Someone logs in to a site or app, they have the right password but how can you tell if it's the real user or an attacker using a stolen password?
This is a question that we’ve spent almost 2 years talking about every day and recently it’s becoming a hot security topic with developers. If you haven’t come across this issue yet it‘s likely you will during 2017.
Verizon’s 2016 Data Breach report revealed that 63% of confirmed data breaches involved leveraging weak/default/stolen passwords.
Developers and operations teams are starting to worry about account security in their apps due to the enormous amount of usernames, emails, and passwords that have been hacked and dumped online. During 2016 there has been a 3x increase in these dumps, with numbers heading into the billions.
Just last week Yahoo! reported another 1 billion records were stolen. This is in addition to 500 million that were reported earlier in the year. Now, there are plenty of jokes going around questioning if Yahoo! even has 1.5 billion users, but this is serious stuff and it's fuelling another round of attacks.
Given that passwords are being dumped, the big problem here is not the strength of the password, but the fact that a large majority of people re-use passwords for multiple apps and services.
This behaviour makes it easy for attackers to take dumps of username/password combinations and automatically test them against popular or high value targets. Think about your email, online shopping accounts, business tools, or even your bank.
Once an account has been compromised the attacker may take advantage by stealing money, making purchases, or ransoming data. However a more common tactic is for the attacker to sell the verified username/password on the dark web. Confirmed account credentials tend to sell for a lot more than skimmed credit cards these days, and so attackers are following the money.
In the past it’s been common for app vendors to blame users for having weak passwords if an account is breached. However times are changing. It’s now accepted that developers need to do more to help users protect their accounts. It’s a win/win situation for both app vendors and their users with protection from data and financial loss.
Find out more about how to use ThisData APIs to detect account takeover and help users protect their accounts