The Securities and Exchange Commission’s exam division is warning about an increase in cyberattacks against advisors and broker-dealers. The attacks involve “credential stuffing,” in which bad actors target client accounts using compromised client login credentials, and they can result in loss of customer assets and unauthorized disclosure of personal information.
The agency’s Office of Compliance Inspections and Examinations has observed credential stuffing in recent exams.
Cyber attackers, the OCIE Risk Alert states, obtain lists of usernames, email addresses and corresponding passwords from the dark web.
They then use automated scripts to try the compromised usernames and passwords on other websites, such as a registrant’s website, in an attempt to log in and gain unauthorized access to customer accounts.
“Credential stuffing is emerging as a more effective way for attackers to gain unauthorized access to customer accounts and/or firm systems than traditional brute force password attacks,” the alert states.
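One way a firm could tell the two patterns apart in its own login logs, shown as an added example that is not part of the Risk Alert or this article: credential stuffing appears as one attempt each against many accounts, while brute force appears as many attempts against few accounts. The event format, thresholds and function name are assumptions, and the sample events are constructed.

```python
from collections import defaultdict

# Constructed sample login events: (epoch_seconds, source_ip, username, success)
SAMPLE_EVENTS = (
    # 203.0.113.7: one attempt each against many different accounts, one succeeds
    [(1000 + i, "203.0.113.7", f"client{i:03d}", i == 17) for i in range(40)]
    # 198.51.100.9: many guesses against a single account
    + [(1000 + i, "198.51.100.9", "jsmith", False) for i in range(40)]
    # 192.0.2.44: ordinary user who mistypes once, then logs in
    + [(1005, "192.0.2.44", "mlee", False), (1020, "192.0.2.44", "mlee", True)]
)

def classify_sources(events, window=300, min_failures=20, spread=0.8):
    """Label each source IP by its failed-login pattern within `window` seconds.

    Thresholds are illustrative assumptions, not values from the Risk Alert.
    """
    by_ip = defaultdict(list)
    for ts, ip, user, ok in sorted(events):
        by_ip[ip].append((ts, user, ok))
    verdicts = {}
    for ip, rows in by_ip.items():
        label, hit = "normal", set()
        start = 0
        for end in range(len(rows)):
            # Slide the window so it never spans more than `window` seconds.
            while rows[end][0] - rows[start][0] > window:
                start += 1
            win = rows[start:end + 1]
            failed = [u for _, u, ok in win if not ok]
            if len(failed) < min_failures:
                continue
            # Distinct accounts per failure: near 1.0 means a list of leaked
            # pairs is being replayed; near 0 means one account is being guessed.
            ratio = len(set(failed)) / len(failed)
            label = "credential_stuffing" if ratio >= spread else "brute_force"
            if label == "credential_stuffing":
                # A success inside a stuffing window is an account whose
                # reused password worked; it needs a reset and a review.
                hit |= {u for _, u, ok in win if ok}
        verdicts[ip] = {"label": label, "compromised": sorted(hit)}
    return verdicts

if __name__ == "__main__":
    for ip, verdict in classify_sources(SAMPLE_EVENTS).items():
        print(ip, verdict)
```

Grouping by source IP is a simplification: attempts spread across many addresses would need the same ratio computed site-wide or per network range.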