Home Page Featured 2

There are two specifically related but not interchangeable threats to your identity, and the terms can often get confused. Credential cracking and credential stuffing both involve someone getting their hands on your personal data, especially your usernames and passwords, but how those two things take place are somewhat different.

Credential Cracking

Credential cracking happens when a hacker targets you or your company specifically. They spend a significant amount of time and tech resources on breaking into your accounts by undermining your password defenses. While victims of credential cracking can absolutely be random citizens caught up in a hacker’s trap, the effort behind it often means that the victim was targeted specifically. It might be a business account or a company’s social media accounts, financial accounts, or even the personal finances for someone within a company.

Credential Stuffing

Credential stuffing, on the other hand, usually occurs when a hacker casts a wider net. They either steal a database filled with information, buy it on the Dark Web, or even stumble upon it in an unsecured web-based storage server. Then, they use software that lets them attempt thousands of “matches” at a time, cross-referencing the stolen usernames and passwords that work on one website with many other websites. When they land on a match—meaning the victim’s username and password from PayPal, for example, are the same one they use on Amazon—they can use that information to steal money and even more identifying information.

Read next: TurboTax Security Breach Cause by Credential Stuffing

Who’s Targeted

Another major difference between these two forms of attack is in how the tech-using public can take action. Credential cracking is potentially in your own hands, unless a cybercriminal targets your place of employment; a lot of your preventive strategy will involve practicing good password hygiene. Credential stuffing, on the other hand, is a result of finding a treasure trove of information that someone else did not properly secure. You often have no way of knowing whether or not your information was included in such a database until you receive a notification letter from the company who allowed it to become compromised.

How to Protect Yourself

As always, one of the best defenses against either of these attacks is to use strong, unique, unguessable passwords that you change routinely. Changing your password can actually prevent credential stuffing since your old (and stolen) information would no longer be valid; by keeping your passwords unique—meaning they are valid on one account only—you can also work to avoid credential stuffing since they will not work on any other account.


Contact the Identity Theft Resource Center for toll-free, no-cost assistance at (888) 400-5530. For on-the-go assistance, check out the free ID Theft Help App from ITRC.

In fact, of the 1,255 total data breaches recorded by the Identity Theft Resource Center in 2018, 150 of were because of the mismanagement of information by employees tasked with protecting it. That means 12% of the data breaches were the direct result of mistakes in handling sensitive information, leading to 1,131,288 records exposed and potentially costly consequences for the companies involved.

April is Records and Information Management Month, and while it might not conjure up holiday-themed festive images the same way Christmas does, it is a great reminder that your information and your identity are only as safe as the people who have their hands on it.

What does it mean to mishandle information? There are numerous ways that information can accidentally fall into the wrong hands. It may be losing a flash drive or laptop with customer records on it, the theft of company hardware like laptops or even servers, reusing a weak password that lets hackers easily break into a system or failing to password protect a database of records in the first place. In other cases, the exposure resulted from improper disposal of sensitive information, such as throwing paper records in an unsecured garbage dumpster instead of shredding. In many cases, employees may fall for phishing attempts or respond to requests that appear to come from someone within the company but are actually sent by malicious imposters.

In order to protect all of the sensitive information that businesses gather and store, it is important to understand how to secure it and what can happen if it is compromised. It often starts with a solid company-wide computer use policy that outlines exactly how things like password security, email responses and data access are supposed to be enforced. Helping every employee understand the ramifications of mishandling information is important, too. Finally, a good “delete” housekeeping from time to time to permanently destroy any outdated stored records can thwart a lot of security problems before they arise.


Contact the Identity Theft Resource Center for toll-free, no-cost assistance at (888) 400-5530. For on-the-go assistance, check out the free ID Theft Help App from ITRC

Read next: TurboTax Breach Cause By Credential Stuffing

SAN DIEGO – Jan 28, 2019 – The Identity Theft Resource Center®, a nationally recognized non-profit organization established to support victims of identity crime, and CyberScout®, a full-spectrum identity, privacy and data security services firm, released the 2018 End-of-Year Data Breach Report.

According to the report, the number of U.S. data breaches tracked in 2018 decreased from last year’s all-time high of 1,632 breaches by 23 percent (or 1,244 breaches), but the reported number of consumer records exposed containing sensitive personally identifiable information jumped 126 percent from the 197,612,748 records exposed in 2017 to 446,515,334 records this past year.

“The increased exposure of sensitive consumer data is serious,” said Eva Velasquez, president and CEO of the Identity Theft Resource Center. “Never has there been more information out there putting consumers in harm’s way. ITRC continues to help victims and consumers by providing guidance on the best ways to navigate the dangers of identity theft to which these exposures give rise.”

Another critical finding was the number of non-sensitive records compromised, not included in the above totals, an additional 1.68 billion exposed records. While email-related credentials are not considered sensitive personally identifiable information, a majority of consumers use the same username/email and password combinations across multiple platforms creating serious vulnerability.

“When it comes to cyber hygiene, email continues to be the Achilles Heel for the average consumer,” said CyberScout founder and chair, Adam Levin. “There are many strategies consumers can use to minimize their exposure, but the takeaway from this year’s report is clear: Breaches are the third certainty in life, and constant vigilance is the only solution.”
To download the 2018 End-of-Year Data Breach Report, visit: idtheftcenter.org/2018-end-of-year-data-breach-report/

###

About the Identity Theft Resource Center:

Founded in 1999, the Identity Theft Resource Center® (ITRC) is a nationally recognized non-profit organization established to support victims of identity theft in resolving their cases, and to broaden public education and awareness in the understanding of identity theft, data breaches, cybersecurity, scams/fraud, and privacy issues. Through public and private support, the ITRC provides no-cost victim assistance and consumer education through its call center, website, social media channels, live chat feature and ID Theft Help. For more information, visit: http://www.idtheftcenter.org

About CyberScout:
Since 2003, CyberScout® has set the standard for full-spectrum identity, privacy and data security services, offering proactive protection, employee benefits, education, resolution, identity management and consulting as well as breach preparedness and response programs.

CyberScout products and services are offered globally by 660 client partners to more than 17.5 million households worldwide, and CyberScout is the designated identity theft services provider for more than 750,000 businesses through cyber insurance policies. CyberScout combines extensive experience with high-touch service to help individuals, government, nonprofit and commercial clients minimize risk and maximize recovery.

###

Identity Theft Resource Center
Charity Lacey
VP of Communications
O: 858-634-6390
C: 619-368-4373
clacey@idtheftcenter.org

CyberScout
Lelani Clark
VP of Communications
O: 646-649-5766
C: 347-204-9297
lelani@adamlevin.com