
Latest news with #credentialstuffing

Radware Report Reveals Shifting Attack Vectors in Credential Stuffing Campaigns

Yahoo (Business), 31-07-2025

94% contain four or more business logic attack elements; 83% use API-targeting techniques

MAHWAH, N.J., July 31, 2025 (GLOBE NEWSWIRE) -- Radware® (NASDAQ: RDWR), a global leader in application security and delivery solutions for multi-cloud environments, today released a new research report, The Invisible Breach: Business Logic Manipulation and API Exploitation in Credential Stuffing Attacks. The report reveals a paradigm shift in credential stuffing attacks: a fundamental move away from volume-based attacks built on a series of repeated password attempts toward sophisticated, multi-stage infiltration techniques.

'To bypass traditional defenses, modern credential stuffing attacks are shifting away from traditional password-spraying techniques in favor of business logic manipulation, cross-platform device spoofing, and strategic API exploitation,' said Arik Atar, senior cyber threat intelligence researcher at Radware. 'The message for defending organizations is clear. To match this new reality, they must move beyond credential-centric controls to adopt security strategies that validate entire user journeys, correlate cross-request behavior, and detect suspicious patterns in business logic flows.'

Radware's research examined 100 advanced credential stuffing configurations deployed through a well-known account takeover tool called SilverBullet.

Advanced attack methodologies
  • Business logic attacks: 94% of configurations implement four or more business logic attack elements, with 54% demonstrating advanced orchestration, using 13+ distinct techniques.
  • API exploitation: 83% of configurations contain explicit API-targeting techniques.
  • Multi-device spoofing: 24% of attack scripts alternate between two device types during execution, with 71% employing cross-platform transitions, primarily between iOS and Windows.

Primary targets
  • Industries: Technology/SaaS emerged as the primary target sector (27%), followed by financial services/government (16%) and travel/airline (13%).
  • Online tools: There is a significant shift toward high-value AI tools (44% of all technology targets), potentially exploited by spammers who crack accounts to generate phishing content at scale. In addition, corporate tools (30%), including Microsoft 365, OneDrive, and Outlook, are likely targets for ransomware groups pursuing initial access to organizational systems.

Centralized threat landscape
  • Concentration: 51% of the analyzed configurations, randomly collected over six months, were written by just three advanced threat actors: SVBCONFIGSMAKER, and @Magic_Ckg.
  • Specialization: Each threat actor had over two years of operational experience in distinct areas of specialization, including AI platform authentication bypass, mobile API exploitation, and Microsoft cloud services.

Radware's complete report, The Invisible Breach: Business Logic Manipulation and API Exploitation in Credential Stuffing Attacks, can be downloaded here. The research methodology was based on an analysis of 100 SilverBullet credential stuffing attack scripts to identify emerging trends, techniques, and tactics in modern account takeover (ATO) campaigns. The scripts were collected from Telegram channels of threat actors and published between December 2024 and May 2025.

About Radware
Radware® (NASDAQ: RDWR) is a global leader in application security and delivery solutions for multi-cloud environments. The company's cloud application, infrastructure, and API security solutions use AI-driven algorithms for precise, hands-free, real-time protection from the most sophisticated web, application, and DDoS attacks, API abuse, and bad bots. Enterprises and carriers worldwide rely on Radware's solutions to address evolving cybersecurity challenges and protect their brands and business operations while reducing costs.
For more information, please visit Radware's website. Radware encourages you to join our community and follow us on: Facebook, LinkedIn, Radware Blog, X, and YouTube.

©2025 Radware Ltd. All rights reserved. Any Radware products and solutions mentioned in this press release are protected by trademarks, patents, and pending patent applications of Radware in the U.S. and other countries. For more details, please see Radware's website. All other trademarks and names are property of their respective owners.

THIS PRESS RELEASE AND RADWARE'S THE INVISIBLE BREACH: BUSINESS LOGIC MANIPULATION AND API EXPLOITATION IN CREDENTIAL STUFFING ATTACKS REPORT ARE PROVIDED FOR INFORMATIONAL PURPOSES ONLY. THESE MATERIALS ARE NOT INTENDED TO BE AN INDICATOR OF RADWARE'S BUSINESS PERFORMANCE OR OPERATING RESULTS FOR ANY PRIOR, CURRENT, OR FUTURE PERIOD. Radware believes the information in this document is accurate in all material respects as of its publication date. However, the information is provided without any express, statutory, or implied warranties and is subject to change without notice. The contents of any website or hyperlinks mentioned in this press release are for informational purposes and the contents thereof are not part of this press release.

Safe Harbor Statement
This press release includes 'forward-looking statements' within the meaning of the Private Securities Litigation Reform Act of 1995. Any statements made herein that are not statements of historical fact, including statements about Radware's plans, outlook, beliefs, or opinions, are forward-looking statements. Generally, forward-looking statements may be identified by words such as 'believes,' 'expects,' 'anticipates,' 'intends,' 'estimates,' 'plans,' and similar expressions or future or conditional verbs such as 'will,' 'should,' 'would,' 'may,' and 'could.'
For example, when we say in this press release that to match this new reality, organizations must move beyond credential-centric controls to adopt security strategies that validate entire user journeys, correlate cross-request behavior, and detect suspicious patterns in business logic flows, we are using forward-looking statements. Because such statements deal with future events, they are subject to various risks and uncertainties, and actual results, expressed or implied by such forward-looking statements, could differ materially from Radware's current forecasts and estimates. Factors that could cause or contribute to such differences include, but are not limited to: the impact of global economic conditions, including as a result of the state of war declared in Israel in October 2023 and instability in the Middle East, the war in Ukraine, tensions between China and Taiwan, financial and credit market fluctuations (including elevated interest rates), impacts from tariffs or other trade restrictions, inflation, and the potential for regional or global recessions; our dependence on independent distributors to sell our products; our ability to manage our anticipated growth effectively; our business may be affected by sanctions, export controls, and similar measures, targeting Russia and other countries and territories, as well as other responses to Russia's military conflict in Ukraine, including indefinite suspension of operations in Russia and dealings with Russian entities by many multi-national businesses across a variety of industries; the ability of vendors to provide our hardware platforms and components for the manufacture of our products; our ability to attract, train, and retain highly qualified personnel; intense competition in the market for cybersecurity and application delivery solutions and in our industry in general, and changes in the competitive landscape; our ability to develop new solutions and enhance existing solutions; the impact to our 
reputation and business in the event of real or perceived shortcomings, defects, or vulnerabilities in our solutions, if our end-users experience security breaches, or if our information technology systems and data, or those of our service providers and other contractors, are compromised by cyber-attackers or other malicious actors or by a critical system failure; our use of AI technologies that present regulatory, litigation, and reputational risks; risks related to the fact that our products must interoperate with operating systems, software applications and hardware that are developed by others; outages, interruptions, or delays in hosting services; the risks associated with our global operations, such as difficulties and costs of staffing and managing foreign operations, compliance costs arising from host country laws or regulations, partial or total expropriation, export duties and quotas, local tax exposure, economic or political instability, including as a result of insurrection, war, natural disasters, and major environmental, climate, or public health concerns; our net losses in the past and the possibility that we may incur losses in the future; a slowdown in the growth of the cybersecurity and application delivery solutions market or in the development of the market for our cloud-based solutions; long sales cycles for our solutions; risks and uncertainties relating to acquisitions or other investments; risks associated with doing business in countries with a history of corruption or with foreign governments; changes in foreign currency exchange rates; risks associated with undetected defects or errors in our products; our ability to protect our proprietary technology; intellectual property infringement claims made by third parties; laws, regulations, and industry standards affecting our business; compliance with open source and third-party licenses; complications with the design or implementation of our new enterprise resource planning ('ERP') system; 
our reliance on information technology systems; our ESG disclosures and initiatives; and other factors and risks over which we may have little or no control. This list is intended to identify only certain of the principal factors that could cause actual results to differ. For a more detailed description of the risks and uncertainties affecting Radware, refer to Radware's Annual Report on Form 20-F, filed with the Securities and Exchange Commission (SEC), and the other risk factors discussed from time to time by Radware in reports filed with, or furnished to, the SEC. Forward-looking statements speak only as of the date on which they are made and, except as required by applicable law, Radware undertakes no commitment to revise or update any forward-looking statement in order to reflect events or circumstances after the date any such statement is made. Radware's public filings are available from the SEC's website or may be obtained on Radware's website.

Companies must protect themselves against bots bypassing defenses

Tahawul Tech (Business), 15-07-2025

David Warburton, Director, F5 Labs, outlines the growing sophistication of bot adversaries and the steps companies can take to combat them in this exclusive op-ed.

In today's digital landscape, where applications and APIs are the lifeblood of businesses, a silent threat lurks: sophisticated bot adversaries. While traditional security measures focus on preventing malicious attacks, automated threats slip through undetected by mimicking human behaviour and exploiting gaps in application logic in unexpected ways. F5 Labs' recently released 2025 Advanced Persistent Bots Report sheds light on the evolving tactics of advanced persistent bots and the challenges they pose. Here are three trends that stood out for me from this year's research, and what companies can do to protect themselves.

1. Credential stuffing: When stolen passwords expose valuable data

Imagine a scenario where cybercriminals use readily available stolen credentials to access sensitive user accounts. This is the reality of credential stuffing, a prevalent bot-driven attack that exploits the widespread practice of password reuse. According to F5 Labs, some organisations see upwards of 80% of login traffic coming from credential stuffing attacks launched by bots. The report highlights that, even with a low success rate of 1% to 3% per attack campaign, the sheer volume of automated logins translates into a substantial number of compromised accounts. Incidents such as the PayPal breach in 2022, where almost 35,000 user accounts were accessed and highly monetisable personal information exposed, show the stakes, and large credential leaks provide massive databases of usernames and passwords for malicious use across other online services. Even a small success rate can yield significant results, because many people reuse passwords. These details can then be used for fraudulent transactions or data theft, or sold on the dark web for targeted attacks. In recent years, several well-known brands have reported credential stuffing attacks.

The decline of genetic testing firm 23andMe was, in part, attributed to a credential stuffing campaign that exposed customer health and ancestry information. Data was found for sale on the dark web at a price of $1,000 for 100 profiles, up to $100,000 for 100,000 profiles. The company cited customers' lack of adoption of the site's multi-factor authentication (MFA) option as the primary failure, but the insidious nature of credential stuffing lies in its ability to bypass traditional security measures. Since the bots use legitimate credentials and are not exploiting any software vulnerability, they don't trigger typical alarms. MFA can help but, due to the rise of real-time phishing proxies (RTPP), it's not foolproof. Organisations must implement smart bot detection solutions that analyse login patterns, device fingerprints, and behavioural anomalies to see what's really going on.

2. Hospitality under siege: Gift card bots and the rise of 'carding'

While finance and retail sectors are often considered prime targets for cyberattacks, F5 Labs research showed that hospitality is heavily targeted by malicious bot activity. In particular, 'carding' and gift card bots are found to target hospitality websites and APIs, with some organisations experiencing a 300% surge in malicious bot activity compared to last year. The report also notes that the average value of gift cards targeted by bots is increasing. Carding uses bots to validate stolen credit card numbers by rapidly testing them on checkout pages and APIs. Gift card bots exploit loyalty programs and gift card systems. Attackers use them to check balances, transfer points, or redeem rewards illegally. These bots often target weaknesses such as simple patterns and sequential gift card IDs. The hospitality industry's vulnerability stems from the fact that loyalty points and gift cards are essentially digital currency. Cybercriminals can easily convert these assets into cash or use them to purchase goods and services.

To protect themselves, hospitality businesses must implement robust bot detection and mitigation strategies specifically tailored to address these kinds of threats. This includes monitoring gift card activity, analysing transaction patterns and implementing solutions that can differentiate between humans and bots. CAPTCHAs, once the go-to solution for blocking bots, have been easily bypassed by bot operators for years.

3. Bypassing the gatekeepers: Residential proxies and the futility of CAPTCHAs

Traditional bot defences like CAPTCHAs and IP blocking are failing against increasingly sophisticated evasion tactics. Bot operators can easily outsource CAPTCHA solving to human click farms, where individuals are paid small amounts to solve challenges on demand. Furthermore, the rise of residential proxy networks is a significant factor. These networks route bot traffic through residential IPs via compromised devices, masking the true IP addresses of the bots. The F5 Labs report suggests that residential proxies are now widely used by bot operators, and the majority of bot traffic now appears to originate from these networks. Identity management vendor Okta flagged the role of the broad availability of residential proxy services in a surge of credential stuffing attacks on its users last year. The company said that millions of fake requests had been routed through residential proxies to make them appear to originate from the mobile devices and browsers of everyday users, rather than from the IP space of virtual private server (VPS) providers.

To effectively combat these advanced evasion techniques, organisations need to move beyond traditional defences and embrace smart bot solutions. These solutions leverage machine learning and behavioural analysis to identify bots based on their unique characteristics. By focusing on human-like behaviour, rather than relying on IP addresses or CAPTCHAs, organisations can more accurately detect and block sophisticated bot attacks.

Navigating the risk landscape: Finding your bot defence sweet spot

Ultimately, the level of bot defence an organisation implements depends on its risk appetite. Every business must weigh the potential costs and benefits of different mitigation strategies and determine the level of risk it is willing to accept. Completely eliminating all bot traffic may not be feasible, or even desirable, as some automated activity is legitimate and beneficial. However, failing to address malicious bot activity can lead to significant financial losses, reputational damage, and customer frustration. The key is to find the right balance. By understanding the different types of bots targeting your organisation, assessing the potential impact of their activities, and implementing appropriate detection and mitigation measures, you can effectively manage your bot risk and protect your business, and your customers, from advanced persistent bot threats.

Image Credit: F5
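The detection advice in sections 1 and 3 above (login patterns, device fingerprints, behavioural anomalies, and the fact that residential proxies make per-IP blocking useless), together with the Radware report earlier on this page that asks defenders to correlate cross-request behaviour and to watch for sessions flipping between iOS and Windows, can be turned into concrete log analysis. The following Python is an added example, not code from F5 Labs or Radware: the JSON log schema, the field names, the session identifier and the thresholds are assumptions, and the log lines are constructed for illustration.

```python
"""Heuristic detector for credential-stuffing and device-spoofing signals in
login logs. Added example for illustration; the log schema and thresholds
are assumptions, not F5 Labs' or Radware's detection logic."""
import json
from collections import defaultdict

# Constructed sample login events (not real traffic), one JSON object per line.
# "src" is the client address, "session" a cookie/session id, "ua_os" the
# platform parsed from the User-Agent, "ok" whether the login succeeded.
SAMPLE_LOG = """
{"ts": 1, "src": "203.0.113.7",  "session": "s1", "user": "alice@example.com", "ua_os": "iOS",     "ok": false}
{"ts": 2, "src": "203.0.113.7",  "session": "s1", "user": "bob@example.com",   "ua_os": "iOS",     "ok": false}
{"ts": 3, "src": "203.0.113.7",  "session": "s1", "user": "carol@example.com", "ua_os": "Windows", "ok": false}
{"ts": 4, "src": "203.0.113.7",  "session": "s1", "user": "dave@example.com",  "ua_os": "iOS",     "ok": true}
{"ts": 5, "src": "203.0.113.7",  "session": "s1", "user": "erin@example.com",  "ua_os": "Windows", "ok": false}
{"ts": 6, "src": "198.51.100.2", "session": "s2", "user": "frank@example.com", "ua_os": "Windows", "ok": false}
{"ts": 7, "src": "198.51.100.2", "session": "s2", "user": "frank@example.com", "ua_os": "Windows", "ok": true}
{"ts": 8, "src": "192.0.2.9",    "session": "s3", "user": "grace@example.com", "ua_os": "Android", "ok": true}
"""

# Assumed thresholds; tune them against your own baseline traffic.
MIN_ATTEMPTS = 4   # ignore sources with too few events to judge
FANOUT = 0.75      # distinct accounts / attempts: stuffing tries each pair once
FAIL_RATIO = 0.6   # stuffing campaigns fail on the vast majority of pairs


def parse_events(text):
    """Parse newline-delimited JSON into a list of event dicts ordered by time."""
    events = [json.loads(line) for line in text.strip().splitlines() if line.strip()]
    return sorted(events, key=lambda e: e["ts"])


def score_sources(events):
    """Per-source signals: account fan-out, failure ratio, mid-session OS changes."""
    by_src = defaultdict(list)
    for e in events:
        by_src[e["src"]].append(e)

    findings = {}
    for src, evs in by_src.items():
        attempts = len(evs)
        if attempts < MIN_ATTEMPTS:
            continue
        distinct = len({e["user"] for e in evs})
        fail_ratio = sum(not e["ok"] for e in evs) / attempts

        # Device-spoofing signal: one session id presenting a different OS from
        # one request to the next (the iOS/Windows alternation Radware describes).
        os_flips, last_os = 0, {}
        for e in evs:  # already time-ordered
            prev = last_os.get(e["session"])
            if prev is not None and prev != e["ua_os"]:
                os_flips += 1
            last_os[e["session"]] = e["ua_os"]

        reasons = []
        if distinct / attempts >= FANOUT and fail_ratio >= FAIL_RATIO:
            reasons.append("credential stuffing: one try per account, mostly failing")
        if os_flips:
            reasons.append(f"device spoofing: {os_flips} OS change(s) inside one session")
        if reasons:
            findings[src] = {"attempts": attempts, "distinct_users": distinct,
                             "fail_ratio": fail_ratio, "os_flips": os_flips,
                             "reasons": reasons}
    return findings


def campaign_signal(events):
    """Aggregate view that survives residential-proxy rotation: per-source volume
    stays low, but the account-level pattern 'one failed try, never seen again'
    still stands out across the whole window."""
    per_user = defaultdict(list)
    for e in events:
        per_user[e["user"]].append(e["ok"])
    one_shot_failures = sum(1 for outcomes in per_user.values() if outcomes == [False])
    failures = sum(not e["ok"] for e in events)
    return {"accounts": len(per_user),
            "one_shot_failures": one_shot_failures,
            "fail_ratio": failures / len(events)}


def takeover_candidates(events, findings):
    """Successful logins from a flagged source: accounts to force-reset and review."""
    return {e["user"] for e in events if e["ok"] and e["src"] in findings}


if __name__ == "__main__":
    evs = parse_events(SAMPLE_LOG)
    found = score_sources(evs)
    for src, info in found.items():
        print(src, info)
    print("campaign:", campaign_signal(evs))
    print("likely compromised:", takeover_candidates(evs, found))
```

On the constructed input the single noisy source is flagged on both counts, the two low-volume sources are ignored, and the one success from the flagged source (dave) is the account to reset. The campaign view is the part that matters once traffic is spread over a residential proxy pool: four of seven accounts show exactly one failed attempt and nothing else, which is the stuffing signature regardless of how many IPs delivered it.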
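Section 2 names the root weakness behind gift card bots: simple patterns and sequential IDs, where one known code tells a bot where every neighbouring code lives. The following Python is an added example, not F5's code or any vendor's scheme; it contrasts a sequential format with a random code that carries a keyed check tag, and wraps the balance-check endpoint in a per-source miss budget. The alphabet, code lengths, issuer secret and budget are assumptions.

```python
"""Enumeration-resistant gift card codes and a budgeted balance lookup.
Added example for illustration; the format, lengths, secret and budget are
assumptions, not any vendor's scheme."""
import hashlib
import hmac
import secrets
from collections import defaultdict

# 32-symbol alphabet without 0/O and 1/I, so codes survive being read aloud.
ALPHABET = "ABCDEFGHJKLMNPQRSTUVWXYZ23456789"
BODY_LEN = 12   # 12 symbols * 5 bits = 60 bits of randomness
TAG_LEN = 4     # 4 symbols * 5 bits = 20-bit keyed check tag


def sequential_code(counter):
    """The pattern bots enumerate: one known code reveals every neighbour."""
    return f"GC{counter:012d}"


def expected_guesses(random_bits, issued):
    """Average blind guesses needed to hit one live card when 'issued' cards
    are scattered over a 2**random_bits space."""
    return 2 ** random_bits / issued


def _tag(secret, body):
    """Keyed tag over the random body; only the issuer can mint valid codes."""
    mac = hmac.new(secret, body.encode(), hashlib.sha256).digest()
    return "".join(ALPHABET[b % len(ALPHABET)] for b in mac[:TAG_LEN])


def issue_code(secret):
    body = "".join(secrets.choice(ALPHABET) for _ in range(BODY_LEN))
    return body + _tag(secret, body)


def well_formed(secret, code):
    """Cheap, constant-time pre-check: rejects all but 1 in 2**20 random guesses
    before the database is touched, without leaking which part was wrong."""
    if len(code) != BODY_LEN + TAG_LEN or any(c not in ALPHABET for c in code):
        return False
    body, tag = code[:BODY_LEN], code[BODY_LEN:]
    return hmac.compare_digest(tag, _tag(secret, body))


class BalanceGate:
    """Wraps the balance-check endpoint with a per-source miss budget."""

    def __init__(self, secret, issued_codes, max_misses=5):
        self.secret = secret
        self.balances = dict(issued_codes)   # code -> balance
        self.max_misses = max_misses
        self.misses = defaultdict(int)

    def lookup(self, src, code):
        if self.misses[src] >= self.max_misses:
            return "blocked"                 # budget spent: alert, stop answering
        if not well_formed(self.secret, code) or code not in self.balances:
            self.misses[src] += 1
            return "unknown"                 # same answer for bad tag and unissued
        return self.balances[code]


if __name__ == "__main__":
    key = secrets.token_bytes(32)            # assumed issuer secret
    card = issue_code(key)
    print("sequential:", sequential_code(41), sequential_code(42))
    print("random    :", card, "valid:", well_formed(key, card))
    print("guesses to hit 1 of ~1M live cards:", expected_guesses(60, 2 ** 20))
    gate = BalanceGate(key, {card: 50.0})
    print([gate.lookup("bot", sequential_code(i)) for i in range(6)])
```

With 2^20 live cards in a 60-bit space an attacker needs about 2^40 guesses per hit, and every guess that fails the tag check is rejected before any database round trip, so the miss counter (and whatever alerting hangs off it) sees the enumeration long before it could succeed. The same "unknown" answer for a bad tag and for an unissued code keeps the response from acting as an oracle for which half a bot got right.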

World's 200 Most Dangerous Passwords Revealed — Change Yours If Listed

Forbes, 09-07-2025

Is your password on the world's most used list?

Passwords: can't live without them. Oh, hold on, actually you can. Passkeys are far more secure, and increasingly, platforms, products, and services are making them available to users. That's the good news. The bad news is that, for hundreds of millions of users supposedly securing billions of accounts, weak and easily compromised passwords remain the reality. With lists of such compromised passwords readily available on the criminal underground and even the surface web, using one of the 200 most commonly used, and therefore most dangerous, passwords is tantamount to handing hackers the keys to your account. If your passwords are on this list, they most certainly are getting in.

2.5TB Credentials From 44 Countries Database Analyzed — 200 Most Dangerous Passwords Revealed

There is no shortage of compromised and leaked password lists floating around the web, dark or surface, if you care to go and look. And, believe me, threat actors know exactly where to find the most valuable of them, available in credential-stuffing and password-spraying-ready formats for a small fee. That, dear reader, is the sorry state of login security today. It's why the likes of Google are urging users to replace passwords with passkeys. If you can't, and you are stuck with using passwords, then, please, at least make them long, strong and secure. Use a password manager to create random password strings that are too complex for you to remember, because you won't have to remember them. Use passphrases; use anything other than the 200 dangerous passwords on this list.

Compiled jointly by NordPass and NordStellar, the list of the 200 most used, and therefore most dangerous, passwords emerged from an analysis of a 2.5TB database of passwords found on the dark and surface webs, across 44 countries in total, stolen by malware or exposed in data leaks. 'We focused only on the statistical information,' the researchers said, 'so no personal data from internet users was included in this research.'

Let's tease the results out a little by starting with the 10 most dangerous passwords attributed to U.S. users. Interestingly, this features nine of the ten most used passwords globally, but in a different order. The only password unique to the U.S. top 10 was the (not so) highly original password1, a rubbish password that sits at number 17 in the global list.

OK, so let's move on to the global list, of which I'll just focus on the first 50; please use the already provided link to access the full database of 200. Needless to say, if any of your passwords appear here, or in the full list, change them as a matter of some urgency, and while doing so, give your neck a wobble for using them in the first place. What were you thinking?
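The server-side counterpart to the advice above is a registration-time blocklist check that rejects not just the listed passwords but their trivial decorations (a capital letter, a trailing digit or exclamation mark, leet substitutions), which is how "password1" ends up at number 17 in the first place. The Python below is an added example, not code or data from NordPass or NordStellar; the eight entries are a constructed stand-in for the 200-entry list, and the leet map and minimum length are assumptions.

```python
"""Registration-time check against a common-password blocklist, matching
trivial decorations of a blocked entry as well as the entry itself.
Added example for illustration; the list excerpt, leet map and minimum
length are assumptions, not NordPass/NordStellar data or code."""
import re
import unicodedata

# Constructed excerpt standing in for a 200-entry most-common list.
COMMON_PASSWORDS = {
    "123456", "password", "qwerty", "admin", "password1",
    "iloveyou", "welcome", "letmein",
}
MIN_LENGTH = 8  # assumed policy floor for user-chosen passwords

# Characters people substitute to dodge a naive exact-match check.
LEET = str.maketrans({"0": "o", "1": "i", "3": "e", "4": "a",
                      "5": "s", "7": "t", "@": "a", "$": "s"})


def stem(password):
    """Reduce a password to the word a blocklist entry is built on: case-fold,
    drop the trailing digits/punctuation people append ('password1!'), undo leet
    substitutions ('p@ssw0rd'), then strip anything non-alphanumeric."""
    s = unicodedata.normalize("NFKC", password).casefold()
    trimmed = re.sub(r"[^a-z]+$", "", s)
    if not trimmed:                       # no letters at all: keep the digits as-is
        return re.sub(r"[^a-z0-9]", "", s)
    return re.sub(r"[^a-z0-9]", "", trimmed.translate(LEET))


BLOCKED_STEMS = {stem(p) for p in COMMON_PASSWORDS}


def is_blocked(password):
    return password in COMMON_PASSWORDS or stem(password) in BLOCKED_STEMS


def check_password(password):
    """Return (accepted, reason). The blocklist is checked first: a leaked
    password is unacceptable whatever its length."""
    if is_blocked(password):
        return False, "matches a commonly used password or a trivial variant of one"
    if len(password) < MIN_LENGTH:
        return False, f"shorter than {MIN_LENGTH} characters"
    return True, "ok"


if __name__ == "__main__":
    for candidate in ["password", "Password1!", "P@ssw0rd2024", "123456",
                      "@dmin", "Tr0ub4dor&3", "correct horse battery staple"]:
        print(f"{candidate!r}: {check_password(candidate)}")
```

A stem-based match is deliberately coarse: it will never reject a genuinely random string, but it does catch every way a user is likely to dress up "password". In production the local list is the fast path; full coverage comes from querying the Have I Been Pwned Pwned Passwords range endpoint with the first five hex characters of the candidate's SHA-1, so the full hash never leaves the server.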

23andMe's Data Breach Settlement Could Net You Free Money: Here's How

CNET (Business), 04-07-2025

Hackers used a credential stuffing attack to gain access to 23andMe accounts in October 2023. Getty Images/Viva Tung/CNET

Ever used 23andMe? If you have, you might be able to get paid as part of the company's ongoing class-action settlement, but you'll have to move quickly, since it closes in less than two weeks. It's been a tough few years for the once-popular ancestry-tracking service, which was struck by a prolonged data breach that allowed hackers to gain personal data for about half of the company's 14 million customers in 2023. The company has struggled ever since then, and filed for bankruptcy in March 2025. It is now being acquired by TTAM Research Institute, a nonprofit led by 23andMe co-founder Anne Wojcicki, which outbid Regeneron Pharmaceuticals.

The San Francisco-based company, which allows people to submit genetic materials and get a snapshot of their ancestry, announced in October 2023 that hackers had accessed customer information in a data breach. A January 2024 lawsuit accused the company of not doing enough to protect its customers and of not notifying certain customers with Chinese or Ashkenazi Jewish ancestry that their data had been targeted specifically. It later settled the lawsuit for $30 million. "We have executed a settlement agreement for an aggregate cash payment of $30 million to settle all US claims regarding the 2023 credential stuffing security incident," a 23andMe spokesman told CNET. "We continue to believe this settlement is in the best interest of 23andMe customers, and we look forward to finalizing the agreement." A few months after that decision, there's now an official method available to make a claim and potentially get paid by 23andMe, in some cases as much as $10,000. Keep reading to get all the details you need.

How many people did the 23andMe data breach hit?

The settlement could cover roughly 6.9 million 23andMe customers whose data was targeted. To qualify, 23andMe customers must also have been US residents as of Aug. 11, 2023. That 6.9 million number includes around 5.5 million customers of 23andMe's DNA Relatives feature, which lets people find and connect with genetic relatives. The other 1.4 million people affected by the breach used another service known as Family Tree, which predicts a family tree based on the DNA users share with relatives, 23andMe said.

How much money could I get from the settlement?

At the top end, 23andMe has said it would pay out up to $10,000 through an "Extraordinary Claim" to each customer who can verify that the theft of their information in the breach directly caused hardships resulting in unreimbursed costs. This includes costs from "identity fraud or falsified tax returns," acquiring physical security systems, or receiving mental health treatment. Residents of Alaska, California, Illinois and Oregon who were affected by the data breach can also apply for a payment as part of the proposed settlement, since those states have genetic privacy laws with damages provisions. The payments for these individuals are expected to be around $100, depending on how many people file for them, a settlement document said. Also, a smaller subset of affected users whose personal health information was impacted by the breach will be able to apply for a payment of $100. Infographic: Gianmarco Chumbe/CNET.

Will the 23andMe settlement include anything else?

Beyond those payments, 23andMe will also offer impacted users three years of a security monitoring service called Privacy Shield, which filings described as providing "substantial web and dark web monitoring."

How can I file a claim for the 23andMe settlement?

To file a claim electronically, you can use the official online portal from the Kroll Restructuring Administration. An additional online form is available if you would like proof of your claim sent to you. Potential claimants can also download and print out hard copies of the claim form and proof of claim form if they wish to submit them by mail. If you plan to use this method, send your forms to one of the addresses listed on the claims website. The deadline to make a claim is July 14. For more, you can read about how class action lawsuits work.

Why Good Passwords Matter: 2,800 North Face Accounts Breached in Cyberattack

CNET (Business), 04-06-2025

This cyberattack shows why you shouldn't reuse passwords. Getty Images

If you just got an email from The North Face saying your account has been compromised, it's probably because you phoned it in when setting your password on its website. The outdoor apparel and equipment brand is notifying more than 2,800 of its online customers that their personal information was stolen in an April credential-stuffing attack on its website. That attack comes on the heels of recent cyberattacks on fellow retailers Victoria's Secret, Cartier, Adidas and Marks & Spencer.

According to a notification filed with the state of Maine, North Face detected unusual activity on its site on April 23. An investigation revealed that an attacker had launched a "small-scale credential-stuffing attack" against the site. In that type of attack, cybercriminals use massive sets of previously exposed logins and passwords to try to access online accounts. If a customer has used the same login and password on the attacked site, their account could be at risk of compromise. Conversely, setting different passwords for all of your accounts limits the potential damage from this kind of attack. According to the state of Maine notification, 2,861 North Face accounts were affected by the April attack. The company said it disabled the passwords for those accounts and customers will be required to set new ones when they log back in. Customers were also advised to set new passwords for any other account where they might have used the same password. "We do not believe that the incident involved information that would require us to notify you of a data security breach under applicable law," North Face said in its customer-notification letter. "However, we are notifying you of the incident voluntarily, out of an abundance of caution."

Gaining access to a customer account could give the attackers access to information including customer names, dates of birth, phone numbers, email addresses and shipping addresses, if those pieces of information were saved to a customer's account, along with shopping preferences and past purchases, North Face said. Credit and banking card information, including card numbers and expiration dates, was not exposed in the attack, the company said, because it doesn't store that kind of information on its site; instead it uses a secure token that links a customer's account to a third-party payment processor.

How to protect your personal data in case of a breach
  • Set strong passwords. All of your online passwords should be long, random and unique. In the case of the North Face breach, the customer accounts were compromised because the customers had used the same password for another account that was previously compromised. Yes, setting different, strong passwords for all of your accounts can be a lot of work. If you need help, try a password manager.
  • Always, always use two-factor authentication whenever possible. This protects your account with a second identifier, such as a biometric or a push notification sent to your phone, making it a lot harder for an attacker to get in even if they have your password.
  • Limit the data you store in online accounts. Sure, it's convenient to save your name, address and credit card information in your account for your favorite online store, but the more information you hand over, the more of it is at risk of theft. Think about checking out as a guest and, if you're done shopping with a particular retailer, think about deleting your account entirely.
  • Change compromised passwords right away. It's no longer considered a best practice to change your passwords every 90 days or so. If you set a good one, you can largely leave it be. But if you do hear that it's been compromised, don't dawdle in setting a new one.
  • Be on guard for phishing attempts. The more information cybercriminals have about you, the better they can craft phishing attempts aimed at stealing your money or personal data. Artificial intelligence tools are making this easier than ever. All unsolicited emails, texts and social media ads and messages should be looked at with skepticism.
