt in, and there will be significant churn or customer attrition if it is mandated. The bottom line is that consumers do not want additional friction, and neither do companies, because friction means lower sales. Organizations need more passive ways to protect against credential stuffing. Passive protections are the only option when consumers refuse the friction of MFA, but they should also be used alongside MFA as a way to present it more strategically and selectively.

Bad actors know and exploit the fact that consumers reuse passwords; that is why they systematically carry out credential stuffing attacks to find where else a breached credential pair is used. myNetWatchman has unique insight into these attacks, as we see credential stuffing at large scale across some of the largest web properties. Every year we observe tens of thousands of companies and websites each experiencing thousands of credential stuffing attempts; in just the past 30 days, over 3,000 companies were targeted. Companies need a way to detect and stop credential stuffing attacks and to remediate accounts that are taken over. myNetWatchman offers services to detect that these attacks are occurring and to identify which accounts are at risk or compromised. Our services can screen a credential whenever it is presented and cross-check it against our repository of 30 billion compromised credential pairs. This is the passive protection organizations need to detect credential stuffing and avoid the costly headaches these attacks cause.

Those costs go beyond settlements like the $30 million one 23andMe is facing; they include operational costs, downtime and brand damage. A 2017 study from the Ponemon Institute estimated the annualized cost of credential stuffing attacks at $6 million on average when considering only prevention, detection and remediation (excluding fraud losses). The average cost of fraud-related losses ranged from $500,000 to $54 million, depending on what percentage of accounts suffered a monetary loss as a direct result of the attack. Keep in mind that these figures would be about 29 percent higher if adjusted for cumulative inflation since 2017, and that they exclude harder-to-quantify losses such as brand damage and lost customer lifetime value.

myNetWatchman's Web Monitoring service alerts clients to ongoing credential stuffing attacks so they can be identified and stopped, and identifies the user accounts implicated in the attack for remediation. Our AllCreds service focuses on prevention and remediation, as clients leverage our repository of over 30 billion compromised credential pairs to know when compromised credentials are presented, whether at login, account creation or password change. Our continuous live attack monitoring adds 15 million new compromised credential pairs each day.

Companies are learning the hard way that credential stuffing cannot be ignored, and reluctance to use MFA means more must be done to passively protect user accounts. While a case as notable as the 23andMe class action results in losses larger than most will experience from credential stuffing, it is a stark reminder that these attacks are troublesome and costly, and that the precedent has been set: organizations need to do more to protect user accounts from credential stuffing.
- Beyond the Inbox: The Far-Reaching Impact of Email Compromise
The email address is the most commonly used data point for validating that someone trying to access a system is the true account holder. When we create user accounts online, the email address is always collected, and it often doubles as our username. If we need to reset a password, if a login attempt is suspicious and the organization wants to notify us, or if a one-time passcode (OTP) is sent to validate that it is really us, this is done by email much, if not most, of the time. We put a great deal of trust in the email address, but how do we know the mailbox behind it has not already been compromised?

Consumer email accounts are high-value targets because access to an active mailbox can be the launching point for so many other attacks. The inbox reveals the financial institutions, online merchants and other organizations the victim interacts with online. Once bad actors have access to an email account, the attacks often begin with curating a list of sites to target with credential stuffing: they search the inbox for order confirmations or any email that shows a customer relationship. Knowing that people commonly reuse passwords, the miscreant tries the same credential pair that opened the email account at many other sites and services. If a username rather than an email address is used to log in elsewhere, that username may well be sitting in an old email in the inbox.

If the email account takeover (ATO) victim uses a unique password for their email account, the bad actor's tactics may shift from credential stuffing to attacking the victim's other accounts through password reset flows, which are primarily completed via links sent to the account email. It is also common for bad actors to change the contact email address on file so it is harder for the consumer to recover the account. As the bad actor makes these changes, they cover their tracks along the way by deleting the password reset and account change confirmation emails that arrive in the victim's inbox.

myNetWatchman's Email Reputation service lets you see which email accounts are compromised: not only whether an email is compromised, but how recently the bad actor used the mailbox and what they were trying to gain. For example, in the last 30 days, bad actors using compromised mailboxes searched for:

  * Buy Now Pay Later (BNPL) services such as Klarna and Affirm, because they could take over those accounts and make unauthorized purchases.
  * Order confirmations, promotions and coupons, because these reveal who the victim does business with, so those relationships can be targeted for more fraud.
  * "loyalty program", "rewards" and "points", because rewards and points can be transferred or redeemed.
  * Crypto terms such as "blockchain", "bitcoin" and "onekey" (an open source crypto wallet), because crypto wallets and platforms are very high-value ATO targets and the goal is to drain the balance.
  * Website design and hosting services such as SquareSpace and Wix, because these are good targets for ransom attacks in which the bad actor takes control of a website, takes it down and threatens to delete it forever unless a ransom is paid.
  * Password managers such as LastPass and NordPass, because these are the miscreant's treasure chest of all the victim's accounts.

Clearly, a great deal of damage can be done once a consumer's email account has been taken over. While this is of course damaging to the victim, it is also a major concern for any organization using the compromised address as contact information. If an email address is actively compromised, it is no longer a valid channel for two-factor authentication (2FA) and cannot be trusted to complete password reset flows. Further, organizations cannot rely on confirmation emails saying that an account was accessed, a password was changed or a purchase was made, and trust that the true account holder will see the notification: the bad actor who has taken over the email account is waiting for it and will swiftly remove it from the inbox.

Knowing that an email account is actively compromised greatly changes the risk profile and renders useless some of the most common methods of confirming or authenticating logins and account changes. These are the insights myNetWatchman provides to clients via the Email Reputation service. Any organization that relies on email for 2FA, for password reset flows, or simply to notify and confirm that a purchase, login or account change was legitimate, will benefit from knowing whether an email address is or might be compromised. Those that offer loyalty programs, hold stored billing instruments, protect sensitive consumer information, allow purchases on credit or maintain any type of balance that can be spent or transferred have elevated ATO exposure and will be targeted. It is only a matter of time before ATO of an email account leads to ATO attempts against the many organizations that consumer does business with online.
- New White Paper from The Fraud Practice and myNetWatchman Discusses Balancing Protection Against ATO with Preserving the User Experience
We provide an alternative perspective on the myth that 2FA makes user credentials secure, so you don't need to detect compromised credentials. Traditional security measures are proving insufficient both in protecting consumer accounts from takeover and in reducing friction in consumer eCommerce. The Fraud Practice and myNetWatchman present this free white paper, There is no Silver Bullet: User Credentials are not Secured with 2FA Alone, which sheds light on the limitations of two-factor authentication (2FA) and emphasizes the need for more risk-aware, user-friendly security solutions.

Two-factor authentication is a useful tool, but it does nothing to protect the first factor of authentication: the password. Even when 2FA prevents account takeover (ATO), a credential stuffing attack still succeeds in one sense, because it confirms to the attacker that the credentials are still valid. Further, consumers don't want 2FA on every interaction; outside the workplace and online or mobile banking, consumers use 2FA sparingly, so it does not make sense for most organizations. Stronger protection and risk mitigation at the first factor are needed, and it is an area where most organizations stand to improve.

The white paper discusses misconceptions and challenges around 2FA, along with alternative ATO detection and mitigation strategies that put more emphasis on protecting the first factor. One area discussed is leveraging services that detect compromised credentials and credential stuffing attacks, which can enhance security while maintaining a seamless experience for the majority of users who present low risk. These insights help protect against unauthorized access and reduce the need for broad, user-unfriendly authentication steps that add friction and carry a per-use cost. By adopting more nuanced, passive security measures, organizations can better protect their users without compromising the user experience. This approach not only fortifies defenses against ATO but also ensures a smoother, less intrusive login process for consumers. Download the free white paper today.
- User Password Behavior can be Exploited by Criminals
End users are at the source of every login. Companies can, and do, create mechanisms to encourage people to manage their credentials, such as requiring long passwords or passwords with special characters or digits. But humans, comfortable with repetition, follow patterns that fraudsters can recreate when testing for valid credentials.

Consumers reuse passwords, and bad actors capitalize on that

It is well known that consumers reuse passwords. Our analysis of criminal behavior shows that the criminals know it too. For example, in the credential stuffing attack against Company M, nearly 10% of the passwords that succeeded were also used successfully by miscreants at other sites (get the full case study document here). Consumers are also reluctant to change passwords: fewer than half of Americans would update a password after learning it was compromised in a data breach. You can read our in-depth report on credential and password reuse here.

Consumers change passwords in predictable ways

If your password policy requires it, consumers may take the time to create a strong password with numbers and special characters peppered throughout the string. Or they may simply append a digit or a character such as "!" to the end of their "default" password. More complicated passwords are harder to remember, so consumers may rely on one strong password that meets nearly all password policies and reuse it across several different logins.

Attackers mimic common user password changes to test password variants

This behavior is seen all across myNetWatchman data and our live monitoring of credential stuffing activity, and we see it applied to both passwords and usernames. When a credential stuffer sees a username and password pair compromised in a data breach, and sees that the password is weak (for example, alphabetic characters only), they will absolutely try variations of that password in their credential stuffing attacks. Bad actors performing credential stuffing are often sophisticated. They use bots or scripts to automate their attacks, including tumbling and swapping techniques, which means making slight variations to a username and/or password. A seasoned attacker will research the password policies of the organizations they are targeting, then plan and attempt variations of the compromised password with capital letters (often the first character), numeric characters and special characters (often added at the end).

Here are a few examples of what myNetWatchman sees when miscreants test passwords. Note the slight variations between them. It is unknown whether these variants were obtained from breach sets or created by the bad actor; however, for each of these usernames, at least one of the variations (in some cases more than one) was successful, giving the bad actor access to the user's account.

Password variations tested for Username 1:
  Tit@s1127, Tit@s1128, Titas1126, titas1126, titas1127, Titas1127, Titas11278, Titas1128, titas1128

Password variations tested for Username 2:
  Carol2002, carol2002, carol2002!, carol2002?, Carol2002@, carol2002$, Carol2002$, Carol20021, Carol2002123

Password variations tested for Username 3:
  MIlc_aeroger1, MILcaeroger-912, MILcaeroger1, MIlcaeroger1, milcaeroger1, Milcaeroger1, MILcaeroger1!, MILcaeroger123, Milcaeroger123, MILcaeroger345, MILcaeroger912!

Password variations tested for Username 4:
  Patyn3ta, patyn3ta, Patyn3ta*, patyneta, Patyneta*17, Patyneta*1703, patyneta123, Patyneta123, Patyneta2511, patyneta2511

myNetWatchman has been observing criminal behavior for more than 20 years. We see bad actors testing password variations: incrementing numbers, changing case, adding special characters. And the miscreants are having success with these passwords because they are not random; they are variations built from the known habits of people creating and changing passwords.

AllCreds is myNetWatchman's credential screening service that lets you check any credential, any time, to see if it has ever been used or tested by a criminal. Our proprietary data repository holds over 30 billion compromised credential pairs and grows by 15 million new pairs daily.
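To show how a password-change or login screen can catch the mutations listed above, here is an added example written for this page; it is not myNetWatchman code and not the AllCreds API. It reduces a password to the alphabetic root the user is mutating, names the mutation (case change, appended suffix, changed digits or symbols), and rejects a candidate that is a trivial variant of any password already seen compromised for that account. The leet substitution table, the four-character root threshold and the sample compromised passwords (drawn from the table above) are this example's own assumptions.

```python
"""Reject new passwords that are trivial variants of known-compromised ones.

Added example for this article, not myNetWatchman's implementation. It models
the mutation patterns described above: case changes, leet substitutions,
appended or incremented digits, and appended special characters.
"""
import re

# Leet substitutions undone when extracting a root. This table is an assumption
# of the example, not a myNetWatchman rule set; extend it from your own logs.
_LEET = str.maketrans({"@": "a", "3": "e", "0": "o", "$": "s", "1": "i",
                       "4": "a", "5": "s", "7": "t"})

# Constructed sample: passwords previously seen compromised for one account,
# taken from the variant lists shown above.
KNOWN_COMPROMISED = ["carol2002", "Titas1127", "milcaeroger1", "Patyneta*17"]


def root(password: str) -> str:
    """Reduce a password to the alphabetic root a user is likely mutating.

    Lowercase; strip trailing digits/symbols (where users append '!' or bump a
    year); undo common leet substitutions; drop separators such as '_' or '-'.
    """
    p = password.lower()
    p = re.sub(r"[^a-z]+$", "", p)
    p = p.translate(_LEET)
    return re.sub(r"[^a-z0-9]", "", p)


def _full_norm(password: str) -> str:
    """Whole-password normalization used when the root is too short to trust."""
    return re.sub(r"[^a-z0-9]", "", password.lower().translate(_LEET))


def is_trivial_variant(candidate: str, compromised) -> bool:
    """True if candidate shares a root with any compromised password."""
    r = root(candidate)
    if len(r) < 4:
        # Mostly digits/symbols (e.g. "2002!"): no usable root, so compare the
        # normalized whole string instead of a near-empty root.
        target = _full_norm(candidate)
        return any(_full_norm(c) == target for c in compromised)
    return any(root(c) == r for c in compromised)


def classify(candidate: str, base: str) -> str:
    """Name the mutation that turns base into candidate, for logs and feedback."""
    if candidate == base:
        return "identical"
    lc, lb = candidate.lower(), base.lower()
    if lc == lb:
        return "case change"
    if lc.startswith(lb):
        return "suffix appended"
    if is_trivial_variant(candidate, [base]):
        return "digits/symbols changed"
    return "unrelated"


def screen(candidate: str, compromised=KNOWN_COMPROMISED):
    """Decide a new-password choice: (accept, reason)."""
    for known in compromised:
        label = classify(candidate, known)
        if label != "unrelated":
            return False, f"rejected: {label} of a password already seen compromised"
    return True, "accepted: not a trivial variant of any known-compromised password"


if __name__ == "__main__":
    for pw in ["Carol2002!", "Tit@s1128", "MILcaeroger-912", "correct-horse-battery"]:
        print(pw, "->", screen(pw))
```

Hook `screen()` into the password-change flow with the compromised passwords known for that specific account (root matching across all 30 billion pairs would reject far too much). The root comparison is deliberately coarse: it catches the increment-a-digit and append-a-symbol habits in the table, which exact-match breach checks miss.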
- Anatomy of an FI Credential Stuffing Attack
Many types of organizations rely on myNetWatchman to help protect against credential stuffing and account takeover, but user account security is especially important for financial institutions (FIs). In this article we explore a recent credential stuffing attack against a financial institution that myNetWatchman observed as part of our continuous, real-time monitoring. Bad actors tend to repeat their attacks and attack patterns against many FIs, and the intent of sharing this case study is to help others recognize and defend against similar patterns when they see a credential stuffing attack. The attack detailed here occurred between June and August 2024, targeting a large financial institution with many consumer accounts. For readers less familiar with the basics of credential stuffing, please read our previous blog post on credential stuffing.

It's a high-volume numbers game. Credential stuffing attacks systematically test credentials (email or username and password combinations) exposed via data breaches and phishing to see where else the same credential pair is used. A large percentage of failures is expected; the idea is to identify the credentials that successfully provide account access and extract value from that more refined list. In this attack, myNetWatchman observed over eight million unique usernames attempted in a six-week period.

Attackers cater to their targets. The bad actors behind this attack took into account that FIs, including the one targeted, do not typically use email addresses as usernames: nearly all of the more than eight million usernames attempted were non-email usernames.

The credential stuffing success rate is lower for FIs than for eCommerce retail, but the impact of account takeover is much greater. The success rate of this attack was 0.1 percent, or about eight thousand of the accounts tested. This FI supports two-factor authentication (2FA) but was not presenting it for all logins. We are uncertain how many of the successful logins from the attack were presented with, or stopped by, 2FA. However, even when 2FA stops the bad actors from gaining access, they have confirmed that the credentials are valid, and from that point they may use phishing, SIM swaps or other techniques to gain control of the email address or phone number used for 2FA.

You are rarely the first target of a credential stuffing attack. Where AllCreds provides myNetWatchman clients deep value is in knowing that credentials being attempted against them are not only compromised but have been seen in other credential stuffing attacks. As is typically the case, a majority of the successful credential pairs (those able to advance to being presented 2FA) attempted against this FI had been seen previously: nearly nine in ten, 86 percent, were previously observed by myNetWatchman.

You often aren't the first target in your industry either. More than one quarter, 26 percent, of the valid credentials used in this attack were previously observed by myNetWatchman being used against other FIs. We know that consumers tend to reuse passwords. Thankfully, many realize they should use a stronger password for online banking than for other accounts, but it may be that many consumers reuse the same password across multiple online banking logins, and fraudsters exploit this by testing compromised pairs across multiple FIs. Or it may be that bad actors mine their compromised credential sets for non-email usernames and strong passwords, as these are more likely to be used for online banking; they do not know which FIs the account holders bank with, so they target many.

It's not a matter of if, but when. FIs will see credential stuffing attacks because the ability to take over online banking accounts is valuable to fraudsters. 2FA may prevent account takeover, but a successful credential stuffing attack is still valuable to the attackers, who may later target the account holder with phishing or other schemes to beat or circumvent 2FA. FIs need to be aware when credential stuffing attacks are occurring and know which online banking accounts are using compromised credentials. myNetWatchman offers unique visibility into credential stuffing attacks, specifically as it relates to FIs. It is extremely valuable to know not only that presented credentials are compromised but that they are actively being tested, and more valuable still to know they are being tested against other FIs. myNetWatchman provides this visibility as high-quality, meaningful risk signals, all built on our continuously growing repository of over 30 billion exposed credential pairs, which protects over 550 million users for our clients.
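The credential stuffing shape described in this case study, and in How Bad Actors Take Over Email Accounts above (high volume, bot-driven, many distinct usernames, a success rate well under one percent), can be picked out of plain login logs without any vendor feed. The following is an added example written for this page; it is not myNetWatchman's Web Monitoring service or code, and the log format, thresholds and sample lines are constructed assumptions. It profiles each source IP, separates stuffing (many distinct usernames, few successes) from brute force (one username, many passwords) and ordinary retries, and returns the usernames whose credentials a stuffing source validated, which is the remediation list the text refers to. Here "ok" means the password was accepted; where 2FA sits behind that step, these are exactly the accounts the attacker has now confirmed as valid.

```python
"""Flag credential stuffing sources in login logs and list the accounts they validated.

Added example for this article, not myNetWatchman code. Log format, thresholds
and sample events are assumptions; tune them against your own baseline.
"""
import re
from collections import defaultdict
from datetime import datetime

# Assumed log line format: "<ISO8601 UTC> ip=<addr> user=<name> result=ok|fail".
LOG_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2})Z? "
    r"ip=(?P<ip>\S+) user=(?P<user>\S+) result=(?P<result>ok|fail)$"
)

# Constructed sample log (documentation-range IPs, invented usernames).
SAMPLE_LOG = [
    # One source cycling through distinct, non-email usernames with one hit:
    # the stuffing pattern described in the article.
    "2024-07-03T10:15:01Z ip=203.0.113.7 user=rgarcia result=fail",
    "2024-07-03T10:15:02Z ip=203.0.113.7 user=tlee21 result=fail",
    "2024-07-03T10:15:02Z ip=203.0.113.7 user=mkhan_77 result=fail",
    "2024-07-03T10:15:03Z ip=203.0.113.7 user=dwright result=fail",
    "2024-07-03T10:15:04Z ip=203.0.113.7 user=jsmith88 result=ok",
    "2024-07-03T10:15:04Z ip=203.0.113.7 user=pnovak result=fail",
    "2024-07-03T10:15:05Z ip=203.0.113.7 user=kchen9 result=fail",
    "2024-07-03T10:15:06Z ip=203.0.113.7 user=bmurphy result=fail",
    "2024-07-03T10:15:06Z ip=203.0.113.7 user=sali44 result=fail",
    "2024-07-03T10:15:07Z ip=203.0.113.7 user=ahoward result=fail",
    # Malformed result value: the parser skips it rather than crashing.
    "2024-07-03T10:15:08Z ip=203.0.113.7 user=zz result=timeout",
    # A legitimate user who mistypes twice, then signs in.
    "2024-07-03T10:16:10Z ip=198.51.100.4 user=alice.w result=fail",
    "2024-07-03T10:16:25Z ip=198.51.100.4 user=alice.w result=fail",
    "2024-07-03T10:16:40Z ip=198.51.100.4 user=alice.w result=ok",
] + [
    # A source hammering one account with many passwords: brute force, not stuffing.
    f"2024-07-03T10:2{i}:00Z ip=192.0.2.9 user=bob.h result=fail" for i in range(10)
]


def parse(lines):
    """Yield parsed events; lines that do not match the format are skipped."""
    for line in lines:
        m = LOG_RE.match(line.strip())
        if m:
            ev = m.groupdict()
            ev["ts"] = datetime.fromisoformat(ev["ts"])
            yield ev


def profile_sources(events):
    """Aggregate per source IP: attempts, distinct usernames, successes, time span."""
    stats = defaultdict(lambda: {"attempts": 0, "users": set(), "ok_users": set(),
                                 "first": None, "last": None})
    for ev in events:
        s = stats[ev["ip"]]
        s["attempts"] += 1
        s["users"].add(ev["user"])
        if ev["result"] == "ok":
            s["ok_users"].add(ev["user"])
        s["first"] = ev["ts"] if s["first"] is None else min(s["first"], ev["ts"])
        s["last"] = ev["ts"] if s["last"] is None else max(s["last"], ev["ts"])
    return stats


def classify_source(s, min_attempts=8, stuffing_ratio=0.8, max_success_rate=0.2):
    """Label one source. Thresholds are illustrative assumptions, not measured values."""
    if s["attempts"] < min_attempts:
        return "normal"
    distinct_ratio = len(s["users"]) / s["attempts"]   # ~1.0 means one try per account
    success_rate = len(s["ok_users"]) / s["attempts"]  # stuffing succeeds rarely
    if distinct_ratio >= stuffing_ratio and success_rate <= max_success_rate:
        return "credential_stuffing"
    if len(s["users"]) == 1:
        return "brute_force"
    return "normal"


def detect(lines):
    """Return (verdict per IP, usernames whose credentials a stuffing source validated)."""
    stats = profile_sources(parse(lines))
    verdicts = {ip: classify_source(s) for ip, s in stats.items()}
    validated = sorted(u for ip, s in stats.items()
                       if verdicts[ip] == "credential_stuffing" for u in s["ok_users"])
    return verdicts, validated


if __name__ == "__main__":
    verdicts, validated = detect(SAMPLE_LOG)
    for ip, label in verdicts.items():
        print(f"{ip:15} {label}")
    print("accounts to remediate (force reset / step-up):", validated)
```

Per-IP aggregation is the simplest cut; real stuffing is spread across proxies, so in production also compute the same distinct-username ratio per time window across all sources, and feed the validated list into forced password resets or mandatory step-up rather than just a report.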
- myNetWatchman Cybersecurity Glossary
Whether you're a professional, a business owner or an end user, here are common cybersecurity terms you should know.

2FA: Two-factor authentication. An authentication process in which the user must provide more than one type of evidence (factor) to verify their identity. For example, after entering a username and password (one factor), they are prompted for a code (second factor) received via email or text message. A two-step form of MFA.

Account: An online profile associated with a username that allows a user to conduct transactions and a service provider (e.g. a streaming service or online retailer) to manage the user's experience. For example, you may have an online bank account, an account at a retailer like Amazon, an account at a streaming provider like Netflix, and so on.

Actor, bad actor, criminal actor: The person or entity doing an action or activity. In computing, "actor" is used because it can represent an unknown person (a criminal actor), an organization or a computer process. In cybersecurity it is often used interchangeably with miscreant, criminal and fraudster.
- myNetWatchman Releases Study on Credential and Password Reuse
Consumers are frequently reusing passwords and credentials, according to a myNetWatchman review of criminal breach activity. myNetWatchman data shows that criminals successfully used 68 million credentials (usernames and passwords) to access consumer accounts. Consumers re-used those credentials for multiple accounts, and more than 8 million were found by criminals to be valid (successful) at more than one site. Others report that 23 percent of all logins are ATO attempts, that more than half of consumers reuse at least one password, and that the average direct financial cost of ATO to an organization is nearly $300 per account. The widespread availability of consumer credentials from data breaches, combined with consumers’ tendency to reuse passwords across multiple sites and logins, leaves organizations exposed to credential stuffing attacks. myNetWatchman’s Credential and Password Reuse study leverages insights from our proprietary data, which captures fraudster use of over 15 million new credentials per day, combined with public data sources and findings related to account takeover (ATO) and password reuse. Just as a bad actor will test compromised payment card numbers to see which are active and then use those cards to make fraudulent purchases, a bad actor will use a botnet to test a trove of username and password combinations across many sites to see where the same credential pair is also used. While we know that passwords are inherently insecure, organizations must be careful about the level of friction presented at the login event, considering how and when step-up authentication is required for account access. Like fraud prevention at the transaction event, this must strike a balance between risk mitigation and user experience, relying on risk signals to determine when more friction is warranted. Credential stuffing is the path of least resistance for ATO attacks, and simply put, ATO events are damaging and expensive.
myNetWatchman’s study on Credential and Password Reuse discusses the data and trends around credential stuffing, how to detect these attacks and considerations around balancing ATO protection and user experience. Download this free white paper to learn more.
- myNetWatchman’s AllCreds and Active Directory Audit Helps Organizations Prevent Use of Stolen Credentials Like Those Targeting Snowflake Accounts
In June, cloud services provider Snowflake, along with Mandiant, a cyber security firm, notified at least 165 Snowflake clients about potential account compromises. Data breaches at Santander Bank, Ticketmaster and QuoteWizard were linked to the Snowflake cloud storage and analytics accounts these organizations hold, as reported by Wired and Verge. Bad actors used credential stuffing with stolen employee credentials to access the Snowflake accounts of these companies and steal their customer data. Snowflake has numerous clients and holds a large amount of PII data for those clients. Snowflake clients were likely not even aware these attacks were occurring. And Snowflake is only one of many third party providers in this space. It’s becoming more common for companies to use third parties like Snowflake to hold sensitive data, which increases the need to expand your visibility into where you may be vulnerable to account takeover. Mandiant traced the issue to a hacker group leveraging stolen credentials, some going as far back as 2020, from infostealer malware. While this cyber attack has primarily been referred to as the Snowflake data breach in the media, it would be more accurately described as a credential stuffing attack targeting companies using Snowflake, using credential pairs compromised by malware. This is typical of credential stuffing attacks. Our web monitoring service alerts our clients to their exposure from over 50 million credential stuffing attacks a day, across thousands of companies, with over 50 attacks each day impacting 1m or more accounts. Bad actors capitalize on poor password hygiene and frequent credential and password reuse among users, using systematic credential stuffing attacks to test passwords compromised by malware or a third-party data breach across other systems where these compromised credential pairs may also be used.
Business user accounts get compromised, just like consumer accounts, and many of these account holders reuse their passwords if not full credential pairs. Organizations need to ensure their employees, vendors and contractors are not using compromised credentials, as they can be used to access business services (as in the case of credential stuffing targeting Snowflake accounts) and sensitive data. AllCreds is myNetWatchman’s compromised credential screening service. This service can be applied at account creation, but in the wake of attacks like those targeting Snowflake accounts, it should be used to identify compromised credentials in an organization’s Active Directory. We call this AD Audit. AllCreds screens the credentials of all users and identifies which are known to be compromised. Those flagged as compromised should then be required to change their passwords, preventing account takeover via use of the stolen credentials, similar to what Ticketmaster and others experienced with their Snowflake accounts. myNetWatchman is trusted by top firms around the world to help detect, prevent and recover from compromised credentials. It doesn’t matter how they were compromised or that the password is used across multiple accounts or services for a given user – when compromised credential pairs are presented, it is up to the organization seeing the credential stuffing attack or account takeover (ATO) attempt to stop unauthorized account access. Here’s how we help: myNetWatchman’s credential web monitoring service: Benefit from myNetWatchman’s ten-plus years of live data surveillance, a proprietary and constantly growing data set of over 30 billion exposed credential pairs, and a network of 550 million protected users. Leveraging live surveillance, myNetWatchman alerts clients to bad actors’ activity targeting your company or domains, including where your clients log in or access your services.
Know whether it’s an isolated credential stuffing or ATO attack targeting one client’s account login page, or a widespread attack targeting many clients across the various URLs and pages where they authenticate to access your services. AllCreds is myNetWatchman’s compromised credential screening service. Risk and reputation scoring is provided on specific users (customers or employees) based on whether we see their credential pairs implicated in data breaches or successfully used by bad actors on other sites. Companies use these insights to strategically present forms of step-up authentication or to require password resets. Chances are that compromised credential pairs will be used or tested elsewhere before they are attempted against your users or site. myNetWatchman brings this information to light so you can act accordingly. Not just compromised passwords, but credential pairs. Not just credentials that have been breached, but ones that are actively being used. About myNetWatchman – Georgia-based myNetWatchman has been providing cyber fraud intelligence data for more than 20 years to retailers, financial services, insurance, and other industries. With over 10 years of live data surveillance, the company manages a continuously growing data repository containing over 30 billion exposed credential pairs and protects over 550 million users for its clients.
- PrincipleLogic finds mNW's Active Directory Audit revealing and enlightening
Kevin Beaver, Cybersecurity Consultant at PrincipleLogic, recently added myNetWatchman’s Active Directory Audit tool from our Compromised Credential Screening solution to his vulnerability and penetration testing toolset, and he says it "can pay huge dividends." The Active Directory Audit tool helps clients, consultants and security professionals review employee accounts in Active Directory to identify any that have compromised credentials (username and password). Fast and easy to use, the tool helps companies speed up the detection of compromised credentials to prevent account takeover risk and attacks that could lead to data loss or infection with malware like ransomware. Check out his post Find at-risk internal user accounts with myNetWatchman’s Active Directory Audit tool for the full story on how he used it to find holes in his customers' password security. He found Active Directory Audit "both revealing and enlightening" - you can too.
- Using AllCreds to Successfully Prevent Account Takeover from Compromised Credentials, a myNetWatchman Client Case Study
myNetWatchman analyzed the 48 million credentials and 533,000 successful account takeovers from a large-scale credential stuffing attack against our repository of over 30 billion compromised credential pairs. This analysis was performed after the fact, but had myNetWatchman’s AllCreds service been applied proactively, 91 percent of the account takeovers could have been stopped, as they used credential pairs we had previously identified as compromised. In this comprehensive case study, myNetWatchman analyzed data from a credential stuffing attack against a client that spanned four months and used nearly 48 million compromised credential pairs. This large-scale attack took place in early 2024 against an omni-channel retailer with a large, global online sales presence, referred to as “Company M.” Company M faced a threat many online organizations see frequently: credential stuffing attacks. Many consumers have poor password hygiene, reusing passwords or credential pairs and making it easier for criminal actors to find success with account takeover attacks through credential stuffing. Credential stuffing involves systematically testing lists of compromised credential pairs, which are abundant because data breaches occur frequently and are often large. The credential stuffing attack against Company M exemplified the severity of poor consumer password hygiene. Out of tens of millions of unique credential pairs tested, over half a million customer accounts were successfully accessed — a 1.13 percent success rate. The overall success rate, including repeated attempts, was 1.7 percent. myNetWatchman’s analysis of the compromised credentials used against Company M found that more than nine-tenths of the successful logins involved credential pairs that had previously been tested on other sites.
Leveraging myNetWatchman’s live data surveillance and proprietary data repository of over 30 billion exposed credentials, our analysis showed that the compromised credentials presented at Company M’s site had been used or tested across thousands of other websites first. Using AllCreds as a preventive tool at login and password change, to require customer step-up authentication and a password change when credentials become compromised, would have prevented 91% of the bad actors’ successful logins. With AllCreds, organizations can fight poor password hygiene and credential stuffing attacks by knowing not only if the presented credentials are compromised, but if they are actively being tested. This allows for strategic use of step-up authentication, such as two-factor authentication (2FA) or requiring a password change, while maintaining a seamless user experience for legitimate users.