Password and username re-use is major threat to enterprise security.
That's according to a recent study by Digital Shadows, a digital risk management company, which unveiled research into some of the main techniques cyber criminals are using to target companies, using stolen credentials that companies re-use across a variety of sites and online forums.
The report also outlines what measures organisations can implement to protect against such attacks.
It reveals cyber criminals are increasingly turning to credential stuffing tools to automate attempts at account takeover.
Digital Shadows says this is a type of brute force attack, whereby large sets of credentials are automatically inserted into login pages until a match with an existing account is found. Based on configurations, the most common targets for these attacks are the gaming, technology, broadcasting and retail sectors, it explains.
Last year, Digital Shadows found 97% of businesses in the 'Forbes 1000' had their valuable credentials exposed, usually by employees using the same details across multiple sites and platforms. Now, criminals are recognising that employees often have poor username and password discipline, and use these in mass automated credential stuffing attacks aiming to gain access to corporate networks.
"Many organisations are suffering breach fatigue due to the huge numbers of credentials exposed via not only high-profile incidents like those suffered by Myspace, LinkedIn and Dropbox, but also from tens of thousands of smaller breaches," says Rick Holland, VP for strategy at Digital Shadows.
"But, it is critical that businesses arm themselves with the necessary intelligence and insight to manage their digital risk and prevent this problem credential exposure from escalating into an even more severe problem."
The report also suggests while multi-factor authentication can help to protect organisations and their customers from account takeovers, it cannot be seen as a silver bullet to solve the problem of account takeovers.
"Enterprises, and the companies that work for and with them, need to be better prepared for this sort of brute force attack," adds Holland.
Share