Recent news brought this topic close to home: Troy Hunt, a renowned security expert and the creator of Have I Been Pwned (HIBP), recently shared that he fell victim to a sneaky phishing attack targeting his Mailchimp account.
Troy received an email that looked like it was from Mailchimp, claiming there was a spam complaint and that he needed to log in to resolve it. Being tired and a bit jet-lagged, he clicked the link and entered his credentials — only to realize moments later it was a fake site. The attackers immediately used this access to export his blog’s mailing list, containing around 16,000 records.
Online accounts are protected by the three factors of authentication: something you know (like a password), something you have (like a phone), and something you are (like a fingerprint). These factors are designed to keep our accounts secure — but fraudsters constantly find new ways to compromise all three.
Something You Know: The Data Breach Bonanza
Fraudsters scoop up usernames and passwords from compromised companies — and they’ve been doing it since digital passwords were invented. They develop phishing scams to fool users into handing over credentials. And malware is everywhere: it’s estimated that more than 1 billion malware programs currently exist, automatically mining and sending information without the user knowing.
Many organizations rely on myNetWatchman to protect against credential stuffing and account takeover attacks — but account security is especially critical for financial institutions (FIs). This article explores a real credential stuffing attack against a large FI, observed in real time between June and August 2024.
It’s a High-Volume Numbers Game
Credential stuffing systematically tests exposed credential pairs to see where the same combination works elsewhere. The attack in this case study saw over 8 million unique usernames attempted in a 6-week period — not to succeed on all of them, but to identify the ones that do.