Hackers are conducting "credential-stuffing" attacks on Americans over 87 million times every day, according to a blog post by a U.S-based VPN provider.
Atlas VPN (opens in new tab) distilled data from publicly available studies summarizing research by security firms Akamai (opens in new tab) and F5 (opens in new tab). The two security firms found that credential-stuffing attacks are quickly growing in the U.S., with 3.6 million taking place every hour.
Atlas VPN says that credential stuffing is the rise due to the high number of data breaches in the past few years.
- Best VPN: pick the ideal provider for privacy and geo-spoofing
- Antivirus: stay protected when online with the best software
- Just in: Windows 10 May update lets you remove its most annoying feature
Credential stuffing -- which represents 44% of all financial-services attacks -- are when cybercriminals systematically try to gain access to personal or company accounts by using credentials stolen in past data breaches involving other accounts.
Credential stuffing works for one simple reason: because people reuse passwords. If you use strong, unique passwords for each and every online account, and keep track of them with one of the best password managers or other method, then credential stuffing will not be a problem for you.
Victims of successful credential-stuffing attacks can not only experience financial loss, but if the hacker gets hold of personal information, they can also fall victim to identity theft.
Between December 1, 2017 and November 30, 2018, Akamai observed nearly 64 billion attempted credential-stuffing attacks in the U.S. Presumably, most of them were not successful, but many were.
Countries such as India, China, Canada, the U.K., Brazil, the United Arab Emirates, Australia, Italy and Switzerland accounted for only 16.9 billion credit-stuffing attacks combined in that period, according to the Akamai report.
That's just 26.4% of the total number in the U.S., a discrepancy that Atlas VPN attributed to a higher number of leaked records in the U.S.
- Read more: Americans, keep your data safe with the best US VPN
Two-factor authentication could be the answer
Rachel Welch, COO of Atlas VPN, said: “Individuals that wish to protect themselves from credential-stuffing attacks should set up two-factor authentication [2FA] whenever possible."
“When hackers discuss credential stuffing attacks on the dark web, they often complain that two-factor authentication is the biggest roadblock to a successful cyber-attack.“
That's true, and we recommend turning on 2FA whenever possible as it helps protect your accounts from several different kinds of attacks. But not reusing passwords is even simpler, and will stop credential stuffing dead in its tracks.
Those sources included findings that online criminals often need automated credential checkers (costing $150) and network proxies ($250 per week) to help carry out these attacks, and that cyber criminals are selling hacked eBay, Amazon and PayPal accounts on the dark web for as little as $3.50, $2 and $1 respectively.
- Read more: Stay protected for less with the best cheap VPN