Password Reuse & Credential Stuffing

I recently did an interview with @campuscodi of ZDNet that can be read here: Disqus & Kickstarter hacker warns against password reuse. There are a few things I want to expand on that weren’t fully covered, and I want to give a couple of scenarios. It seems like such an obvious and basic security practice to never reuse passwords. I’m sure most of us have that one password we use on websites we don’t really care about. I’m talking about the Netflix password we might share with friends and family, a food delivery service, or some forum or game you forgot you signed up for. These websites and databases get breached daily. If you take a look at HaveIBeenPwned you will probably notice that your e-mail address or username is in multiple databases that have been hacked.


Scenario: You’re an employee at a company that a hacker is targeting.

I want to preface this by saying this is strictly a scenario using breached databases and the reuse of passwords. The first thing a hacker would do is gather as much intel as possible about the employee. We’re only going to use three criteria: name, username, and e-mail address. Once those are collected, it’s as simple as searching those three fields on a website to find every username and e-mail address you’ve ever used, along with every known password. From there we would credential stuff any website that could possibly give us more info: a Dropbox account, a project management system, a ticket-based system, or any account that would have your phone number attached. Without giving a complete blueprint, there are only a couple more steps to successfully infiltrate or breach the company the hacker was targeting. This is why it is absolutely essential not to reuse passwords and not to use a common pattern across your passwords.
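One defensive control that follows from this scenario is to refuse any password that already appears in a breach corpus. The example below is added here and is not the author’s code: it checks a candidate password against the Have I Been Pwned Pwned Passwords range API using k-anonymity, so only the first five characters of the SHA-1 hash ever leave the host. The API URL and the `SUFFIX:COUNT` response format are the documented ones; the sample response and its counts are constructed so the check can run offline.

```python
import hashlib
import urllib.request

# Documented Pwned Passwords range endpoint: GET /range/<first 5 hex chars of SHA-1>
PWNED_RANGE_URL = "https://api.pwnedpasswords.com/range/"


def sha1_prefix_suffix(password: str):
    """Split the uppercase SHA-1 of the password into (5-char prefix, 35-char suffix).
    Only the prefix is sent to the API; the suffix is compared locally."""
    digest = hashlib.sha1(password.encode("utf-8")).hexdigest().upper()
    return digest[:5], digest[5:]


def parse_range_response(body: str, suffix: str) -> int:
    """Scan a range response ("SUFFIX:COUNT" per line, CRLF separated) and return
    how many times the given suffix was seen in breaches; 0 means not found."""
    for line in body.splitlines():
        line = line.strip()
        if ":" not in line:
            continue  # skip blank or malformed lines
        candidate, count = line.split(":", 1)
        if candidate.upper() == suffix:
            return int(count)
    return 0


def fetch_range(prefix: str, timeout: float = 5.0) -> str:
    """Live network call to the range API (not exercised by the offline test)."""
    req = urllib.request.Request(
        PWNED_RANGE_URL + prefix, headers={"User-Agent": "password-reuse-check-example"}
    )
    with urllib.request.urlopen(req, timeout=timeout) as resp:
        return resp.read().decode("utf-8")


def pwned_count(password: str, fetch=fetch_range) -> int:
    """Return the breach count for a password; `fetch` is injectable for testing."""
    prefix, suffix = sha1_prefix_suffix(password)
    return parse_range_response(fetch(prefix), suffix)


# Constructed sample response for the "5BAA6" range (the prefix of SHA-1("password")).
# The suffixes other than the real one, and all counts, are made up for this example.
SAMPLE_RESPONSE = "\r\n".join([
    "003D68EB55068C33ACE09247EE4C639306BA:3",
    "1E4C9B93F3F0682250B6CF8331B7EE68FD8:1234567",
    "2F13E5A4F6A0E5D2B9C1D3E4F5A6B7C8D9E:1",
])

if __name__ == "__main__":
    print("password seen", pwned_count("password", fetch=lambda p: SAMPLE_RESPONSE), "times")
```

In a real signup or password-change flow, reject the password when `pwned_count` is greater than zero, and treat a failed API call as "unknown" rather than "safe".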

And then there’s 2FA, which might seem secure, but you’re still at risk of having your SIM hijacked. While I don’t think there’s much you can do to prevent this against an experienced social engineer, it’s still an extra layer of protection that I would highly recommend.
