October 3, 2022

Volume XII, Number 276



Privacy Awareness Week (Online Privacy): Credential Stuffing Attacks are on the Rise in Australia

Today’s topic for Privacy Awareness Week is “online privacy”. It is no surprise that online privacy is a key topic of concern for businesses and consumers alike, given recent high-profile privacy breaches. Of particular significance is the issue of credential stuffing, as Australia is now the fifth highest target for credential stuffing attacks according to Akamai’s Credential Stuffing: Attacks and Economies report of April 2019 (Report).

Credential stuffing is a form of cyberattack in which account credentials, usually usernames or email addresses and their corresponding passwords, are stolen, typically in a previous security breach. The credential combinations are then used to try to gain access to accounts at other sites through automated, large-scale login attempts directed at web applications. The attack relies on individuals using the same password across multiple sites. K&L Gates has previously blogged on a high-profile credential stuffing attack; that post can be found here.

The key findings of the Report include:

  • the largest credential stuffing attacks of 2018 occurred in the video media sector. The market for stolen media and entertainment accounts is thriving as the accounts are sold in bulk;
  • the attacks usually occurred after reported data breaches; and
  • checker programs (or “All-in-One” applications) such as SNIPR are common. These programs allow attackers to validate stolen credentials or to generate combination lists. The credentials can then be sold, traded or harvested for various types of personal information.

Recent credential stuffing attacks demonstrate how your entire digital life can be exposed following a data breach paired with a credential stuffing attack. A successful credential stuffing attack can significantly damage a brand’s reputation and increase its operational costs – even though the attack wasn’t the brand’s fault.

Businesses should consider implementing multi-factor authentication, which can be effective in preventing credential stuffing attacks. Consumers should also be educated about phishing emails and the dangers of using the same password for all logins!

Rebecca Gill contributed to this piece

Copyright 2022 K & L Gates

National Law Review, Volume IX, Number 134

About this Author

Cameron Abbott, Technology, Attorney, Australia, corporate, KL Gates Law Firm

Mr. Abbott is a corporate lawyer who focuses on technology, telecommunications and broadcasting transactions. He assists corporations and vendors in managing their technology requirements and contracts, particularly large outsourcing and technology procurement issues including licensing terms for SAP and Oracle and major system integration transactions.

Mr. Abbott partners with his clients to ensure market leading solutions are implemented into their businesses. He concentrates on managing and negotiating complex technology solutions, which...

Senior Attorney

Ms. Aggromito is a senior lawyer in the Melbourne commercial technology and sourcing team focusing on IT, privacy and data protection.