Greetings from Brussels!
There have been multiple examples of "credential stuffing" referenced in the media lately. For those unfamiliar with the term, credential stuffing is the automated replay of username/password pairs taken from earlier breaches or credential dumps against the login pages of other web services, in order to take over any account whose owner reused the same combination.
Transport for London recently experienced such an attack, which resulted in its online Oyster smartcard system being pulled offline for two days; customers were unable to access their accounts to check their balance or to top up their travel cards. TfL initially cited "performance-based issues" before clarifying that its system had been compromised.
According to TfL, a small number of accounts were accessed “after their login credentials were compromised when using non-TfL websites.” In other words, the intruders got into those customers' Oyster accounts because the customers had used the same email address and password combination on one or more other websites that had been hacked. It emerged later that only 1,200 customers were affected by the breach. TfL has stated that no customer payment details were accessed and that ultimately its network was not compromised, which is the defining feature of credential stuffing: the attacker logs in with valid credentials rather than exploiting a flaw in the target. However, 6 million online users were also affected by the disruption to the online service. That is not a small issue; customer care must have been inundated with commuter complaints. TfL said it was in touch with the National Cyber Security Centre, as well as the ICO.
The Daily Dashboard recently reported on a separate credential stuffing incident at U.S.-based State Farm Insurance. This is perhaps more alarming, as it involves an insurance company. Here, too, no fraudulent activity was detected in the affected accounts.
This technique is on the rise, and the sheer volume of credentials extracted over recent years through any number of breaches means that digital services are increasingly at risk from credential stuffing: arguably a relatively simplistic way to compromise user accounts. For such a simple technique, credential stuffing is frustratingly difficult to combat, because every attempt looks like an ordinary login with a valid username and password, and no single request reveals whether the person behind it is the account owner. Moreover, the key culprit, or willing accessory if you like, in this stuffing debacle is really "ourselves"; it is simply human weakness to reuse the same login and password across multiple accounts. The best way to protect against credential stuffing attacks is to use a unique password for each of your digital accounts. In practice this is far easier with a password manager, combined with two-factor authentication when available, since a second factor stops a leaked password from being sufficient on its own. I also refer to my notes back in June when I discussed the newly expected privacy features of “Sign in with Apple” under iOS 13, which will include randomly generated email address IDs for the purpose of logins.
The dangers of credential stuffing are not restricted to someone obtaining access to your online accounts and the personal or confidential financial data held in them. A successful login can also be a foothold: the same reused password may open your devices and any shared networks, and the compromised account can be used for other nefarious purposes and transactions with far-reaching consequences. And while companies are constantly improving their detection and blocking of credential stuffing attempts, there is no foolproof way of defending against such attacks. The onus is largely on the user to think smart and own their privacy controls.
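To make the "detection and blocking" side concrete, here is an added example (not code from the original post, nor anything used by TfL or State Farm) that scans an authentication log for the signature credential stuffing leaves behind: one source failing against many different accounts, roughly one attempt per account, with the occasional success where a password was reused. Brute force looks different (many attempts on one or two accounts), and a normal user fails once or twice and then gets in. The log format (one `ts ip=... user=... result=OK|FAIL` line per attempt), the sample lines and every threshold are assumptions chosen for illustration.

```python
"""Flag credential-stuffing sources in an authentication log.

Added example, not code from the original post, TfL or State Farm.
The log format and all thresholds below are assumptions for illustration.
"""
from __future__ import annotations

from collections import defaultdict
from dataclasses import dataclass, field

# Constructed sample log: one source replaying a breach dump against many
# accounts (one hit), one source hammering a single account, one normal user.
SAMPLE_LOG = """\
2019-08-20T08:00:01Z ip=203.0.113.10 user=alice@example.com result=FAIL
2019-08-20T08:00:01Z ip=203.0.113.10 user=bob@example.com result=FAIL
2019-08-20T08:00:02Z ip=203.0.113.10 user=carol@example.com result=FAIL
2019-08-20T08:00:02Z ip=203.0.113.10 user=dan@example.com result=FAIL
2019-08-20T08:00:03Z ip=203.0.113.10 user=erin@example.com result=FAIL
2019-08-20T08:00:03Z ip=203.0.113.10 user=frank@example.com result=OK
2019-08-20T08:01:00Z ip=198.51.100.7 user=carol@example.com result=FAIL
2019-08-20T08:01:01Z ip=198.51.100.7 user=carol@example.com result=FAIL
2019-08-20T08:01:02Z ip=198.51.100.7 user=carol@example.com result=FAIL
2019-08-20T08:01:03Z ip=198.51.100.7 user=carol@example.com result=FAIL
2019-08-20T08:01:04Z ip=198.51.100.7 user=carol@example.com result=FAIL
2019-08-20T08:05:00Z ip=192.0.2.5 user=dan@example.com result=FAIL
2019-08-20T08:05:09Z ip=192.0.2.5 user=dan@example.com result=OK
"""

# Assumed thresholds; tune against the service's real traffic before relying on them.
MIN_ATTEMPTS = 5           # too little traffic to judge below this
HIGH_FAIL_RATE = 0.8       # stuffing and brute force both fail most of the time
STUFFING_MIN_USERS = 5     # stuffing spreads attempts across many accounts ...
STUFFING_SPREAD = 0.8      # ... with roughly one attempt per account
BRUTE_FORCE_MAX_USERS = 2  # brute force concentrates on one or two accounts


@dataclass
class SourceStats:
    attempts: int = 0
    failures: int = 0
    users: set[str] = field(default_factory=set)
    successes: set[str] = field(default_factory=set)  # accounts logged in OK


def parse_line(line: str) -> dict[str, str]:
    """Split 'ts k=v k=v ...' into a dict; the timestamp is kept under 'ts'."""
    ts, *fields = line.split()
    rec = {"ts": ts}
    for token in fields:
        key, _, value = token.partition("=")
        rec[key] = value
    return rec


def summarize(log_text: str) -> dict[str, SourceStats]:
    """Aggregate attempts, failures and distinct accounts per source IP."""
    stats: dict[str, SourceStats] = defaultdict(SourceStats)
    for line in log_text.splitlines():
        if not line.strip():
            continue
        rec = parse_line(line)
        s = stats[rec["ip"]]
        s.attempts += 1
        s.users.add(rec["user"])
        if rec["result"] == "OK":
            s.successes.add(rec["user"])
        else:
            s.failures += 1
    return dict(stats)


def classify(s: SourceStats) -> str:
    """Label a source: the spread of attempts across accounts is the key signal.
    Stuffing tries each leaked pair about once (users/attempts near 1);
    brute force tries many passwords for the same user."""
    if s.attempts < MIN_ATTEMPTS:
        return "benign"
    fail_rate = s.failures / s.attempts
    spread = len(s.users) / s.attempts
    if fail_rate < HIGH_FAIL_RATE:
        return "benign"
    if len(s.users) >= STUFFING_MIN_USERS and spread >= STUFFING_SPREAD:
        return "credential_stuffing"
    if len(s.users) <= BRUTE_FORCE_MAX_USERS:
        return "brute_force"
    return "benign"


def detect(log_text: str) -> dict[str, str]:
    """Map each source IP in the log to its label."""
    return {ip: classify(s) for ip, s in summarize(log_text).items()}


def accounts_hit_by_stuffing(log_text: str) -> set[str]:
    """Accounts that logged in successfully from a stuffing source: the few
    reused passwords hidden in a flood of failures, and the ones to force-reset."""
    return {user
            for s in summarize(log_text).values()
            if classify(s) == "credential_stuffing"
            for user in s.successes}


if __name__ == "__main__":
    for ip, label in detect(SAMPLE_LOG).items():
        print(f"{ip:15} {label}")
    print("force password reset for:", sorted(accounts_hit_by_stuffing(SAMPLE_LOG)))
```

Two caveats a practitioner would add: real stuffing campaigns spread their attempts across large proxy pools, so a per-IP view alone misses much of the traffic and the same ratios should also be computed per user-agent, per ASN or per time window; and the successes, not the failures, are the incident (the "small number of accounts accessed"), so the useful output is the list of accounts to lock and reset, not just the blocked sources.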