It has been a week of data breach news, with General Motors, Chicago Public Schools, and wedding-planner startup Zola all reeling from the exposure of customers’ personal information. In the latter’s case, customers were also riffed for stored funds and suffered fraudulent payment-card charges.
Credential stuffing was to blame in two of the incidents. In credential stuffing, attackers use automated scripts to try high volumes of stolen username and password combinations against online accounts in an effort to take them over. The stolen credentials are usually taken from data breaches of other sites — cybercriminals bank on password reuse and the use of common or easy-to-guess passwords, like “123456.”
Once in, cybercriminals can use the compromised accounts for various purposes: as a pivot point to penetrate deeper into a victim’s machine and network; to drain accounts of sensitive information (or monetary value); and, if it’s an email account, to impersonate the victim in attacks on others.
And such attacks are costly: The Ponemon Institute’s Cost of Credential Stuffing report found that businesses lose an average of $6 million per year to credential stuffing in the form of application downtime, lost customers, and increased IT costs.
They’re also wildly common. According to recent PerimeterX data, malicious login attempts out of total logins trended upward during 2021, reaching a staggering 93.8% of all login attempts in August, which was an 8% increase on the 2020 peak.
Verizon’s 2022 Data Breach Investigations Report (DBIR), released this week, noted that the use of stolen credentials for kicking off data breaches is the top attack vector, accounting for around 42% of all of the breaches analyzed by the carrier.
General Motors Drives into Trouble
GM has alerted customers that a successful credential-stuffing attack last month on its customers resulted in a raft of account compromises. The incident exposed personal information for customers and allowed hackers to fraudulently redeem rewards points for gift cards.
The customer data involved lends itself to a veritable cornucopia of follow-on attacks, including convincing social-engineering efforts, spoofing attacks, and, alarmingly, potential physical threats at the extreme end of the spectrum. The info included first and last name, personal email address, personal address, username and phone number for registered family members tied to an account, last known and saved favorite location information, your currently subscribed OnStar package (if applicable), family members’ avatars and photos (if uploaded), profile picture, search and destination information, and reward-card activity.
“Some may suggest that breaches that don’t involve payment-card numbers or SSNs are not as serious, but other information (family member names, phone numbers, and addresses) is just as damaging as it will be used in future social engineering attacks and will forever place these people in danger,” noted John Gunn, CEO at Token, via email. “How easy is it to change family member names, phone numbers, and addresses? This type of attack is eminently preventable simply with better multi-factor authentication.”
GM is reinstating any lost loyalty points and forced a password reset for customers.
Chicago Public Schools Face Student Exposure
Also this week, news emerged of a wide-ranging data breach that involved the personal information of nearly 500,000 students in Chicago Public Schools (CPS), and more than 56,000 employees.
The information was stolen as part of a ransomware attack on one of the district’s third-party technology suppliers, Battelle for Kids, which maintains a server used to store the CPS student and staff information. The data was for the 2015-2019 school years.
CPS issued a data-breach notification flagging the exposed information, which included name, date of birth, gender, grade level, school, and district and state student ID numbers, as well as information about the courses students took.
The exposed staff records included name, school employee ID number, CPS email address, and scores on tasks used to evaluate teachers during the time period, the district said.
Perhaps most notably, the breach occurred months ago, on Dec. 1, but Battelle for Kids didn’t notify CPS until April 26. It took that long for the vendor to verify the authenticity of the breach and commission an independent forensic analysis, and for law enforcement authorities to investigate, CPS noted.
The data was old and there’s no evidence that the ransomware gang has made a move to exploit the data, but students and staff should still be on the lookout for phishing efforts, the district warned. It’s offering everyone involved a year of free credit monitoring in response to the incident.
“Ransomware attacks have become a growing threat to education centers across the United States,” says Erfan Shadabi, cybersecurity expert with data security specialists Comforte AG. “Schools are becoming more dependent on a computing infrastructure to support their daily functions, and they also hold a vast amount of sensitive information. School districts and universities need to understand that they are high-profile targets, and they need to assume that a cyberattack is imminent.”
Zola Customer Accounts Hijacked
Wedding-planning site Zola has discovered that 3,000 customer accounts were compromised in an apparent brute-force or credential-stuffing attack on its customers.
The site allows couples to create wedding destination websites, build gift registries, and access a variety of financial tools. Over the weekend, customers began reporting on Reddit that their accounts had been hijacked, with the cyberattackers making off with stolen funds or racking up fraudulent credit-card charges. Zola didn’t reveal how high the losses have mounted.
TechCrunch, which first reported the breach, said that it saw posts on a Dark Web Telegram channel from hackers, who swapped tips, posted screenshots of pwned accounts, and discussed ordering gift cards using the credit card on file with Zola.
“Credential stuffing attacks continue to fuel the web-attack lifecycle, potentially using these stolen user credentials on other e-commerce sites,” said Uriel Maimon, vice president of emerging products at PerimeterX, via email. “We can expect that these credentials will soon be tested on other apps that we use daily to power our lives. The responsibility lies on app providers and website owners to make it difficult and expensive for cybercriminals to use the information in order to disrupt the cycle of attacks. This means stopping the theft, validation, and fraudulent use of account and identity information everywhere along a consumer’s digital journey.”
He added that that one way to do that is by tracking behavioral and forensics signals of users logging in, in order to differentiate between real users and attackers.