How Cybercriminals Abuse OpenBullet for Credential Stuffing

Cedric Pernet, Fyodor Yarochkin, and Vladimir Kropotov write: … The trend for access-related cybercrime, such as credential stuffing, is steadily rising with no sign of slowing down. According to an Akamai report, there has been a total of 88 billion credential stuffing attacks from January 2018 to December 2019. Credential stuffing, a type of brute-force attack that makes use of botnets to access websites and online services using stolen credentials, allows financially motivated actors to gain unfettered access to victims’ bank accounts and sensitive information. Cybercriminals also profit from stolen credentials by selling them in underground forums and markets. As the business of acquiring unique credentials continues to become more lucrative, cybercriminals are enriching their attack tools and techniques by abusing legitimate software for nefarious purposes. Read more on Trend Micro.

FR: CNIL Fines a Data Controller and Its Processor 225,000 Euros for Security Violation in Connection with Credential Stuffing

Hunton Andrews Kurth writes: On January 27, 2021, the French Data Protection Authority (the “CNIL”) announced (in French) that it imposed a fine of €150,000 on a data controller, and a fine of €75,000 on its data processor, for failure to implement adequate security measures to protect customers’ personal data against credential stuffing attacks on the website of the data controller. The CNIL decided not to make its decisions public, thereby not disclosing the name of the companies sanctioned. Read more on Privacy & Information Security Law Blog.

Over 300K Spotify accounts hacked in credential stuffing attack

Lawrence Abrams reports: Hackers have been attempting to gain access to Spotify accounts using a database of 380 million records with login credentials and personal information collected from various sources. For years, users have complained that their Spotify accounts were hacked after passwords were changed, new playlists would appear in their profiles, or their family accounts had strangers added from other countries. Read more on BleepingComputer.

UK: Tesco issues 600,000 new Clubcards after credential stuffing attack

Kalila Sangster reports: Tesco (TSCO.L) is issuing new cards to 600,000 Clubcard account holders after discovering a security breach. The supermarket said some customers may have fallen victim to online fraud after a database of stolen usernames and passwords from other platforms had been tried out on its website. The use of the stolen data may have been successful in redeeming Clubcard vouchers in some cases, according to the retailer. Read more on Yahoo!

And no, don’t blame Tesco for this, although perhaps we should ask after how many attempts they lock an attempter out. But ultimately, this is due to people reusing login credentials across sites. Sometimes, we really have to take some responsibility for making it too easy for attackers.

Tax Returns Exposed in TurboTax Credential Stuffing Attacks

Sergiu Gatlan reports: Financial software company Intuit discovered that tax return info was accessed by an unauthorized party after an undisclosed number of TurboTax tax preparation software accounts were breached in a credential stuffing attack. A credential stuffing attack is when attackers compile usernames and passwords that were leaked from previous security breaches and use those credentials to try and gain access to accounts at other sites. This type of attack works particularly well against users who use the same password at every site. Read more on BleepingComputer.

It’s 2019. Why is this still a thing? Here is Intuit’s notification to Vermont: