Account Takeovers are happening regularly on virtually any website with a login function.
Credential Stuffing and Card Cracking are amongst the most commonly used Account Takeover techniques, and each uses automated bots to gain brute-force entry to an account.
- Credential Stuffing attacks trawl lists of leaked usernames and passwords, using bots to continually test combinations on multiple sites until they are successful.
- Card Cracking attacks use automated bots to match leaked usernames and dictionaries of passwords until the code is cracked.
Usernames and passwords are acquired from mass data dumps that are readily accessible on the dark web. Each data dump can consist of millions of username and password combinations following years of data breaches carried out across multiple sites.
The challenge for businesses lies not only in the availability and low price point of data dumps, but also in consumer behaviour. With more passwords to keep track of, consumers frequently reuse login details across multiple sites and neglect password updates for years at a time.
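The two techniques in the list above leave different shapes in authentication logs: replayed leaked pairs touch many accounts once each, while a password dictionary hammers one username repeatedly. The following is an added example, not code from the original page, that labels each source by that shape; the event format, the per-IP grouping, the label names and the thresholds are all assumptions chosen for illustration.

```python
from collections import defaultdict

# Constructed sample events (not real logs): (source_ip, username, success)
SAMPLE_EVENTS = (
    # 203.0.113.7: one attempt each against many accounts, nearly all failing
    [("203.0.113.7", f"user{i}@example.com", i == 17) for i in range(40)]
    # 198.51.100.9: many passwords tried against a single account
    + [("198.51.100.9", "alice@example.com", False) for _ in range(30)]
    # 192.0.2.20: an ordinary user who mistypes once, then logs in
    + [("192.0.2.20", "bob@example.com", False),
       ("192.0.2.20", "bob@example.com", True)]
)

def classify_sources(events, min_attempts=20, min_fail_ratio=0.8):
    """Label each source IP by the shape of its login attempts.

    Thresholds are illustrative assumptions, not tuned values.
    """
    per_ip = defaultdict(lambda: {"total": 0, "fails": 0, "users": defaultdict(int)})
    for ip, user, ok in events:
        s = per_ip[ip]
        s["total"] += 1
        s["fails"] += 0 if ok else 1
        s["users"][user] += 1

    labels = {}
    for ip, s in per_ip.items():
        fail_ratio = s["fails"] / s["total"]
        # Low volume or mostly successful logins: treat as ordinary traffic
        if s["total"] < min_attempts or fail_ratio < min_fail_ratio:
            labels[ip] = "normal"
            continue
        distinct_ratio = len(s["users"]) / s["total"]
        heaviest = max(s["users"].values())
        if distinct_ratio >= 0.8:
            # Wide and shallow: leaked pairs replayed once per account
            labels[ip] = "credential_stuffing"
        elif heaviest >= min_attempts:
            # Narrow and deep: a password dictionary against one account
            labels[ip] = "dictionary_guessing"
        else:
            labels[ip] = "suspicious_mixed"
    return labels

if __name__ == "__main__":
    for ip, label in classify_sources(SAMPLE_EVENTS).items():
        print(ip, label)
```

Automated traffic is often spread across many source addresses, so in practice the same ratios would also be computed per device fingerprint, per network range or per target account rather than per IP alone.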