The frequency of credential dumps popping up for sale (or even for free at times) has increased at an alarming rate over the last few years. These dumps pose such a great threat to security because of a technique known as "credential stuffing", in which cybercriminals take a list of leaked credentials and, through an automated process, try every username and password in it against a large number of different website logins. A recent security.org study showed that 72% of users recycle their passwords in various places, up to 4 times or more each. When you consider that figure alongside the fact that this year alone one particular series of 5 password dumps contained approximately 2.2 billion usernames and passwords between them, the number of vulnerable or insecure accounts out there waiting to be compromised is absolutely staggering.
I recently had a friend post on social media looking for suggestions because she thought her Instagram account was being, or had been, hacked. Since I work in the cybersecurity industry, I immediately messaged her to begin investigating what signs she had that her account might be compromised. She told me that she’d received an e-mail from Instagram informing her that they had received an attempt to log into her account from a device which had never logged into it before, and asking her to authorize that login. I explained to her that, as this e-mail was a request to authorize a login in which the password had already been accepted, this was likely an incident of credential stuffing. I applauded her for having MFA enabled on her account, as without it she would have had a much bigger headache on her hands (she wouldn’t have received this particular e-mail if they didn’t have the correct username / password). I further advised that she change not only the password for her Instagram account, but also for any other logins which shared the same password, using unique passwords for each account (managed by a password manager) and, if possible, review the “active sessions” within those services for anything that looked suspicious.
This is one of a handful of reasons that MFA (“multi-factor authentication”) is crucial. MFA is the idea of adding another layer of security to ensure that you, and only you, are able to log into an account. It typically involves either sending a code to your cell phone number (or an app on your phone) which you have to input, or some sort of biometric data, after you input your password. Examples of the most common “factors” are:
Something you know:
- Password
Something you have:
- Cell phone
- E-mail account
- Other physical peripheral device
Something you are:
- Facial pattern
- Retinal scan
Now, MFA is something that has been around in certain use cases for many years. I remember as a kid, my father had a small device on his keychain called an “RSA SecurID” which had a simple LCD screen displaying a 6-digit number that changed every 60 seconds. Any time he wanted to connect to his company’s network over the public internet, he was prompted to enter that number after his username / password. Today, MFA is becoming an option in more and more online consumer services in some form or another, and I strongly advise leveraging that option whenever possible.
To look through a list of online providers in various categories and see whether or not they offer MFA, you can visit https://twofactorauth.org.