Hacking Happens: Stolen Credentials


Even the best websites get hacked. As the technology for securing websites and applications gets better and better, hackers get more creative and aggressive in finding ways to steal what isn’t theirs. The bottom line for website owners is that their sites are at risk every day and an aggressive security posture is required to keep your assets safe.

Hackers mostly use one of two main ways to get access to your site—exploiting code vulnerabilities and stealing credentials of valid users. Taking advantage of code vulnerabilities takes specialized skills. So, while this still happens, it is not as popular as credential stealing.

Hackers would much rather use an easier and more reliable way to unlock a door into your site—taking over your users’ accounts. It is the most popular way to gain unauthorized access these days. According to the Verizon Data Breach Investigations Report (VDBIR), using stolen credentials has been the number one attack vector for web applications for the past two years.

Stealing credentials does not require as much technical skill as exploiting code vulnerabilities, and, depending on how well a website and its associated applications are secured, it does not even require a very sophisticated attacker. Believe it or not, these days, hackers can even rent the tools they need to break into a site.

Let’s look at what these criminals have up their sleeves, so you know what to protect against to reduce the likelihood of a breach.

Hackers’ favorite credential stealing tricks:

  • Reusing passwords from credentials leaked on another site
  • Brute force (aka, taking advantage of weak passwords)
  • Phishing and social engineering

Reusing Credentials

Reusing user names and passwords (known in the security business as credential stuffing) takes advantage of the fact that up to 50% of users use the same user names and passwords across sites. All a hacker has to do after getting hold of stolen user names and passwords (which is very easy on the dark web) is stuff them into your website using dedicated bot software or botnets to see if any of them work.

Credential stuffing works: Verizon notes that 63% of the confirmed breaches in 2015 involved “weak, default, or stolen passwords.”

Brute Force

Even when users do not reuse the same passwords, many still create simple passwords so they are easy to remember. Unfortunately, what is easy for users to remember is also easy for hackers to guess. With a little work, hackers can sometimes get a list of valid user names from a site that is improperly protected. Then they take these confirmed and valid user names and plug them into a bot, which attempts to log in using known weak passwords.

Brute force works: The password 123456 statistically works as a valid password for about 5% of accounts on a site.
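
The two bot-driven attacks described above leave different fingerprints in a site's login log: credential stuffing spreads failures across many user names from one source, while brute force hammers one account with many passwords. The following is an added example (not code from the article or its author) that classifies source addresses from constructed sample log lines and lists the accounts that still need a forced password reset because they logged in successfully from a flagged source; the log format, thresholds and 80% spread ratio are assumptions for the demonstration.

```python
from collections import defaultdict
from datetime import datetime, timedelta
# Constructed sample auth log (not from the article): timestamp, source IP, username, result
SAMPLE_LOG = """\
2016-05-01T10:00:01 203.0.113.7 alice FAIL
2016-05-01T10:00:02 203.0.113.7 bob FAIL
2016-05-01T10:00:02 203.0.113.7 carol FAIL
2016-05-01T10:00:03 203.0.113.7 erin OK
2016-05-01T10:00:04 203.0.113.7 dave FAIL
2016-05-01T10:01:00 198.51.100.9 admin FAIL
2016-05-01T10:01:01 198.51.100.9 admin FAIL
2016-05-01T10:01:02 198.51.100.9 admin FAIL
2016-05-01T10:01:03 198.51.100.9 admin FAIL
2016-05-01T10:05:00 192.0.2.33 alice OK
"""

def parse(log_text):
    events = []  # one (timestamp, ip, username, succeeded) tuple per line
    for line in log_text.splitlines():
        ts, ip, user, result = line.split()
        events.append((datetime.fromisoformat(ts), ip, user, result == "OK"))
    return events

def classify_sources(events, window=timedelta(minutes=5), fail_threshold=4):
    """Label each source IP that reaches fail_threshold failed logins inside one window."""
    by_ip = defaultdict(list)
    for ts, ip, user, ok in events:
        by_ip[ip].append((ts, user, ok))
    verdicts = {}
    for ip, rows in by_ip.items():
        rows.sort()
        start = 0
        for end in range(len(rows)):  # sliding time window over this source's attempts
            while rows[end][0] - rows[start][0] > window:
                start += 1
            failures = [u for _, u, ok in rows[start:end + 1] if not ok]
            if len(failures) < fail_threshold:
                continue
            distinct = len(set(failures))
            if distinct == 1:                          # one account hammered with many passwords
                verdicts[ip] = "brute_force"
            elif distinct >= 0.8 * len(failures):      # leaked list replayed across many accounts
                verdicts[ip] = "credential_stuffing"
            else:
                verdicts[ip] = "suspicious"
            break
    return verdicts

def hits_from_flagged_sources(events, verdicts):
    # accounts that logged in successfully from a flagged source: candidates for a forced reset
    return {user for _, ip, user, ok in events if ok and ip in verdicts}
```

On the sample log this flags 203.0.113.7 as credential stuffing, 198.51.100.9 as brute force, and reports erin as the account whose stolen password was accepted.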

Phishing and Social Engineering

Hackers like to take advantage of human behavior—people trust known businesses and individuals. So hackers try to trick people into sharing information by pretending to be someone a user trusts. These hackers (89% of which are organized crime syndicates, according to Verizon) send emails that look like they are from a legitimate and trusted business. They then request information or take the user to a fake site, skillfully designed to look like the business’s real website—where the user enters a user name and password and, by doing so, unknowingly threatens the security of your entire site.

Phishing works: Verizon reports that 30% of phishing messages were opened by users across all campaigns and about 12% clicked on an attachment to “enable the attack to succeed.”

As you can see, hackers are dedicated to finding a way to get around your defenses. They exploit whatever weaknesses they can find in your users’ behavior and your website. To learn more about these vulnerabilities and some of the basic steps you can take to prevent hacking via stolen credentials, download the e-book: Account Takeover: How Hacking Happens in 2016

Published at DZone with permission of Mike Milner, DZone MVB.