This Risk Alert highlights “credential stuffing” — a method of cyber-attack to client accounts that uses compromised client login credentials, resulting in the possible loss of customer assets and unauthorized disclosure of sensitive personal information.
The Office of Compliance Inspections and Examinations (“OCIE”) has observed in recent examinations an increase in the number of cyber-attacks against SEC-registered investment advisers (“advisers”) and brokers and dealers (“broker-dealers,” and together with advisers, “registrants” or “firms”) using credential stuffing. Credential stuffing is an automated attack on web-based user accounts as well as direct network login account credentials. 1 Cyber attackers obtain lists of usernames, email addresses, and corresponding passwords from the dark web2 and then use automated scripts to try the compromised user names and passwords on other websites, such as a registrant’s website, in an attempt to log in and gain unauthorized access to customer accounts.
