So they brute forced the login?
No request limiting?
Wtf
Edit: yeah it’s just a brute force with less steps. That’s fuckn embarrassing
“Credential Stuffing is a subset of the brute force attack category. Brute forcing will attempt to try multiple passwords against one or multiple accounts; guessing a password, in other words. Credential Stuffing typically refers to specifically using known (breached) username / password pairs against other websites.”
Just because this method is a subset of the brute force attack doesn’t mean that they don’t have request limiting. They are reusing known breached passwords from other platforms, which makes it basically a guarantee that they will get the right password if they don’t use a password manager. Their computer systems are secure, it’s just their business model that’s a privacy nightmare.
I mean true, there’s nothing you can do with a successful attempt.
But I feel like this still could have been limited. Required 2FA obvi comes to mind… You can limit rate in a lot of ways.
Limits aren’t a concern if you’re controlling a bunch of zombies. The big guys usually have thousands if not hundreds of thousands of 'em.
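An added example (not from anyone in this thread, and not any company's real code) showing why the two posts above are both right: per-IP and per-account limits catch a classic single-source brute force, but a credential-stuffing wave spread over a botnet makes only one attempt per IP and one attempt per account, so neither counter ever trips. A site-wide signal (failure rate across all logins jumping well above baseline, from many distinct IPs) still fires. All traffic, IPs (RFC 5737 documentation ranges), thresholds and the 10% baseline failure rate are constructed for the example.

```python
"""Compare three login-throttling heuristics against constructed login traffic."""
from collections import Counter

# Each attempt is (timestamp_seconds, source_ip, username, succeeded).
# Every value below is constructed for this example.


def normal_traffic():
    """20 ordinary users over 10 minutes, roughly 10% typo failures."""
    return [(i * 30, f"203.0.113.{i}", f"user{i}", i % 10 != 0) for i in range(20)]


def stuffing_wave(start=600, bots=40):
    """Distributed credential stuffing: each bot IP tries ONE breached
    username/password pair against ONE account. Some pairs still work
    because the victims reused passwords."""
    return [(start + i, f"198.51.100.{i}", f"victim{i}", i % 8 == 0) for i in range(bots)]


def single_source_bruteforce(start=1200, tries=10):
    """Classic brute force: one IP hammers one account with guessed passwords."""
    return [(start + i, "192.0.2.7", "target_user", False) for i in range(tries)]


def in_window(attempts, start, length):
    return [a for a in attempts if start <= a[0] < start + length]


def per_ip_offenders(attempts, max_failures=5):
    """Per-IP limit: IPs with more than max_failures failed logins in the window."""
    fails = Counter(ip for _, ip, _, ok in attempts if not ok)
    return {ip for ip, n in fails.items() if n > max_failures}


def per_account_offenders(attempts, max_failures=5):
    """Per-account lockout: accounts with more than max_failures failures,
    counted across all source IPs."""
    fails = Counter(user for _, _, user, ok in attempts if not ok)
    return {user for user, n in fails.items() if n > max_failures}


def global_stuffing_signal(attempts, baseline_fail_rate=0.10,
                           min_attempts=20, ratio_multiplier=3.0):
    """Site-wide signal: the failure rate over ALL logins in the window is far
    above the normal baseline AND the attempts come from many distinct IPs.
    Thresholds are assumptions; a real deployment would tune them from history."""
    if len(attempts) < min_attempts:
        return False
    failures = sum(1 for _, _, _, ok in attempts if not ok)
    fail_rate = failures / len(attempts)
    distinct_ips = len({ip for _, ip, _, _ in attempts})
    return fail_rate > baseline_fail_rate * ratio_multiplier and distinct_ips >= min_attempts // 2


def analyze(attempts, window=600):
    """Run all three heuristics over fixed windows; returns one report per window."""
    end = max(t for t, _, _, _ in attempts)
    reports, start = [], 0
    while start <= end:
        chunk = in_window(attempts, start, window)
        reports.append({
            "start": start,
            "per_ip": per_ip_offenders(chunk),
            "per_account": per_account_offenders(chunk),
            "stuffing": global_stuffing_signal(chunk),
        })
        start += window
    return reports


if __name__ == "__main__":
    traffic = normal_traffic() + stuffing_wave() + single_source_bruteforce()
    for r in analyze(traffic):
        print(f"window @{r['start']:>5}s  per_ip={r['per_ip'] or '-'}  "
              f"per_account={r['per_account'] or '-'}  stuffing_signal={r['stuffing']}")
```

The middle window (the stuffing wave) is the interesting one: both per-IP and per-account sets come back empty while the site-wide signal fires, which is why a per-IP limit alone does nothing against "a bunch of zombies" and why the second-factor requirement in the thread is the control that actually stops a correct reused password from working.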
Mandatory 2FA.
Easy.