Yahoo Breach May Have Led to ‘Credential Stuffing’

Real-life version of a Mr. Robot episode has many subplots.

Raphael Satter, born in the Midwest, has been a Europe-based reporter for Associated Press since 2006. Today, he’s delivered a scary look at the Dark Web ramifications of that massive Yahoo hack.

The theft of some 500 million website user data sets occurred in late 2014. Over that holidays and into 2015, it likely spawned something known as “credential stuffing:”

This cybercriminal technique works by throwing leaked username and password combinations at a series of websites in an effort to break in, a bit like a thief finding a ring of keys in an apartment lobby and trying them, one after the other, in every door in the building. Software makes the trial-and-error process practically instantaneous.

Credential stuffing typically succeeds between 0.1 percent and 2 percent of the time, according to Shuman Ghosemajumder, the chief technology officer of Mountain View, California-based Shape Security. That means cybercriminals wielding 500 million passwords could conceivably hijack tens of thousands of other accounts.

From a yodel… to a wail. Read the rest of Satter’s piece here.