Some home security camera owners have reported bizarre incidents, from a voice on their camera falsely warning of a missile attack to hackers talking to their child through their camera speaker. However, camera manufacturers insist their systems have not been compromised. So how are hackers getting in?
A growing list of breached usernames and passwords, over 7 billion, is freely available on the dark web. Hackers use these compromised credentials to try to log in to other digital services, such as home security cameras, and because 59% of people use the same password for most logins, attackers have found it to be fairly effective.
What is credential stuffing?
The tactic is known as credential stuffing, and automation tools are making it more efficient for hackers to quickly find vulnerable accounts.
Akamai, a content delivery and cloud service, detected 28 billion malicious login attempts from bots in the second half of 2018 – more than triple the number detected in the previous six months.
While financial services are a prime target, customers of Nest, Dunkin' Donuts, and OkCupid have fallen victim to credential stuffing.
How can I avoid becoming a victim of a credential stuffing attack?
- Check if your information has been compromised. Visit haveibeenpwned.com to help determine if your account or password was part of a breach. If you haven’t already, change the password of any account that uses a password that’s been compromised.
- Use a unique, strong password everywhere. A password manager can help generate these passwords for you. It stores them all in one encrypted location, and can automatically insert passwords when you log into sites.
- Use Multi-Factor Authentication (MFA) when available. This allows access only after two or more pieces of evidence are presented – usually a password and a code that is sent to the user by phone, text or email during login.
In addition to hacking into users’ accounts, bad actors are increasingly using stolen credentials in extortion attempts.
It’s not uncommon to receive an email claiming to be from someone who used your credentials to hack into your computer. The email often includes your password as proof that they’ve broken into your account, and demands a ransom paid in Bitcoin.
How can I protect myself from extortion attempts?
The Federal Bureau of Investigation’s (FBI) Internet Crime Complaint Center (IC3) reported that electronic extortion scams rose 242% to 51,146 reported crimes in 2018, with losses of $83 million. The IC3 provides some tips on how to protect yourself:
- Do not open e-mail or attachments from unknown individuals.
- Monitor your bank account statements regularly, as well as your credit report at least once a year for any fraudulent activity.
- Do not communicate with unsolicited email senders.
- Do not store sensitive or embarrassing photos of yourself online or on your mobile devices.
- Use strong passwords and do not use the same password for multiple websites.
- Never provide personal information of any sort via e-mail. Be aware that many e-mails requesting your personal information appear to be legitimate.
- Ensure security settings for social media accounts are turned on and set at the highest level of protection.
- When providing personally identifiable information, credit card information, or other sensitive information to a website, ensure the transmission is secure by verifying the URL prefix includes https, or the status bar displays a “lock” icon.
New breaches are making headlines on a regular basis, and as long as people keep using the same passwords everywhere, attackers are likely to keep targeting this type of information.
No one wants to be a victim of a cyber attack or cyber extortion, but you can protect yourself with State Farm’s® Identity Restoration Insurance.