User credentials are highly coveted commodities on the dark web. Hackers discover credentials by sending out bots to wage brute-force attacks; the bots attempt to gain access to a web application by trying every possible combination of letters, numbers, and symbols, to see which combinations work.
Or, they steal credential sets (personal identification data, account logins and passwords, contact data, etc.) in massive data breaches. Valid credentials can then be used in a variety of cyberattacks, and can also be sold in illicit marketplaces for others to use.
Once credential sets have been stolen, attackers can take over the affected accounts within the targeted web application.
Another common attack is to use bots to “stuff” the credentials into the login pages of many other web applications (especially high-value targets like bank websites, payment providers, and so on). Unfortunately, many people still use the same credentials across a variety of websites. Therefore, credential stuffing allows an attacker to leverage a single data breach into the successful takeover of multiple accounts across different websites.
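As an added illustration that is not part of the original article, the following Python snippet applies the two patterns described above to a constructed set of login-attempt records: one source cycling through many different accounts with mostly failures (credential stuffing, with the occasional success that reused passwords make possible) versus one source hammering a single account (brute force). The IP addresses, usernames and thresholds are invented for the example.

```python
from collections import defaultdict

# Constructed sample login events (not from the original article):
# timestamp, source IP, username, outcome.
LOG_LINES = """\
2024-05-01T10:00:01 198.51.100.7 alice FAIL
2024-05-01T10:00:02 198.51.100.7 bob FAIL
2024-05-01T10:00:02 198.51.100.7 carol FAIL
2024-05-01T10:00:03 198.51.100.7 dave OK
2024-05-01T10:00:03 198.51.100.7 erin FAIL
2024-05-01T10:00:04 198.51.100.7 frank FAIL
2024-05-01T10:00:05 203.0.113.9 alice FAIL
2024-05-01T10:00:06 203.0.113.9 alice FAIL
2024-05-01T10:00:07 203.0.113.9 alice FAIL
2024-05-01T10:00:08 203.0.113.9 alice FAIL
2024-05-01T10:00:09 203.0.113.9 alice FAIL
2024-05-01T10:00:10 192.0.2.25 grace OK
2024-05-01T10:00:11 192.0.2.25 grace FAIL
"""

def parse(lines):
    """Split the whitespace-separated log format above into tuples."""
    events = []
    for line in lines.splitlines():
        if not line.strip():
            continue
        ts, ip, user, outcome = line.split()
        events.append((ts, ip, user, outcome))
    return events

def classify_sources(events, min_attempts=5, max_success_rate=0.2):
    """Label each source IP 'credential_stuffing', 'brute_force' or 'normal'."""
    by_ip = defaultdict(list)
    for _, ip, user, outcome in events:
        by_ip[ip].append((user, outcome))
    labels = {}
    for ip, attempts in by_ip.items():
        n = len(attempts)
        distinct_users = len({u for u, _ in attempts})
        successes = sum(1 for _, o in attempts if o == "OK")
        if n < min_attempts or successes / n > max_success_rate:
            labels[ip] = "normal"          # too few attempts, or mostly succeeding
        elif distinct_users / n >= 0.8:
            labels[ip] = "credential_stuffing"  # many accounts, mostly failing
        elif distinct_users == 1:
            labels[ip] = "brute_force"     # one account hit repeatedly
        else:
            labels[ip] = "normal"
    return labels

if __name__ == "__main__":
    print(classify_sources(parse(LOG_LINES)))
```

In production the same counts would be kept per IP and per account over a sliding time window, and the thresholds tuned against the site's normal failure rate.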
Hijacked accounts cause numerous problems for the victimized organization and its customers. When the data breaches are discovered, the organization is the target of bad publicity, loss of reputation and trust, and might receive fines and penalties from industry and privacy regulators.