P2021-ND-085

In January 2019, the Organization determined that its Canadian consumer-facing website, https://mcmbcrs.transunion.ca had been the target of a “credential stuffing” attack. The Organization investigated and, in February 2019, found that failed login attempts could be traced back to credential stuffing by an unknown and unauthorized third party. The Organization reported the attacker appears to have directed a cache of valid and invalid credentials at its systems for the purposes of identifying which credentials worked and which did not. Some of the credentials ended-up being valid (i.e. they were the same credentials that the user had also used on a third party’s system) and these credentials were then used to access user accounts illegally and without authorization. The Organization reported the attacks appear to have started no earlier than February 2018, and from the investigation it appears that access was generally obtained on a one-off basis.

File Type: pdf
File Size: 188 KB
Categories: 2021