Kasada was recently in the news after identifying a credential stuffing campaign targeting Australian retail, fast food, and entertainment outlets. The discourse around this type of reporting – and responses from affected companies – usually contain the same few statements: “A small number of accounts were affected” and “Customers should ensure they do not reuse passwords across multiple sites.” This shifting of risk to affected customers, regardless of the number of accounts impacted, highlights a tension within cybersecurity, that of balancing security and usability.
Security is a team sport. When everyone plays their part, we raise the effort required for a criminal group to successfully bypass security controls. Credential stuffing and account takeover attacks are often the visible effects of someone not playing at the top of the game.