What Credential Stuffing is and how to protect yourself

Some 500 million Zoom accounts were put up for sale on the dark web thanks to "credential stuffing".

It is one of the most common ways for criminals to get into online accounts. Here is what the term means and how you can protect yourself.

It starts with leaked password databases

Attacks on online services are common. Criminals often exploit security flaws in systems to obtain databases of usernames and passwords. These databases of stolen login credentials are then sold on the dark web, with other criminals paying in Bitcoin for the privilege of accessing them.

Let's say you had an account on the Avast forum, which was breached in 2014. The criminals now have the username and password you used for the Avast forum. Avast asked you to change your forum password, so what's the problem?

Unfortunately, the problem is not limited to that one forum. Suppose your login details for the Avast forum were "you@example.com" and "gamatoPassword". If you use the same username (your email address) and the same password on other sites, any criminal who obtains the leaked credentials can log in to those other accounts as well.

Credential stuffing in action

"Credential stuffing" is the use of these leaked credential databases to attempt logins on other Internet services.

Criminals obtain large databases of leaked username and password combinations, often millions of login credentials, and try them against other sites. Many people reuse the same password on multiple sites, so some of the combinations will work. The process is automated with software that quickly tests a huge number of login combinations.

In other words, the "hackers" stuff all of these login credentials into a login form and see what happens. Some of them are bound to work.

This is one of the most common ways accounts are hacked these days. In 2018 alone, the Akamai content delivery network recorded approximately 30 billion credential stuffing attempts.

How to protect yourself

Protecting yourself from credential stuffing is very simple: follow the same password practices that security experts have been recommending for years. There is no magic solution, just good passwords:

  • Avoid reusing passwords: Use a unique password for each account you have online. That way, even if one of your passwords leaks, it cannot be used to log in to other sites. Intruders may stuff your leaked credentials into other login forms, but they will not work.
  • Use a password manager: Remembering strong, unique passwords is almost impossible if you have accounts on many sites, and almost everyone does. We recommend a password manager such as KeePass, which will "remember" the passwords for you.
  • Enable two-factor authentication: With two-factor authentication you must provide something extra, such as a code generated by an app or sent to you via SMS, each time you log in to a website. Even if an attacker has your username and password, they cannot log in to your account without this second factor. An app-generated code is preferable to SMS where the service offers it.
  • Get notified in the event of a data leak: With a service like Have I Been Pwned? you can receive an alert when your credentials appear in a leak.

How services can protect against credential stuffing

There are several ways for online services to defend themselves against credential stuffing attacks.

  • Scan leaked databases for their users' passwords: Facebook and Netflix scan leaked databases for credentials that also work on their own services. If there is a match, Facebook or Netflix ask the affected user to change their password.
  • Offer two-factor authentication: Users should be able to turn on two-factor authentication to secure their accounts. Particularly sensitive services can make it mandatory.
  • Require a CAPTCHA: If a login attempt looks suspicious, the service can require the user to type the code shown in an image or to complete another challenge, to verify that a person, not a bot, is trying to log in.
  • Limit repeated login attempts: Services should block bots from making a large number of login attempts in a short period of time. Note that sophisticated bots spread their attempts across many IP addresses at once to disguise the activity, so limits per IP address alone are not enough; the number of failed attempts per account and the number of distinct accounts tried from one source should be watched as well.
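The two server-side measures above, screening a leaked dump against the service's own accounts and spotting a source that tries many different usernames with mostly failed logins, can be sketched in a few lines. The example below is added here and is not code from the original article or from any of the services it names; the log format, thresholds, account data and leaked dump are all constructed for the demonstration, and the password hash is a plain salted SHA-256 only to keep the example self-contained (a real service would use bcrypt, scrypt or Argon2).

```python
import hashlib
import hmac
import os
import re
from collections import defaultdict

# Assumed log line format (constructed for this example, not a real product's format).
LOG_RE = re.compile(r"ip=(?P<ip>\S+) user=(?P<user>\S+) result=(?P<result>ok|fail)")

# Constructed sample login events. 203.0.113.0/24 and 198.51.100.0/24 are documentation ranges.
SAMPLE_LOG = """\
2024-05-01T10:00:01Z ip=203.0.113.7 user=alice@example.com result=fail
2024-05-01T10:00:01Z ip=203.0.113.7 user=bob@example.com result=fail
2024-05-01T10:00:02Z ip=203.0.113.7 user=carol@example.com result=ok
2024-05-01T10:00:02Z ip=203.0.113.7 user=dave@example.com result=fail
2024-05-01T10:00:03Z ip=203.0.113.7 user=erin@example.com result=fail
2024-05-01T10:00:03Z ip=203.0.113.7 user=frank@example.com result=fail
2024-05-01T10:00:10Z ip=198.51.100.4 user=alice@example.com result=fail
2024-05-01T10:00:15Z ip=198.51.100.4 user=alice@example.com result=ok
2024-05-01T10:01:00Z ip=198.51.100.9 user=bob@example.com result=ok
"""


def summarize_by_ip(log_text):
    """Aggregate login events per source IP: total attempts, distinct usernames, failures."""
    stats = defaultdict(lambda: {"attempts": 0, "users": set(), "fail": 0})
    for line in log_text.splitlines():
        m = LOG_RE.search(line)
        if not m:
            continue  # not a login event, ignore
        s = stats[m["ip"]]
        s["attempts"] += 1
        s["users"].add(m["user"])
        if m["result"] == "fail":
            s["fail"] += 1
    return stats


def flag_stuffing_sources(log_text, min_users=5, min_fail_ratio=0.6):
    """Return IPs whose pattern looks like credential stuffing: many *different*
    usernames tried from one source, mostly failing. A single user who mistypes
    their own password (one username, a couple of attempts) is not flagged."""
    flagged = {}
    for ip, s in summarize_by_ip(log_text).items():
        fail_ratio = s["fail"] / s["attempts"]
        if len(s["users"]) >= min_users and fail_ratio >= min_fail_ratio:
            flagged[ip] = {
                "attempts": s["attempts"],
                "distinct_users": len(s["users"]),
                "fail_ratio": round(fail_ratio, 2),
            }
    return flagged


def hash_password(password, salt):
    # Demo only: salted SHA-256 keeps the example dependency-free; use a slow hash in production.
    return hashlib.sha256(salt + password.encode()).hexdigest()


def make_user_db(plain_accounts):
    """Build a mock service database mapping user -> (salt, hash) from constructed plaintext accounts."""
    db = {}
    for user, pw in plain_accounts.items():
        salt = os.urandom(16)
        db[user] = (salt, hash_password(pw, salt))
    return db


def users_to_reset(user_db, leaked_credentials):
    """Screen a third-party dump against our own accounts: hash each leaked
    plaintext with that user's own salt and compare with the stored hash.
    Users whose leaked password also works here must be asked to reset it."""
    hits = []
    for user, leaked_pw in leaked_credentials:
        if user not in user_db:
            continue  # account does not exist on this service
        salt, stored = user_db[user]
        if hmac.compare_digest(hash_password(leaked_pw, salt), stored):
            hits.append(user)
    return hits


# Constructed data: the service's own accounts and a dump leaked from some other site.
SERVICE_ACCOUNTS = {
    "alice@example.com": "correct horse battery",
    "bob@example.com": "gamatoPassword",       # reused the password from the breached forum
    "carol@example.com": "Tr0ub4dor&3",
}
LEAKED_DUMP = [
    ("bob@example.com", "gamatoPassword"),     # same password on both sites: must reset
    ("carol@example.com", "otherSitePw"),      # different password here: no action needed
    ("zed@example.com", "zzz"),                # not a user of this service
]
USER_DB = make_user_db(SERVICE_ACCOUNTS)

if __name__ == "__main__":
    print("suspected stuffing sources:", flag_stuffing_sources(SAMPLE_LOG))
    print("users who must reset their password:", users_to_reset(USER_DB, LEAKED_DUMP))
```

In the sample data only 203.0.113.7 is flagged: six different usernames with five failures. The source 198.51.100.4 fails once and then succeeds for a single account, which is what a legitimate user looks like, so a rule that only counted failures per IP would be too coarse. The dump screening only flags bob@example.com, the one account whose leaked password is also valid on this service.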

Bad password practices and, to be fair, insecure systems make accounts very easy to break into. So it is no wonder that many companies in the technology industry want to build more secure systems that do away with passwords altogether.

iGuRu.gr
Written by Anastasis Vasileiadis