A password list attack (the term used in Japan for what is known elsewhere as credential stuffing) is a type of cyberattack in which attackers take a precompiled list of ID and password pairs, usually leaked through a breach of some other site, and replay those pairs against the login pages of enterprise or organizational websites. This method is also referred to as an "account list attack" or "list-based account hacking."
Attackers typically obtain these ID-password lists from breaches of poorly secured websites or systems, then try the same pairs on unrelated services. If a stolen pair also works on an e-commerce account, the attacker can harvest personal information or misuse stored credit card details. Victims of password list attacks may face financial losses from unauthorized withdrawals or fraudulent transactions.
Causes of Password List Attacks
- Reusing IDs and Passwords: Many users reuse the same credentials across multiple services, so a single breach at one site exposes every other account where the same pair was used.
- Phishing Attacks: Attackers also build credential lists through phishing, tricking users into entering their ID and password on a convincing fake login page; the harvested pairs are added to the list and replayed elsewhere.
Differences from Other Cyberattacks
Password list attacks are often confused with the following attack types:
- Brute Force Attacks: Systematically guessing passwords by trying every possible combination.
- Dictionary Attacks: Using a predefined library of common passwords or word combinations, such as names or phrases.
- Password Spraying Attacks: Trying one commonly used password against many accounts, one attempt per account, so that per-account lockout thresholds are never reached.
Password list attacks are particularly difficult to detect because each targeted account sees only one or two login attempts, often with a valid password, so per-account lockout and failed-attempt counters never trigger. The signal is only visible in the aggregate: a single source (or a botnet of sources) trying many distinct accounts, with a success rate far above what guessing would achieve.
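The aggregate view described above, as an added example that is not part of the original article: a small Python classifier run over a constructed login log, grouping events per source IP and separating brute force (many tries on one account) from a password list attack (one try per account across many accounts, with occasional successes). The log lines, the IP addresses and the thresholds are all constructed assumptions for illustration, not tuned values.

```python
from collections import defaultdict

# Constructed sample login log (no real system); one event per line:
# timestamp source_ip username outcome
SAMPLE_LOG = "\n".join(
    # Brute force: one source hammering a single account.
    [f"2024-05-01T10:00:{i:02d}Z 203.0.113.5 alice FAIL" for i in range(12)]
    # Password list attack: one source, one try per account across many
    # accounts, and an occasional success because the credentials are real.
    + [f"2024-05-01T10:05:{i:02d}Z 198.51.100.7 user{i:03d} FAIL" for i in range(10)]
    + ["2024-05-01T10:05:10Z 198.51.100.7 user010 SUCCESS",
       "2024-05-01T10:05:11Z 198.51.100.7 user011 FAIL"]
    # Ordinary user: one typo, then a successful login.
    + ["2024-05-01T10:07:00Z 192.0.2.9 dave FAIL",
       "2024-05-01T10:07:05Z 192.0.2.9 dave SUCCESS"]
)


def parse_log(text):
    """Yield (ip, user, outcome) tuples; malformed lines are skipped."""
    for line in text.splitlines():
        parts = line.split()
        if len(parts) == 4:
            yield parts[1], parts[2], parts[3]


def profile_sources(events):
    """Aggregate per source IP: total attempts, distinct usernames,
    attempts on the most-targeted username, and successful logins."""
    per_ip = defaultdict(lambda: {"attempts": 0, "successes": 0, "per_user": defaultdict(int)})
    for ip, user, outcome in events:
        s = per_ip[ip]
        s["attempts"] += 1
        s["per_user"][user] += 1
        if outcome == "SUCCESS":
            s["successes"] += 1
    return {
        ip: {
            "attempts": s["attempts"],
            "successes": s["successes"],
            "distinct_users": len(s["per_user"]),
            "max_per_user": max(s["per_user"].values()),
        }
        for ip, s in per_ip.items()
    }


def classify_source(stats, min_attempts=10, min_users=5, max_per_user=2):
    """Thresholds are illustrative assumptions. A per-account lockout only
    ever sees max_per_user tries, which is why the list attack never trips it."""
    if stats["attempts"] < min_attempts:
        return "normal"
    if stats["distinct_users"] <= 2 and stats["max_per_user"] > max_per_user:
        return "brute_force"
    if stats["distinct_users"] >= min_users and stats["max_per_user"] <= max_per_user:
        # Spraying and list attacks look alike here (one try per account);
        # successes mixed into the failures point to a list of real credentials.
        return "password_list" if stats["successes"] else "spraying_or_list"
    return "suspicious"


def classify_log(text):
    """Map each source IP in the log to a verdict string."""
    return {ip: classify_source(s) for ip, s in profile_sources(parse_log(text)).items()}


if __name__ == "__main__":
    for ip, verdict in classify_log(SAMPLE_LOG).items():
        print(ip, verdict)
```

Real campaigns are usually spread over proxy networks or botnets so that no single IP crosses a threshold; in that case the same statistics are computed per ASN, user agent or device fingerprint, and the site-wide ratio of successful to failed logins is watched for a sudden rise.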
Examples of Real Incidents
- QR Code Payment Systems: In July 2019, the "7pay" QR code payment service in Japan suffered unauthorized access and fraudulent charges shortly after launch; password list attacks were among the suspected methods, and the service was shut down.
- Bank Deposits: In September 2020, fraudulent withdrawals were made from bank accounts linked to NTT Docomo's "Docomo Account" service, using account holders' credentials that had been stolen elsewhere.
Impacts of Password List Attacks
- Unauthorized Withdrawals and Payment Fraud: Stolen credentials can result in unauthorized access to bank accounts or credit card misuse.
- Data Breaches: Victims may experience leaks of sensitive personal or corporate information.
- Impersonation on Social Media: Unauthorized access to social media accounts can lead to reputation damage via fake posts or messages.
- Legal Liabilities for Service Providers: Companies may face civil and criminal liabilities due to poor security measures, resulting in costly damage control.
- Loss of Public Trust: Breaches can harm the company’s reputation and reduce user trust in its services.
Preventing Password List Attacks
Both individuals and organizations must implement strategies to prevent these attacks:
- Avoid Reusing Credentials: Users should use a unique password for each service (a password manager makes this practical), and service providers should educate users about this practice and reject passwords that appear in known breach corpora.
- Monitor Login Attempts with WAFs: Employ web application firewalls (WAFs) or equivalent login monitoring to detect suspicious activity such as many distinct accounts tried from the same source, an abnormal ratio of failed to successful logins, or logins from unusual locations. Per-IP counting alone is not enough, since list attacks are commonly spread across proxies or botnets; rate limiting and bot detection on the login endpoint are needed as well.
- Implement Two-Factor Authentication (2FA): Requiring a second factor, such as a one-time password from an authenticator app or a hardware security key, stops an attacker who holds only a leaked password. Codes sent by email or SMS are weaker (an email one-time password is no protection if the mailbox reuses the leaked password) but still defeat most automated list attacks.