This Div is a JS Trigger
Issue 57 | May 2019


This newsletter includes information to help lawyers reduce the likelihood of being sued for malpractice. The material presented is not intended to establish, report, or create the standard of care for lawyers. The articles do not represent a complete analysis of the topics presented, and readers should conduct their own appropriate legal research.
New cyber risk: Credential stuffing

As cyber risks continue to emerge, so too do the names used to describe them. Here is a new one – credential stuffing.

This is when someone takes another’s username and password and tries it on a variety of websites such as banks, gaming sites and other online services such as PayPal or uber to see if they can get access. The theory is that people use the same username and password for multiple services. For many this assumption is correct because we don’t like having to remember multiple passwords.

The value of the username / password combination is not in that information per se. Rather, the value is in the verified access to websites that information provides. Those who get this information use algorithms to try the combination on multiple websites and record successes. In other words, accounts are being illegally accessed because of data breaches arising elsewhere.

A recent report by Akamai discusses this threat noting nearly 30 billion credential stuffing attacks in 2018, each attack being an attempt to log into an account with a stolen or generated username and password. The goal is to validate the credentials. From this report, Canada currently ranks third for both sources of attack and attack destinations.

The importance of unique passwords, password managers and multi-factor authentication cannot be understated. It is almost to the point where the convenience of technology is being undermined by the efforts one has to take to protect their information.

Here are some password tips courtesy the U.S. Department of Homeland Security.