Enterprotect

Fintech Customer Accounts Locked After Credential Stuffing Attack

Exploit: Credential Stuffing
Company: MoneyLion
Industry: Financial, Fintech
Source: https://www.doj.nh.gov/consumer/security-breaches/documents/moneylion-20210927.pdf

Customers of the financial services platform MoneyLion were recently targeted by a credential stuffing attack. Affected users of the mobile banking and investing app were informed that their accounts were locked after “an unauthorized outside party appears to have been attempting to gain access to (their) account on the applications.” The breach notice sent to the New Hampshire Attorney General’s office further stated that threat actors were using “an account password and/or possible email address that appears to have been potentially compromised in a prior event,” to gain access to targeted users’ accounts. In other words, cyber criminals were trying a large collection of leaked username and password combinations, obtained from security breaches of other online platforms, in the hope of finding users who reuse the same credentials across multiple accounts.

MoneyLion’s breach notice stated that the attacks took place over a span of several weeks between June and July of 2021. The organization is assuring the attorney general and its clients that there is no evidence a data breach occurred and that no user information was stolen. However, on top of locking accounts to force users to reset their credentials, MoneyLion is taking precautionary measures that include enabling multi-factor authentication for logins and urging users to remain vigilant for any signs of fraud.
