Content delivery network Akamai is calling attention to a form of identity theft called “credential stuffing,” which impacted millions of subscription video, music, and gaming accounts in 2018. In credential stuffing, hackers use automated programs and stolen account information to attempt access to other online sites. The attacks can be successful when people use the same password for multiple accounts. Hackers often target streaming services during these attacks since breached accounts can be sold or used for video piracy.
According to Akamai’s research, three massive credential stuffing attacks on video services in 2018 occurred after data breaches. That shows hackers were testing stolen IDs before selling them. The three attacks ranged from 133 million to 200 million login attempts.
Akamai discovered video tutorials online that show novice hackers how to perform credential stuffing with step-by-step instructions. The U.S. is the leading country originating credential stuffing attacks, followed by Russia and Canada. For consumers, the best defense is ensuring they use different usernames and passwords for every account.
“Many accounts compromised via credential stuffing will sell for as little as $3.25 USD,” the report notes. “These accounts come with a warranty: If the credentials don’t work once sold, they can be replaced at no cost, which is a service sellers offer to encourage repeat purchases. The reason this service exists is that brands have become increasingly quick to detect compromised accounts and deactivate them.”
Akamai’s data comes from “State of the Internet/Security: Credential Stuffing: Attacks and Economies,” available for free download (no registration required).