Bitcoin Forum
Author Topic: Credential Stuffing Attack  (Read 288 times)
Yogee (OP)
August 17, 2020, 05:12:37 AM
Merited by vapourminer (2), DdmrDdmr (1), bitsurfer2014 (1)
 #1

This is yet another reminder not to use the same email and password in various online services that you are going to use. Recently, thousands of Canadians were affected when the Government's online portal called GCKey was attacked with credential stuffing. The portal is used by the public to access different government services.
Quote
Used by approximately 30 federal departments, GCKey allows Canadians to access services like Employment and Social Development Canada’s My Service Canada Account or their Immigration, Refugees and Citizenship Canada account. Of the roughly 12 million active GCKey accounts in Canada, the passwords and usernames of 9,041 users were acquired fraudulently and used to try and access government services, a third of which accessed such services and are being further examined for suspicious activity.


If you're unfamiliar with what credential stuffing is, it's a cyberattack using previously leaked information to access other websites. This attack is often successful because many people recycle their passwords and email addresses across multiple platforms, from banks, crypto exchanges, social media and discussion forums to other accounts.

You never know when a platform you signed up for is going to be hacked or when your submitted credentials will be sold to scammers; that's why it's important to create unique passwords and use different emails for each account. There are some topics here suggesting using 2FA for added account security; I recommend using that as well. Other platforms also send you a warning when there's suspicious activity in your account, like logging in from a different device or IP address, so be sure to always check them out.


Sources:
- https://www.canada.ca/en/treasury-board-secretariat/news/2020/08/statement-from-the-office-of-the-chief-information-officer-of-the-government-canada-on-recent-credential-stuffing-attacks.html
- https://www.bleepingcomputer.com/news/security/canada-suffers-cyberattack-used-to-steal-covid-19-relief-payments/
- https://en.wikipedia.org/wiki/Credential_stuffing

Charles-Tim
August 17, 2020, 05:49:00 AM
 #2

IMO, if an account can be opened even without KYC, it will even be the best. There are many legit wallets and exchanges that can be used for hodling and trading respectively; to go for such will be good. In this way, there will be more privacy. But at times there can be no option, especially while dealing with non-crypto related accounts and forum accounts. In this case, the first thing to come to mind is to use 2FA; having the 2FA app on another device is advisable, the password created should be a very complex one that cannot be easy to guess or brute force, and using a new/different email with a strong password is also recommended.

After all these are considered, care must still be taken because unsecure browsing can still lead to careless leak of someone's personal information.

dondonk
August 17, 2020, 06:57:47 AM
 #3

It is very risky to use a username and password identity on various websites. It would be better if you use Google Authenticator as the 2nd safeguard, or use a cell phone number for 2FA.
Charles-Tim
August 17, 2020, 08:23:37 AM
 #4

Quote
It is very risky to use a username and password identity on various websites. It would be better if you use Google Authenticator as the 2nd safeguard, or use a cell phone number for 2FA.

There are many other authenticators that can be used, but if supported by the account someone wanted to create. You can check the quote below. I prefer such authenticators to using Google Authenticator.

Quote
You should use an open source authenticator app such as andOTP, Aegis, or Tofu, and not some closed source spyware from Google. Also, SIM or SMS authentication is notoriously easy to hack via SIM jacking and should be avoided.

Coyster
August 17, 2020, 08:44:29 AM
 #5

This is how to create a secure password, it is important so even if hackers get your email address, it is impossible for them to guess the password to possibly hack the account. Another mistake users make is creating one strong password and using the same one on all their profiles, it's wrong, creating a unique strong password anytime you want to open a new profile and on all your existing ones is what should be done.

Many users have prolly submitted their email addresses to untrusted websites before ever learning it could be sold in the black market to scammers. What you should do is avoid visiting the email and consider every mail received in it as spam. If you share the address with a profile that's still active, you should change it to a different unique email and discard the previous one, cause other than hackers guessing your password, they can also send malware to your mail and phishing links through which, if you click on them, your account/email could be compromised.

Maus0728
August 17, 2020, 09:03:37 AM
Merited by Yogee (1)
 #6

Quote
It is very risky to use a username and password identity on various websites. It would be better if you use Google Authenticator as the 2nd safeguard, or use a cell phone number for 2FA.

Using your mobile number for 2-Factor Authentication (SMS-based 2FA) is the worst method possible as another security layer for your email or any other account, as it may be vulnerable to attacks such as SIM swapping. It would be much better to have a separate device that is used solely for registering and storing 2FA accounts rather than using only 1 device.

Just a heads up though, make a habit of writing the backup codes that are generated before activating your 2FA security layer to avoid hassle in case your device is lost in the process. Otherwise, it will be a pain in the ass if you have lost access to your accounts with 2FA activated. LOL

GeorgeJohn
August 17, 2020, 09:59:50 AM
 #7

Quote
This is yet another reminder not to use the same email and password in various online services that you are going to use. Recently, thousands of Canadians were affected when the Government's online portal called GCKey was attacked with credential stuffing. The portal is used by the public to access different government services.

This message is very important to everyone who has email, because no one is exempt from the problem if the problem comes.
Using the same email address on online platforms is very dangerous because if someone happens to hack your email address, the person has access to penetrate your wallet and other things that require the email.
Everyone should try to protect their mail with alphanumerics so that it will be difficult to access your mail.
Also, everyone is advised to have at least five or four (5-4) email addresses for different applications if necessary.

bitsurfer2014
August 17, 2020, 10:07:29 AM
 #8

Quote
It is very risky to use a username and password identity on various websites. It would be better if you use Google Authenticator as the 2nd safeguard, or use a cell phone number for 2FA.

Good suggestion! Enabling 2FA, if available, on any website that needs credentials is a must, but this is not always the case.

Most often the victims of these kinds of attacks are very complacent and they tend to use the same credentials even for different sites for easy recollection, and often disregard the use of password managers that will enable them to handle their credentials in a more secure manner.
DdmrDdmr
August 17, 2020, 10:48:05 AM
Merited by Yogee (1)
 #9

The thing is, according to BleepingComputer:
Quote
some departments, such as CRA or IRCC, GCKey does not have multi-factor authentication enabled in the workflow.
<…>
In our tests, BleepingComputer also didn't find any security captchas in use. This could have made it possible for bots to conduct automated credential stuffing.
That means that, regardless of the measures an individual may have taken, the site (or some of the sites where a common GCKey is used to access Canadian government sites) did not have the safety countermeasures in place to begin with. I even wonder how misleading that may have been for the users, since from the above I derive that some people may have 2FA activated, but that only works in a subset of the GCKey accessible sites.
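
The site-side gap described in the post above, seen from the defender's position, as an added example that is not part of the original post or of any GCKey system: one way an operator can flag credential stuffing in its own login log is to look for a source that tries many different usernames in a short window with a low success rate. The log format, thresholds and function names are assumptions, and the sample lines are constructed.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Assumed log format for this example: timestamp, source IP, username, outcome.
LINE_RE = re.compile(r"^(\S+) ip=(\S+) user=(\S+) result=(OK|FAIL)$")

# Constructed sample data; the IPs are from the RFC 5737 documentation ranges.
SAMPLE_LOG = """\
2020-08-15T10:00:01Z ip=203.0.113.7 user=alice result=FAIL
2020-08-15T10:00:02Z ip=203.0.113.7 user=bob result=FAIL
2020-08-15T10:00:03Z ip=203.0.113.7 user=carol result=OK
2020-08-15T10:00:04Z ip=203.0.113.7 user=dave result=FAIL
2020-08-15T10:00:05Z ip=203.0.113.7 user=erin result=FAIL
2020-08-15T10:00:06Z ip=203.0.113.7 user=frank result=FAIL
2020-08-15T10:00:07Z ip=203.0.113.7 user=grace result=OK
2020-08-15T10:00:08Z ip=203.0.113.7 user=heidi result=FAIL
2020-08-15T10:01:00Z ip=198.51.100.20 user=ivan result=OK
2020-08-15T10:01:10Z ip=198.51.100.20 user=judy result=OK
2020-08-15T10:01:20Z ip=198.51.100.20 user=mallory result=FAIL
2020-08-15T10:01:25Z ip=198.51.100.20 user=mallory result=OK
2020-08-15T10:01:30Z ip=198.51.100.20 user=niaj result=OK
2020-08-15T10:01:40Z ip=198.51.100.20 user=olivia result=OK
2020-08-15T10:01:50Z ip=198.51.100.20 user=peggy result=OK
2020-08-15T10:02:00Z ip=192.0.2.55 user=trent result=FAIL
2020-08-15T10:02:05Z ip=192.0.2.55 user=trent result=FAIL
2020-08-15T10:02:10Z ip=192.0.2.55 user=trent result=FAIL
2020-08-15T10:02:15Z ip=192.0.2.55 user=trent result=OK
"""


def parse_events(lines):
    """Yield (timestamp, ip, user, succeeded) for each well-formed line."""
    for line in lines:
        m = LINE_RE.match(line.strip())
        if m:
            ts = datetime.strptime(m[1], "%Y-%m-%dT%H:%M:%SZ")
            yield ts, m[2], m[3], m[4] == "OK"


def find_stuffing_sources(lines, window=timedelta(minutes=5),
                          min_users=5, max_success_ratio=0.4):
    """Return {ip: finding} for sources that try many accounts and mostly fail.

    A single user retyping a forgotten password touches one username; a shared
    office address touches many but mostly succeeds. Stuffing touches many
    usernames and mostly fails, with a few successes where a password was reused.
    """
    by_ip = defaultdict(list)
    for ts, ip, user, ok in sorted(parse_events(lines)):
        by_ip[ip].append((ts, user, ok))

    findings = {}
    for ip, events in by_ip.items():
        start = 0
        for end in range(len(events)):
            # Slide the window so it never spans more than `window`.
            while events[end][0] - events[start][0] > window:
                start += 1
            chunk = events[start:end + 1]
            users = {user for _, user, _ in chunk}
            ratio = sum(ok for _, _, ok in chunk) / len(chunk)
            best = findings.get(ip, {"distinct_users": 0})
            if (len(users) >= min_users and ratio <= max_success_ratio
                    and len(users) > best["distinct_users"]):
                findings[ip] = {
                    "distinct_users": len(users),
                    "attempts": len(chunk),
                    # Successful logins from a flagged source need follow-up.
                    "accounts_to_review": sorted(
                        {user for _, user, ok in chunk if ok}),
                }
    return findings


if __name__ == "__main__":
    for ip, finding in find_stuffing_sources(SAMPLE_LOG.splitlines()).items():
        print(ip, finding)
```

Accounts listed under `accounts_to_review` logged in successfully from a flagged source and are the candidates for session revocation and a forced password reset. The success-ratio condition is what keeps a shared office or carrier address, which also shows many usernames, from being flagged.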
dondonk
August 17, 2020, 10:55:35 AM
 #10

Quote
It is very risky to use a username and password identity on various websites. It would be better if you use Google Authenticator as the 2nd safeguard, or use a cell phone number for 2FA.
There are many other authenticators that can be used, but if supported by the account someone wanted to create. You can check the quote below. I prefer such authenticators to using Google Authenticator.

You should use an open source authenticator app such as andOTP, Aegis, or Tofu, and not some closed source spyware from Google. Also, SIM or SMS authentication is notoriously easy to hack via SIM jacking and should be avoided.

New knowledge for me, thanks for the reference. So far I have found authentication using Google and a phone number. Maybe later I will try other types of authentication such as in the quote that you shared, thank you.
posi
August 17, 2020, 11:44:14 AM
 #11

Quote
It is very risky to use a username and password identity on various websites. It would be better if you use Google Authenticator as the 2nd safeguard, or use a cell phone number for 2FA.

Sorry to burst your bubble, but using a different username and password with the inclusion of Google authy and 2FA is not enough, and setting all that up could still leave an account holder vulnerable to attack if they don't avoid human mistakes. Besides, some of the errors include using public computers and surfing unsecure websites.
 

Oasisman
August 17, 2020, 12:05:27 PM
 #12

Well, another thing I could suggest is to use a separate and unique password combination with your email address and don't use this password again with any of your accounts. And don't attempt to log in to your email on different devices.
I have been using a local custodial wallet and every time I do transactions, they send an OTP to your email before you can proceed. So, from there I saw the importance of securing your email address as your priority, because wallets have 2FA and can enable OTPs sent directly to email. Therefore, it would be useless for the hackers to access your wallet without your email, and this gives you enough time to detect such unauthorized activities and change your credentials.

yazher
August 17, 2020, 01:37:06 PM
 #13

Quote
You never know when a platform you signed up for is going to be hacked or when your submitted credentials will be sold to scammers; that's why it's important to create unique passwords and use different emails for each account. There are some topics here suggesting using 2FA for added account security; I recommend using that as well. Other platforms also send you a warning when there's suspicious activity in your account, like logging in from a different device or IP address, so be sure to always check them out.

These kinds of mistakes often become the flaws that get our accounts hacked. I mean, using multiple passwords is safe, but seriously guys, those hackers always find some holes to gather that data, except when you have some 2FA like the OP said, which will make them lose their hair trying to get your account from you. Anyway, guys, have you ever heard of someone who got their account hacked even though they'd been using Google Authenticator or phone number verification?

erikoy
August 18, 2020, 06:05:12 AM
 #14

Quote
The thing is, according to BleepingComputer:
Quote
some departments, such as CRA or IRCC, GCKey does not have multi-factor authentication enabled in the workflow.
<…>
In our tests, BleepingComputer also didn't find any security captchas in use. This could have made it possible for bots to conduct automated credential stuffing.
That means that, regardless of the measures an individual may have taken, the site (or some of the sites where a common GCKey is used to access Canadian government sites) did not have the safety countermeasures in place to begin with. I even wonder how misleading that may have been for the users, since from the above I derive that some people may have 2FA activated, but that only works in a subset of the GCKey accessible sites.

Oh, I have only a little knowledge and understanding about the security of accounts and passwords, without knowing that even accounts with a good password are still not guaranteed to secure the identity/account on that site. As the posts above mention, bots will be able to conduct automated credential stuffing. So, there is nothing we can do here except to always be wary not to get into sites that are not secured. The only question is, how could it be possible to distinguish sites that have no security system, like the use of security captchas?
Lordhermes
August 19, 2020, 11:31:30 AM
 #15

Quote
Another mistake users make is creating one strong password and using the same one on all their profiles, it's wrong, creating a unique strong password anytime you want to open a new profile and on all your existing ones is what should be done.

This is a much more complicated one because a user's brain is not systemized digitally to the extent of reminding such a user, via permutation and combination, of the passwords of different platforms. Let's say a user creates accounts on 15 forum platforms with 15 different passwords; is it really possible for such a user to recall them all at the same time on each respective and specific platform for fast recognition? Your idea is a good one too but could bring more complications.

Quote
those hackers always find some holes to gather that data.....

Actually, it's really a big problem to keep your data and credentials completely safe from hackers. Those looters work on a daily basis and it takes them a lot of time attacking what they plan to hack. The primary solution is setting up 2FA, phone verification, fingerprint, face recognition, and other safeguards, security and privacy policies to reduce the chance of being hacked.
AakZaki
August 19, 2020, 10:37:19 PM
 #16

Quote
~snip~
Just a heads up though, make a habit of writing the backup codes that are generated before activating your 2FA security layer to avoid hassle in case your device is lost in the process. Otherwise, it will be a pain in the ass if you have lost access to your accounts with 2FA activated. LOL

Rewriting the backup code should also be considered. Don't take screenshots carelessly and save them on the device you use the most. It is better to write down the 2FA backup code on a piece of paper in your diary, which will be safer. If you are worried that your device will be damaged, you can use a 2FA application which supports dual devices but with better security.
Most importantly, don't be careless with the security of your own account. No system is safe.
tranthidung
August 20, 2020, 04:45:29 AM
 #17

Quote
It is very risky to use a username and password identity on various websites.

For passwords:
  • Don't reuse past passwords
  • Don't use the same password on multiple platforms
  • Don't use passwords that are too weak
Also see: [GUIDE] How to Create a Strong/Secure Password

Quote
It would be better if you use Google Authenticator as the 2nd safeguard, or use a cell phone number for 2FA.

For 2FA:
  • Use an app, not an SMS code or anything related to your SIM, because of problems you cannot control: not receiving the code because of the service provider, and/or SIM swap attacks.
  • Back up the secret code of your 2FA and test its validity for later recovery (when your phone is lost, broken, or anything else).
  • Use a YubiKey if you can

[BEWARE] Sim Port Attack
Aegis Authenticator, a decent alternative to Google Authenticator and Authy
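
One way to test a written-down 2FA backup secret, as the list above advises, added here as an example that is not part of the original post: compute the TOTP code (RFC 6238 with HMAC-SHA1, the scheme authenticator apps commonly use) from the paper copy and compare it with the code the app currently shows. The function names are assumptions, and the secret is the public RFC 6238 test key, not a real one.

```python
import base64
import hashlib
import hmac
import struct
import time

B32_ALPHABET = set("ABCDEFGHIJKLMNOPQRSTUVWXYZ234567")

# Public test key from RFC 6238 (ASCII "12345678901234567890"), base32-encoded
# and written the way people copy it onto paper: lower case, grouped in fours.
PAPER_COPY = "gezd gnbv gy3t qojq gezd gnbv gy3t qojq"


def normalize_secret(written: str) -> bytes:
    """Turn a hand-copied base32 secret into key bytes, or raise ValueError."""
    s = "".join(written.split()).replace("-", "").rstrip("=").upper()
    bad = sorted(set(s) - B32_ALPHABET)
    if not s or bad:
        # 0, 1, 8 and 9 are not in the base32 alphabet: a typical sign that
        # O/0 or I/1 were confused while writing the secret down.
        raise ValueError(f"not valid base32, check these characters: {bad}")
    return base64.b32decode(s + "=" * (-len(s) % 8))


def totp(key: bytes, at_time: float, digits: int = 6, step: int = 30) -> str:
    """RFC 6238 TOTP with HMAC-SHA1 (RFC 4226 dynamic truncation)."""
    counter = struct.pack(">Q", max(0, int(at_time)) // step)
    mac = hmac.new(key, counter, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** digits).zfill(digits)


def backup_matches_app(written: str, code_from_app: str, at_time: float = None,
                       drift_steps: int = 1, step: int = 30) -> bool:
    """True if the paper copy yields the code the app shows (+/- clock drift)."""
    now = time.time() if at_time is None else at_time
    try:
        key = normalize_secret(written)
    except ValueError:
        return False  # the paper copy itself is not a valid secret
    code = code_from_app.replace(" ", "")
    return any(
        hmac.compare_digest(totp(key, now + d * step, len(code), step), code)
        for d in range(-drift_steps, drift_steps + 1)
    )


if __name__ == "__main__":
    # At Unix time 59 the RFC 6238 test vector is 94287082 (8 digits).
    print(totp(normalize_secret(PAPER_COPY), 59, digits=8))
    print(backup_matches_app(PAPER_COPY, "287 082", at_time=59))
```

Run the check on a device other than the phone holding the authenticator, and do it while the phone still works, so a transcription error is found before the backup is needed.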

CryptocurencyKing
August 22, 2020, 10:26:49 PM
 #18

Quote
It's important to create unique passwords and use different emails for each account. There are some topics here suggesting using 2FA for added account security; I recommend using that as well. Other platforms also send you a warning when there's suspicious activity in your account, like logging in from a different device or IP address, so be sure to always check them out.

Adhering to this advice of using multiple emails is going to be really difficult due to the fact that emails are a unique information portal and vital to almost everyone. The idea of multiple emails isn't a very recommended one by the service providers and could be quite confusing to the owner as per the platforms for which its varying emails are used.
Surely these security messages do pop up and I second the recommendation that it should be followed up strictly.
khaled0111
August 22, 2020, 11:52:21 PM
 #19

^ You are right, using different email addresses is a bit annoying, especially remembering which address you used for which platform. However, using a unique password for each platform you sign in to is a must regardless of how unpleasant it might be, as it will save you from this kind of attack. If your credentials get leaked, the attacker will not be able to access your other accounts.

vapourminer
August 23, 2020, 01:06:22 PM
Merited by Yogee (1)
 #20

Quote
It is very risky to use a username and password identity on various websites. It would be better if you use Google Authenticator as the 2nd safeguard, or use a cell phone number for 2FA.

sms (2fa via cell phone text message) is risky as sim swapping is a thing.

google auth is ok(ish) but yubikeys (or its equivalent) are much better. but not all sites support it.

there are also open source alternatives to google auth if needed.