Digital identities are embedded in our lives, and their sheer breadth makes it increasingly hard to protect our accounts and business systems from attacks. The body of data stolen by criminals and traded between bad actors has continued to grow dramatically, year over year.
To further complicate an already complex threat landscape, malicious actors are moving beyond the traditional use of stolen username and password pairs to perpetrate crimes against consumers and organizations. In targeted attacks, actors have developed the capability to search for information about their victims across many distinct stolen datasets.
Using these expanded datasets, criminals have dramatically increased the scope of their attack patterns, drawing on identity records that come from different sources and can be linked together through PII such as Social Security numbers or social handles. As a result, users now have to worry about their combined digital identity, which can be formed by cross-referencing all of the information that has been stolen about them from dozens or hundreds of sources.
To make matters even worse, criminals have responded to improved authentication technologies by sidestepping user authentication methods altogether. Bad actors can access stolen session cookies and 2FA secrets to impersonate their victims, making it extremely difficult to differentiate between legitimate users and criminals.