Hackers using “push bombing” to bypass your MFA/2FA

Multifactor authentication (MFA) is the gold standard in offices around the world and 2FA is the standard for end users. We all know the drill: you use your username (often your email address) and, perhaps, as the password, the name of your first dog and your kid’s DOB.

Not very foolproof, and not recommended, but often the end user isn’t too worried. In their mind, they know that if the hacker does figure out their crappy password using various tools or techniques, they still must find their way past the 2FA/MFA layer of security.

Beware of “push bombing”

However, what you may not realize is that hackers have developed many tried-and-true methods for circumventing your 2FA/MFA security, including social engineering attacks, spear-phishing, and DDoS attacks. There is another favorite tool hackers have at their disposal, one that relies on users being tired, frazzled, or annoyed enough to “cave in,” which is especially prevalent in the lead-up to the holiday season.

Users and organizations frequently implement multi-factor authentication (or 2FA) that uses push notifications to protect their employees and customers. The process is simple: you type in your password, receive a notification that is “pushed” to your smartphone, and approve the access. Many Identity Providers (IdPs) and MFA products work in this way. The problem with push notification MFA is that, like most things, it can be exploited.

  • The 2022 Passwordless Security Report found that push attacks grew 33% year over year
  • Push attacks are a favorite tactic of Nobelium, the Russian hacking group behind the massive SolarWinds supply chain attack.
  • The recent attacks by the Lapsus$ hacking group underscore the level of risk push notification MFA creates for organizations.

What Are Push Attacks?

Push attacks (also called push bombing attacks, push fatigue attacks and MFA-prompt bombing) are used by malicious actors to get past push notification MFA. The attacker is usually already in possession of a valid username and password. With 15 billion stolen passwords available on the dark web, this is trivial. The attacker spams the victim with notifications to authenticate until the victim is fatigued and finally accepts one. When deployed on a mass scale using automated attack tools, even a 3% success rate is significant.
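
The pattern described above (a run of denied or ignored prompts for one account, then a single approval) can be spotted in sign-in logs. The following Python detection logic is an added example, not part of the original article; the event fields, the 10-minute window and the threshold of 5 prompts are assumptions rather than any vendor's log schema, and the sample events are constructed.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample events (not real logs): (timestamp, user, source IP, push outcome).
# Outcome is "approved", "denied" or "timeout" (prompt ignored). Field names are assumptions.
SAMPLE_EVENTS = [
    ("2022-12-01T02:10:00", "bob", "203.0.113.50", "denied"),
    ("2022-12-01T02:10:40", "bob", "203.0.113.50", "timeout"),
    ("2022-12-01T02:11:15", "bob", "203.0.113.50", "denied"),
    ("2022-12-01T02:12:00", "bob", "203.0.113.50", "timeout"),
    ("2022-12-01T02:12:30", "bob", "203.0.113.50", "denied"),
    ("2022-12-01T02:13:10", "bob", "203.0.113.50", "timeout"),
    ("2022-12-01T02:13:50", "bob", "203.0.113.50", "approved"),
    ("2022-12-01T09:00:05", "alice", "198.51.100.7", "approved"),
    ("2022-12-01T09:30:00", "carol", "192.0.2.10", "denied"),
    ("2022-12-01T09:31:00", "carol", "192.0.2.10", "approved"),
]


def detect_push_bombing(events, window=timedelta(minutes=10), threshold=5):
    """Return alerts for bursts of unapproved push prompts per user.

    "burst"                -> threshold reached inside the window (user is being spammed)
    "approved_after_burst" -> an approval arrived while a burst was in progress
                              (treat the resulting session as suspect)
    """
    recent = defaultdict(deque)  # user -> timestamps of unapproved prompts inside the window
    flagged = set()              # users whose current burst already raised a "burst" alert
    alerts = []

    # ISO 8601 timestamps in one format sort correctly as strings.
    for ts_raw, user, ip, outcome in sorted(events):
        ts = datetime.fromisoformat(ts_raw)
        q = recent[user]

        # Drop prompts that have aged out of the sliding window.
        while q and ts - q[0] > window:
            q.popleft()
        if not q:
            flagged.discard(user)

        if outcome == "approved":
            if len(q) >= threshold:
                alerts.append({"type": "approved_after_burst", "user": user,
                               "ip": ip, "prompts": len(q), "time": ts_raw})
            # An approval ends the current run of prompts either way.
            q.clear()
            flagged.discard(user)
        else:
            q.append(ts)
            if len(q) >= threshold and user not in flagged:
                flagged.add(user)
                alerts.append({"type": "burst", "user": user,
                               "ip": ip, "prompts": len(q), "time": ts_raw})
    return alerts


if __name__ == "__main__":
    for alert in detect_push_bombing(SAMPLE_EVENTS):
        print(alert)
```

An `approved_after_burst` alert is the one to act on first: revoke the session and reset the password, since the attacker already holds valid credentials.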

How Does a Push Attack Work?

Consider this: what happens when you’re busy, immersed in your work, and you receive a notification on your phone to approve?

Do you always read the notification? How likely are you to casually approve a message or prompt out of habit, just to get on with your day? Would a less tech-savvy user in your organization tap “Approve” on their mobile app, even if it was a fake push notification? 

The reality is that they are very likely to do so. Push notifications have become so numerous that people often hastily approve them — not knowing or understanding the repercussions this can have on their work environment. In 2018, malicious actors exploited this tendency toward “push fatigue” multiple times in concert with phishing tools to target politicians involved in the economic and military sanctions against Iran. More recently, large swaths of Microsoft 365 users were targeted in a push attack campaign.

Push Attack Vulnerability Factors

Sending fake approval messages to a user is nothing new; we’ve seen them take the form of SMS phishing, fake login pages and, of course, the classic Google Drive email attachment.

Push notification attacks take advantage of a few key factors:


The attackers prey on a particular lack of awareness on the user’s part. Many people outside the Security Operations Center (SOC) don’t even know this is happening. Companies invest heavily in security education to protect employees from falling victim to password phishing and more traditional attacks. It’s going to be a while before the push attack problem is part of users’ daily vocabulary.


Push-based approvals are often introduced to the enterprise along with an MFA app such as Salesforce Authenticator. The user associates the action of approving a request with a security feature. Given this, it’s understandable that people aren’t quick to be suspicious of this functionality.

Cognitive Overload

Between texts, emails, Spotify alerts, etc., our smartphones are overloaded with notifications. There is simply too much information to process — and hackers take advantage of this overload. Users who receive dozens or even hundreds of notifications a day are not likely to think too hard about them. The likelihood of a single rogue login approval being overlooked or approved by accident is low, but at scale, it becomes a very promising attack vector.

Compromisable Push Notification MFA

Of course, the elephant in the room here is the fact that standard push notification MFA is inherently flawed and increasingly being used as an attack vector.

Can You Prevent Push Attacks?

The good news is that you can use alternative authentication flows that better secure you or your users, increase your login speed and provide a smoother user experience.

These attacks are generally going to be targeted at employees of organizations the attackers want to gain access to, rather than at individuals.

If you are just an end user looking to protect access to your online services and accounts, the easy solution is to not use an MFA/2FA solution that simply requires you to tap “approve” on your mobile device (such as Windows Hello or Android authentication), which gives access to anyone who is asking.

Instead, use a solution that actually requires you to interact with the service/website that you are logging into, such as entering a One-Time-Password (OTP) from your authenticator app or confirming an on-screen code that you will only know if you are the one logging in.

This will stop you from simply approving a malicious actor’s requests, either accidentally or through fatigue.
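
To show why an on-screen code defeats a blind “approve”, here is the server side of such a check as an added Python example (not code from the original article or from any product it names). The class and method names, the two-digit code, the 60-second lifetime and the three-attempt limit are all assumptions chosen for illustration.

```python
import hmac
import secrets
import time


class NumberMatchingMFA:
    """Second-factor check where the code is shown only on the login screen.

    The prompt sent to the phone does not contain the code, so someone who
    merely receives a prompt (and did not start the login) cannot approve it.
    """

    def __init__(self, ttl_seconds=60, max_attempts=3, clock=time.monotonic):
        self._ttl = ttl_seconds
        self._max_attempts = max_attempts
        self._clock = clock          # injectable so expiry can be tested
        self._pending = {}           # challenge_id -> challenge state

    def start_login(self, user):
        """Called after the password check. Returns (challenge_id, code).

        The code is displayed in the browser that started the login; only the
        challenge_id travels to the phone.
        """
        challenge_id = secrets.token_urlsafe(16)
        code = f"{secrets.randbelow(100):02d}"
        self._pending[challenge_id] = {
            "user": user,
            "code": code,
            "expires": self._clock() + self._ttl,
            "attempts": 0,
        }
        return challenge_id, code

    def respond(self, challenge_id, entered_code):
        """Called when the phone answers. True only for the matching code."""
        challenge = self._pending.get(challenge_id)
        if challenge is None:
            return False  # unknown, already used, or locked out
        if self._clock() > challenge["expires"]:
            del self._pending[challenge_id]
            return False

        challenge["attempts"] += 1
        # A bare "approve" tap carries no code and is rejected like a wrong code.
        ok = entered_code is not None and hmac.compare_digest(
            str(entered_code).encode(), challenge["code"].encode()
        )
        # One-time use: a success or too many failures retires the challenge,
        # which also limits guessing against the short code.
        if ok or challenge["attempts"] >= self._max_attempts:
            del self._pending[challenge_id]
        return ok


if __name__ == "__main__":
    mfa = NumberMatchingMFA()
    cid, shown = mfa.start_login("alice")
    print("blind approve accepted:", mfa.respond(cid, None))
    print("matching code accepted:", mfa.respond(cid, shown))
```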

For corporate solutions, read on.

Taking a User-First Approach to Authentication

One solution is to deploy mobile-initiated authentication at the front door to your corporate experience: your computer.

When you combine user-first login with desktop SSO, you can achieve a very high level of assurance for desktop login, web applications and Single sign-on. It’s more secure than a push-based login and it gives you instant access across SSO-protected apps and corporate resources.

For example, with HYPR True Passwordless™ MFA, your smartphone acts as a remote control for your computer. You tap on the HYPR mobile app to select your computer, provide your preferred biometric or decentralized PIN and gain access to your desktop. 


User-initiated authentication for desktop SSO addresses multiple threats:

  • Clarifying Intent: The login action is initiated by the user. This requirement signals a clear intent to log in. Moving the first step from the desktop to the smartphone keeps a malicious actor from spamming the user with requests to access their workstation, and subsequently, all of their corporate resources.
  • Stops phishing: Login of this kind is phishing resistant, preventing you from inadvertently approving any access request because it’s an active process that begins on your smartphone. Access is granted only when you make the conscious decision to unlock your smartphone.
  • Elimination of passwords: HYPR’s mobile-first login does not utilize passwords. Going passwordless also means you’ll worry less about credential stuffing, brute force, and SIM-swapping attacks that are common among legacy, password-based MFA solutions.

MFA By Design

The mobile-initiated login method is multi-factor by design. It provides factors for:

  • Something you are: your fingerprint, face scan, or other biometric recognition. 
  • Something you have: your smartphone, which acts as a physical FIDO token, similar to a smart card.
  • Something you know: a decentralized PIN that’s also stored safely on your device.

Now that the user has strong authentication into their computer, your SSO provider can extend that strong binding to provide seamless access into other resources across the enterprise without additional friction.

Log into SSO With QR Code

Passwordless MFA that supports QR code scanning provides the strongest protection against push attacks. This eliminates push notifications entirely, even for direct SSO login. The QR Login feature lets users log into their SSO-managed web apps by scanning a QR code with the app or camera on their smartphone.


This prevents push fatigue and its potential for push attacks. It gives more control to the end user, as they initiate their authentication by scanning the code rather than waiting for a push notification to arrive on their smartphone. QR Code login is also inherently multi-factor, as it utilizes something you have (your phone) and something you are (biometric validation).

Preventing Push Attacks: Key Takeaways

With push notification MFA, organizations are relying on the weakest link known to security — people. It’s human nature to take the path of least resistance, including recklessly accepting push notification authentication requests so we can continue on with our day. 

As cyber threats evolve, so must our security solutions. Here are key takeaways to help your organization steer clear of push attacks:

  • Push-based MFA is subject to bypass by commonly used tools such as Modlishka and by phishing.
  • Initiating login on the user’s smartphone creates a phishing-resistant flow so your employees cannot be tricked into logging into the enterprise. 
  • Mobile-initiated login at the desktop is inherently multi-factor; this means you can leverage your SSO provider for instant access to cloud and web applications.
  • QR Code login to SSO eliminates push notifications entirely from the authentication process.

What is the difference between 2FA and MFA?

Cybersecurity is a complex topic, and if you are the average layperson, you have likely found yourself asking “What is the difference between 2FA and MFA?”

In simple terms, Two-Factor Authentication (2FA) requires users to demonstrate exactly two distinct methods of authentication, whereas Multi-Factor Authentication (MFA) requires users to demonstrate a MINIMUM of two distinct methods of authentication but can be more. So, all 2FA is MFA, but not all MFA is 2FA.

If you are new to the world of cybersecurity, terms such as MFA and 2FA may appear rather cryptic to you. Sometimes MFA and 2FA are used interchangeably, but although similar, they are not the same thing. Both acronyms have been in wide use for years and happen to be an inseparable part of online security, so let’s once and for all clear up the confusion around MFA and 2FA.

Preliminary Definitions

In order to fully comprehend what MFA and 2FA are, you have to understand two concepts: that of authentication and that of a factor of authentication.

Authentication is a process during which a security system decides if the person who tries to log in is exactly who they claim to be.

The preceding definition entails that a security system has to find a way to ensure that the person who tries to log in as Bob is indeed Bob and not someone pretending to be Bob. The security system should not grant access to some other person using Bob’s credentials. So how can a security system know that the person is Bob?

Well, Bob has to successfully present adequate evidence of his identity and then and only then will he be granted access.

A factor of authentication is a piece of evidence that a user has to present to prove they are who they claim to be. 

The three basic Factors of Authentication are:

  • Knowledge Factor – represents what you know, e.g. a password
  • Possession Factor – represents what you have, e.g. a phone, a security token
  • Inherence Factor – represents who you are, e.g. your fingerprint or eye retinal pattern

MFA vs. 2FA

Multi-Factor Authentication (MFA) is a type of authentication that requires two or more factors of authentication.

Two-Factor Authentication (2FA) is a type of authentication that requires exactly two factors of authentication.

Two-Factor Authentication is, therefore, a subset of Multi-Factor Authentication, and the following two sentences are true:

  • Every Two-Factor Authentication is Multi-Factor Authentication
  • Not every Multi-Factor Authentication is Two-Factor Authentication

Why Is One Factor Not Enough?

The Knowledge Factor is the most commonly used factor of authentication. A password you enter every time you log in to an application is an example of the Knowledge Factor. Unfortunately, passwords have long proved insufficient in the contemporary world. Simply put, passwords are not secure enough.

Cybercriminals have invented a wide range of methods to intercept and hack somebody’s password, from phishing to keylogging to rainbow table attacks. If passwords are your sole line of defense against unauthorized access, then you had better enable Multi-Factor Authentication, along with a password manager, in your workforce before it’s too late.

How Does Introducing More Factors Improve Security?

MFA adds more factors of authentication and therefore eliminates security threats associated with low security of passwords. You can think of every factor as an additional lock, with varying levels of difficulty of breaking them. If you introduce Two-Factor Authentication (2FA) to your users’ login experience, then even if a malicious third party manages to break the weak lock (password), they will not be able to open the door because the strong lock (e.g. the Mobile Push authentication request method) will stop them.

The Mobile Push authentication method is an example of the Possession Factor. Mobile Push is one of the methods your users can use if they install a mobile authentication app. Assuming the attacker already broke your password, now they have to steal or gain remote access to your phone, which isn’t impossible but much harder than cracking a password. Stealing or gaining access to your phone requires additional steps on the attacker’s side, which in turn means more time for you to react. Simply tapping DENY on your phone will stop any malicious attempt at breaking into your account.

Human Error And More Factors of Authentication

Nobody’s perfect. It’s human to err. Sometimes you work under stress or pressure and it’s so easy to get distracted. Attackers know this and they will try to attack you when you are the weakest. You can make a mistake that will cost you your data and money. Two-Factor Authentication significantly mitigates the probability of human error but does not eliminate it. Introducing yet another factor of authentication will make your authentication even stronger and the chances of human error are negligible.

One way to further reinforce your MFA is turning on fingerprinting in your Authenticator.

With fingerprinting turned on, your Mobile Push Multi-Factor Authentication may look as follows:

[Image: Mobile Push Multi-Factor Authentication with fingerprinting turned on]

Again, adding more factors of authentication is like adding more locks to your door, each lock harder to crack than the other. In the login example above, three factors of authentication were used: Knowledge Factor (password), Possession Factor (phone), and Inherence Factor (fingerprint). Since three factors were used, the preceding is an example of Multi-Factor Authentication but not Two-Factor Authentication.

Enable MFA/2FA Now

To reiterate, MFA involves introducing more factors of authentication to the process of authentication. 2FA is a subset of MFA that involves using exactly two factors of authentication. Using just one factor in the form of a password is not secure enough, and that’s why you have to enable Multi-Factor Authentication in your company.

Time is of the essence. Now that you understand what MFA/2FA is and know how insecure using only passwords in your company is, enable MFA before it’s too late! Improving security should be your number one concern now.

Also see: Why you should be using a password manager.

Russ Michaels
Improve your Google Chrome security (it’s not secure by default)

Google Chrome is about as common in office spaces as a water cooler or a coffee maker.

Chrome is also becoming king elsewhere, unless the systems are Macs, where Safari is the browser of choice. With its minimalist, crisp interface and Google brand, most people are quickly satisfied. Even MSPs, with too many other things to handle and not enough people to handle them, can sometimes be lulled into Chrome complacency.

Google is great for its ease of use, but that also makes it easier for hackers to get their hooks in – whether they be outside or even inside jobs.

One area where you really need to take care is to ensure that passwords don’t get saved in the Google browser or indeed any browser. If you are not currently using a password manager, then it is highly likely you are already doing this. While it may be a convenience for the home user that supersedes the security risks, it’s just not worth the risk in a business environment.

If your system gets infected with malware, it can extract all your passwords right out of the browser and you will likely never even know it happened. This happens far more than you might realise.

You have also surely heard of all the support scams, which have been on the rise since COVID, where someone posing as tech support from Microsoft, Google, Amazon, etc. remotely connects to your PC, scams people and often installs malware at the same time.

These scammers can easily steal all your passwords from your browser. Indeed, even a legitimate person providing remote support may innocently poke around and see stored passwords; the temptation is then there to do something bad.

It is recommended to disable the Chrome password storage and instead start using a proper password manager.

New security update from Google

Chrome is not a static product, Hodges points out. People install Chrome on their computers and think it is a one-and-done exercise, but it is not. The algorithms and behind-the-scenes ecosystem are constantly in flux, creating openings for cybercriminals. Recently, Google attempted to tamp down on one discovered opening. They released a security update with an urgent patch on February 14 for Chrome, with the goal of fixing several security issues.

According to Google, “This new Chrome version fixes several security issues, one of which is being exploited actively.” Google did not mention how widespread the attacks are, but Chrome users are highly encouraged to update to the latest version as soon as possible. The security issue is only found on versions of Chrome earlier than 98.0.4758.102.

A hotspot for security vulnerabilities

Most recently, though, an alert was part of a slew of vulnerabilities discovered. Chrome announced earlier in February that it found 27 issues, eight being “high risk”, meaning hackers could exploit them to load malware, steal data, or unleash ransomware. The problems could impact Windows, Linux, or Mac users. These issues come on the heels of a slew of Chrome vulnerabilities discovered last fall, making zero-day attacks more likely.

Tech Times says that “the Chrome browser has recently become a hotspot of different vulnerabilities,” in an article that outlines the specific vulnerabilities and their fixes.

It is recommended to perform an annual “Chrome Audit” to see who is using it as the main browser on their workstations. Once an inventory is made, those Chrome stations should be put on monthly maintenance to fix vulnerabilities and ensure that saved passwords are cleared and fixes are implemented.

Make Chrome a safer place

Another ongoing challenge for business owners and MSPs is the need to work on user training. Even though Chrome is not infallible, it still falls upon the user to make smart decisions and not make it even easier for a hacker to get their hands on information.

Other actions you can take to make Chrome safer include enabling Chrome’s Enhanced Protection (instructions further down). Chrome’s default is the standard browsing experience, but you can switch to the enhanced protection setting, which offers many more security features such as:

  • Blacklisting: If employees visit certain sites prone to problems, then block them.
  • Two-Step Verification on Google Accounts: This adds another layer of built-in security. This can be especially valuable when battling internal office threats, say, a rogue employee trying to access a unit that they shouldn’t be.
  • Extensions: As part of a Chrome audit and maintenance program, make sure unnecessary and unwanted extensions are removed.
  • Script-Blocking: This is a handy feature that will prevent ad-loading and malware-laced video programs from loading.
  • Set Chrome to Default: When in doubt, do a full reset to get rid of unwanted extensions.

A combination of actions by you or your MSP and better education for end-users is a potent mix. Videos, malware, advertising, streaming, and other potentially threatening elements from outside, can converge to make Chrome a very dangerous place without some basic precautions. MSPs are in a good spot to implement these safeguards.

The thing with Chrome is that it is so universal, so widely accepted, that people just get too complacent. Hackers know that and exploit that comfort.

Disable password storage in your browser


To stop Chrome from asking to save your passwords:

  1. Click the Chrome menu in the toolbar and choose Settings.
  2. Click Autofill > Passwords.
  3. Turn off “Offer to save passwords”.


If you’ve saved passwords in Chrome, you can easily import them into most password managers to make sure they’re safe. Then you can delete your saved passwords from Chrome.


To stop Firefox from asking to save your passwords:

  1. Click the Firefox menu in the toolbar and choose Options.
  2. Click Privacy & Security.
  3. Turn off “Remember logins and passwords for websites”.

Microsoft Edge

To stop Edge from asking to save your passwords:

  1. Click the Edge menu in the toolbar and choose Settings.
  2. Click Passwords.
  3. Turn off “Offer to save passwords”.


To stop Brave from asking to save your passwords:

  1. Click the Brave menu in the toolbar and choose Settings.
  2. Click “Additional settings”, then click Auto-fill.
  3. Click Passwords.
  4. Turn off “Offer to save passwords”.

Internet Explorer

To stop Internet Explorer from asking to save your passwords:

  1. Click the Settings menu and choose “Internet options”.
  2. Click the Content tab.
  3. In the AutoComplete section, click Settings.
  4. Turn off “Forms and Searches” and “User names and passwords on forms”, then click OK.

What Is Enhanced Protection in Google Chrome?

Google Chrome’s Enhanced Protection is a browsing security feature that substantially increases safety on the web against dangerous downloads and websites. 

If you’re signed into Chrome and other Google apps you use, you can get improved protection based on the attacks against your Google account and threats you encounter on the web.

Plus, if you rely on Chrome extensions to help you improve your browser experience or be more productive, Enhanced Protection helps you choose safer extensions before installing them on your device.

Enhanced Protection is different from the Standard protection on Chrome, which only offers warnings about potentially risky sites, extensions and downloads. Plus, with Standard protection, you can select whether to get warnings about password breaches or improve security on the web by sending more information to Google.

Specifically, Enhanced Protection enables the following: 

  • Displays a dialog that alerts you whether the extension is trusted or not. Trusted extensions are those that are built by developers who follow the Chrome Web Store Developer Program Policies.
  • Predicts and notifies you about dangerous events before they occur.
  • Increases your safety on Chrome and can be used to improve security in other Google apps you’re signed into.
  • Warns you if login credentials are exposed in a data breach.
  • Offers better protection against risky files you download on the web. Enhanced Protection uses metadata about the file to determine if it’s potentially suspicious and warns you about it.
  • Sends additional information to Google about your activity.

How to Enable Enhanced Protection in Google Chrome

Enhanced Protection is available for Chrome on mobile and desktop. The steps to enable the feature are similar on both platforms. 

Enable Enhanced Protection on Desktop

You can enable Enhanced Protection on your computer and increase your safety while browsing the web. 

  1. Open Chrome browser and select More.
  2. Select Settings.
  3. Select Security under the Privacy and Security section.
  4. Next, select Enhanced protection.

Enable Enhanced Protection on an Android Device

Enhanced Protection isn’t limited to desktop devices only. You can also enable the feature on your Android phone or tablet. 

  1. Open Chrome and tap More (three dots).
  2. Next, tap Settings.
  3. Tap Privacy and Security.
  4. Next, tap Safe Browsing.
  5. Next, select the Enhanced Protection level.

Enable Enhanced Protection on iOS Devices

Initially, the Enhanced Protection feature wasn’t available on iPhone and iPad. Google has since added it on Chrome for iOS devices so you can get alerts about risky extensions, malware, phishing or sites on Google’s list of potentially unsafe sites.

  1. Open Chrome on your iPhone or iPad and tap More > Settings.
  2. Tap Sync and Google Services.
  3. Next, enable Safe Browsing and then select Done.

Protect Your Device from Real Threat Actors

When it comes to web browsers, security and privacy are major concerns. 

Google’s Enhanced Protection and other security features have further fortified Chrome against malware, phishing and other cyberattacks. The feature helps you avoid zero-day exploits and makes it safer for you to browse the web.

If you want to further protect your device, I highly recommend installing Bitdefender on all your devices, using a password manager and enabling two-factor authentication on all your online accounts and websites wherever possible.

I also provide an affordable Remote Management & Monitoring solution.
Monitoring your Windows OS and installed software for missing patches/updates, with automatic updates.
Plus managed Bitdefender advanced threat protection and endpoint security.

Why fraudsters create fake accounts?

Fraudsters are everywhere on the Internet. If you run a website that allows users to create an account in order to access goods or services then you will definitely encounter your fair share of them. For the purpose of this article, we’ll cover 2 types of such fraudsters.

Plus, the amount of online fraud has increased dramatically over the last couple of years due to the worldwide pandemic, which, according to the latest print-on-demand eCommerce stats, is due to the online business market growing like crazy.

Credit card fraudsters

This is the type of fraudster that you’ll see frequently if you run an online business. They will create multiple fake accounts with various email addresses, often using free or disposable email providers. For them, it’s a form of anonymization to cover their malicious activities. As far as the online merchant is concerned, they are different people because the email address is different.

After creating multiple fake accounts, the fraudster will then attempt to purchase multiple items at the website using stolen credit cards. With different accounts and varying email addresses, it’s often hard to manually trace the culprit. In the end, the online merchant will suffer severe financial losses from chargebacks by the legitimate card owners.

Spamming fraudsters

Now, these guys are everywhere in forums, blogs, review sites, etc. They are often paid shills that are given the task of promoting some dodgy websites or giving fake reviews to boost the status of a questionable product. They just keep spamming everywhere that they can post their website links as well as any review sites.

Similar to the credit card fraudsters, they hide behind the identities of multiple email accounts. Without an automated screening tool, it would be next to impossible to identify all such accounts. Using mass spamming bots, they can severely compromise the integrity of review sites as well as degrade the usage experience of the normal web users.

How to limit the fake account issue?

In the case of the credit card fraudsters, online merchants can use FraudLabs Pro, which offers both plugins and APIs to screen out fraudulent credit card transactions. The highly sophisticated algorithm in FraudLabs Pro, coupled with blacklists powered by feedback from other merchants, makes it a highly effective screening tool to block the transaction.

Since both types of fraudsters rely on fake accounts to perform their nefarious deeds, the use of the FraudLabs Pro SMS Verification is another tool to prevent the fraudsters from signing up with multiple accounts. By requiring a mobile phone number to receive the One-Time-Passcode (OTP) for verification, it is a lot harder for bad actors to successfully sign up for multiple accounts.

In the case of blocking the scammers and spammers on your website, there are plenty of tools available to fight the spammers, which very much depends on what your website is built with. One of the most popular solutions is Cleantalk, which can be installed on any website and blocks spam silently in the background. No annoying captcha or math problems for users to solve.

For added security against other kinds of threats/issues, I recommend Sucuri, which is a web application firewall/proxy service that sits in front of your website and filters all requests for malicious activity and blocks them before they ever reach your website.

For customers using WordPress, it is also critical to have a security plugin to monitor your WordPress installation and protect against malware. A popular passive solution is Malcare, which will detect and automatically remove malware, which is great for sites that are not being professionally managed. At the very least, it is recommended to have the free versions of the Wordfence or Sucuri plugins.


Deploying at least basic security/protection doesn’t need to cost you an arm and a leg, in fact in many cases it is actually FREE. The FraudLabs Pro protection is an easy and fast way to limit the potential damage that fraudsters can do to your website and your reputation. Their Micro plan is completely free, so there is no reason not to give it a try.

FYI, I do use all the above services, both for myself and for many of my clients.

As usual, if you need any help with your security or anything mentioned here, feel free to get in touch.

40 Surprising Hacking Statistics


Did you know that most electronic devices and the majority of Internet-connected (IoT) devices can be hacked?

In this article, we will look at some hacking statistics to illustrate the impact of hackers’ activities in modern society. Naturally, hacks are a great concern for website owners – but the truth is that all Web denizens are susceptible to hacking activity.

In the text below you will find some fantastic stats which will help us to find out:

  • Which is the biggest bank heist that was pulled off by cybercriminals?
  • Which is the most significant data breach of our time?
  • Are ATMs vulnerable to hacker attacks?
  • When did the first hack happen?

Also, we’ll visit the dark web’s markets to see how much it costs to buy a new identity.

Now let’s get started with some hacking stats.

  • There is a hacker attack every 39 seconds
  • Russian hackers are the fastest
  • 300,000 new pieces of malware are created every day
  • Multi-factor authentication and encryption are the biggest hacker obstacles
  • You can become an American citizen for $6,000
  • The cost of data breaches will increase to $2.1 trillion globally in 2019
  • The cybersecurity budget in the US is $14.98 billion

Sounds scary, doesn’t it? Let’s delve in deeper and find more details about each one.

Outrageous Hacking Statistics

Some of the cyber breaches are audacious, others outrageous, yet others simply stunning.

1. There is a hacker attack every 39 seconds.

(Source: Security magazine)

By the time the average person takes a selfie and uploads it to Instagram, the next hacker attack has already taken place.

2. Cybercrime is more profitable than the global illegal drug trade.

(Source: Cybersecurity Ventures)

The profit from the illegal drug industry amounts to around $400 billion annually. For comparison, cybercriminals have earned a total of around $600 billion in 2018.

3. Hackers steal 75 records every second.

(Source: Breach Level Index)

Cybersecurity facts show us the average number of records stolen per second. Breaches are actually a lot rarer than that – it’s just that each breach allows for a lot of records to be stolen.

4. 66% of businesses attacked by hackers weren’t confident they could recover.

(Source: Fortune)

Most businesses don’t really know if they’re prepared for a cyber attack. Actually, 75% of all businesses don’t even have a formal cyber attack response plan.

Cyber attacks statistics reveal that in 2018:

5. 73% of black hat hackers said traditional firewall and antivirus security is irrelevant or obsolete.

(Source: Thycotic.com)

According to the same survey, 80% of hackers say “humans are the most responsible for security breaches”.

6. The cybersecurity budget in the US is $14.98 billion in 2019.

(Source: Statista)

In just two years, the U.S. cybersecurity budget rose by almost 14%. It used to be just $13.15 billion in 2017.

Like everything, there’s a balance in the cyber-world as well. Hacking facts show that:

7. White hat hackers earned over $19 million in bounties in 2018.

(Source: HackerOne)

What’s interesting here is that 81% of them learned their craft mostly through blogs and educational materials online. Only 6% completed a formal class.

8. There are over 715,000 cybersecurity experts employed in the US alone.

(Source: Cyberseek)

There were 313,735 job openings for cybersecurity experts until August 2018. This number will continue to grow as we’ll see a bit later. Cybersecurity statistics assure us this will be one of the best paying jobs in the near future.

Are you learning stuff? Good, those stats are awesome. All these numbers look impressive, don’t they? There are more to come, but let’s pause for a second to see the world through hackers’ eyes.

For example – if you see new technology, the first logical question you may pose is – “What does it do?”

Hackers see it differently, though – their question is “What can I make it do?”

These statistics on hacking may not help us understand how a hacker thinks, but we can make some definitive conclusions about their nature.

First off, let me explain the difference between a black hat hacker, a white hat hacker, and grey hat hacker.

Black hat hackers are hackers with criminal intent.

White hat hackers are hired to test the security of a system. They have permission to do it.

Grey hat hackers don’t have criminal motives, but once they start exploiting a system, they can break some laws.

Now that we have the basics, let’s continue with some…

Stunning Hacker Statistics

The statements below are checked facts, not empty statements.

9. Russian hackers can infiltrate a computer network in 18 minutes.

(Source: Crowdstrike)

Want to reread the above stat? 18 minutes. I drink my morning coffee longer than that.

Russian hackers aren’t wasting any time when they put their mind to it. North Korean hackers need just under two and a half hours. Chinese ones take longer – about 4 hours.

10. Hackers are the average American’s biggest fear.

(Source: Statista)

1% of Americans are wary of hackers stealing their credit card or financial info. Considering how many cyber attacks happen per day in the US, we can understand why that is. US citizens also worry about the possibility of identity theft – 67%.

The possibility of being assaulted or killed by a co-worker where you work – 7%. I sure don’t want to go to their office.

11. You can purchase a consumer account for $1 on the dark market.

(Source: RSA)

You can buy a bus ticket for a dollar. Or you can buy a ticket to an eCommerce site. The choice is yours.

When looking at data breach statistics, we can see that billions of records have been stolen. This created an abundance of credentials for sale, which reflects on their price. Bank accounts still cost more – between $3 and $24 apiece. Most other online accounts cost $1 or less.

12. More than 6,000 online criminal marketplaces sell ransomware products and services.

(Source: McAfee)

A total of 45,000 products are on sale there. If we add all non-ransomware products and services, the number will easily exceed 1 million.

13. 444,259 ransomware attacks took place worldwide in 2018.

(Source: Statista)

Almost 1 in 4 (100,907) occurred within the consumer marketplace.

Hacking statistics for 2019 also show us that:

14. Hackers create 300,000 new pieces of malware daily.

(Source: McAfee)

I guess some people’s fingers never sleep. Let’s hope cybersecurity specialists are up to the task.

And speaking of cybersecurity specialists:

15. There will be 3.5 million cybersecurity job openings in 2021.

(Source: Cybersecurityventures)

There are almost 314,000 job openings for cybersecurity specialists in the US alone as of October 2018. Cybersecurity Ventures expects that cybercrime will more than triple the number of job openings over the next five years.

Now let’s have a break from the hacking statistics for a while.

See, hackers are like you and me in a way. They are curious about the world and themselves. Some of them describe hacking as an adrenaline rush. All people have “their thing” – some dance, some climb mountains and so on. Hackers exploit vulnerabilities. Come to think of it – it’s like a puzzle. Put all the right pieces together, and voila.

Now let’s imagine a situation. You are in a hotel. There is a TV in your room. What do you see? “A TV”, most of you would say. What does a hacker see? A gateway to the hotel’s network. It’s similar to any other target.

How and Why Were Companies Hacked in 2018

Businesses are deemed lucrative and often easy prey, so business owners must be ever vigilant. Choosing a good hosting provider, such as Guru or GetFlywheel, is an important step in the right direction.

16. 65% of companies have over 1,000 stale user accounts.

(Source: Varonis)

Stale accounts and outdated permissions are targets for exploitation and malicious use. Hackers desire data, and they can get it by hijacking an account.

While we’re on the topic:

17. 32% of black hat hackers admit privileged accounts are their number one way to hack systems.

(Source: Thycotic)

Seizing such an account could be pretty easy with a simple phishing attack.

18. 75% of all attacked businesses reported fraudulent emails.

(Source: Cyber Security Breaches Survey 2018)

Fraudulent emails as part of a phishing strategy are still a hacker’s favourite tool to obtain credentials.

Computer hacking statistics also show that:

19. 15% of UK businesses lost control over a network to a hacker.

(Source: Cyber Security Breaches Survey 2018)

Unauthorized use of systems, computers or servers from outside entities rose by 5% in 2018.

20. Companies protect only 3% of their folders.

(Source: Varonis)

And 88% of companies with over 1 million folders have over 100,000 folders open to everyone. Certainly makes a hacker’s job easier.

Lousy protection is one of the main reasons why…

21. 43% of UK businesses have reported breaches or attacks in the last 12 months.

(Source: Cyber Security Breaches Survey 2018)

Cyber attack statistics show 72% of large companies report such events.

22. Up until March 2019, more than 14 billion data records had been lost or stolen.

(Source: Breach Level Index)

The exact number as of March 27, 2019, is 14,717,618,286. Only 4% of these breaches were “Secure Breaches”, meaning the data was encrypted and therefore rendered useless.

So far we’ve looked at the possibilities for hackers to cause damage. Now let’s check out some examples of their handiwork:

How Giants Fall – Data Breach Statistics

The numbers in some of the biggest data breaches are stupefyingly big.

23. Yahoo’s data breach – 3 billion compromised accounts.

(Source: CSO)

It’s quite a story. In 2016 Yahoo admitted the truth about the most significant data breach in history. They publicly stated that 500 million users’ accounts were compromised in 2014.

Later the company declared there was another breach in 2013 with another 1 billion compromised accounts. Finally, in 2017, Yahoo said the whole truth – the attacks had compromised a total of 3 billion user accounts.

It is still the most significant data breach in history.

One of the recent big hacks happened in 2017, when…

24. 209,000 payment card numbers and expiration dates were stolen from Equifax.

(Source: Reuters)

146.6 million names, dates of birth and 145.5 million US social security numbers were taken as well from the credit monitoring firm.

25. Marriott International – 500 million users’ data stolen.

(Source: CSO)

In 2018 Marriott International discovered attackers who had remained in the system since 2014. The hackers stole the credit card numbers and expiration dates of more than 100 million customers. The other 400 million lost “only” some part of their private info – names, passport numbers.

And here’s what the hacked companies will have to pay in 2019:

26. The cost of data breaches will increase to $2.1 trillion globally in 2019.

(Source: Juniper Research)

Well, that’s more than Italy’s GDP in 2018. This number has increased almost four times since 2015.

Since we started talking about money, I want to ask you a question – where is the money?

Once upon a time, there were some people with lots of money. They had so much money, they had to build a house for their money. And that’s how banks appeared.

In the next section, we’ll take a look at the banks hacked in 2018. What do criminals do with banks? They rob them. Cybercriminals do pretty much the same thing, in a more subtle way.

27. Hackers siphoned off $13.4 million from Cosmos Bank in India.

(Source: Hindustan Times)

In 2018 cybercriminals hacked the bank’s servers on August 11 and 13. The culprits stole the card details of around 12,000 Visa cards.

Long story short – the hackers made it rain 15,000 transactions later.

The next one is really exciting. It makes Jesse James look like a harmless kid on the path of righteousness (his dad was a preacher).

One of the most interesting hacking facts online is that:

28. The Carbanak gang of hackers has stolen over $1 billion in total.

(Source: Kaspersky, Securelist)

We can’t classify this as the biggest bank robbery in history, but it sure is interesting. They targeted around 100 banks around the world, and it took 2-4 months to siphon the money out from each one. The losses per bank were up to $10 million each. The cybercriminals started to test the Carbanak malware in 2013, and it’s still on the loose.

The good news is in 2018 the authorities caught the mastermind in Spain.

These next few cyber hacking statistics visualize how much cybercrime can cost us.

29. Cybercrime cost the world almost $600 billion in 2018.

(Source: McAfee)

This number amounts to 0.8% of the global GDP.

To acquire such amounts of money, black hat hackers need specific tools. You can’t find most of them just anywhere. Where do they get them? Let’s find out.

Dark Market Stats

The dark web’s customers may find almost everything there. Thankfully, the light side has some tricks prepared to change the cyber attack statistics in 2019.

30. 68% of black hat hackers say multi-factor authentication and encryption are the biggest hacker obstacles.

(Source: Thycotic)

Use 2FA whenever possible. Just a tip.

The dark web can’t help you much with 2FA, but there’s a lot of stuff you can buy if you have some Bitcoins ready.

31. For as low as $1.25 you can get a Netflix account.

(Source: Wondershare, dr.fone)

Netflix streaming is one of the standard hacking services and widely available. For a small fee, you’ll receive the email and password of someone’s Netflix account. Just imagine how many people’s credentials have been hacked or stolen for the price to get this low.

32. You can purchase the WinPot malware for 1 bitcoin.

(Source: Securelist)

Don’t know what WinPot does? Nothing much. It only makes the ATMs from a popular ATM vendor dispense all the cash from their cassettes.

By the way, did you know that

33. 92% of ATMs are vulnerable to hacker attacks.

(Source: PTSecurity)

There are several ways to hack an ATM, but consider this – if your card data is stolen, then 100% of ATMs would be vulnerable to this kind of attack.

When talking about the dark web and hackers, a question arises – How many hackers are there?

No one knows.

But we can make an educated guess based on the following stat:

34. The Tor network had more than 2.2 million users in 2017.

(Source: Europol)

The dark web hosted almost 60,000 unique onion domains, and around 57% of them hosted illegal content.

And one more interesting fact for the dark market, before we move on:

35. You can become an American citizen for $6,000.

(Source: Blackhat)

You can also buy a fake passport + driving license + ID card from different countries if you can spare 700-900 euro. (approx. $787-$1010 at the exchange rate at the time of writing)

Let’s move on from the hacking statistics of 2018.

Hacking isn’t all about criminal masterminds and cybersecurity. Sometimes it’s fun, and I have a list for you.

Curious Hacks

Not all cyber attacks are malicious or vicious. Hackers have a wicked sense of humour.

36. Operation Cupcake

(Source: Washington Post)

In 2011 MI6 took down the instructions for bomb-making from an online al-Qaeda magazine and replaced them with recipes for cake. I guess the Taliban didn’t fall for it since there were no exploding muffins in the last eight years.

37. #Lil’ Trump

(Source: Eonline)

This is one of the hacking facts I’ll cherish in my memory. In 2013 Donald Trump’s Twitter account was hacked, and the hacker posted some Lil’ Wayne lyrics.

38. Thunderstruck

(Source: Daily Mail)

In 2012, Iran’s nuclear facilities were under cyberattack. The hackers forced workers at two of the nuclear facilities to listen to AC/DC’s Thunderstruck repeatedly at full volume. Even if you’re a fan, it can still annoy you at some point.

39. Friendless Samy

(Source: YouTube)

In 2005 Samy Kamkar took down MySpace. For our younger readers, MySpace was a social network like Facebook, only cooler. If someone shuts down Facebook now, it would be one of the biggest hacks of 2019. However, Samy didn’t want to shut down MySpace. All he wanted was…some friends. To achieve his dream he wrote a worm, exploiting a vulnerability in MySpace. Infected profiles became “friends” to Samy’s page. And then their friends as well and so on. It took Samy a day to get a million friends on his page. MySpace couldn’t take it.

40. The first hack

(Source: TheAtlantic)

In 1903 Guglielmo Marconi (the father of modern radio) was ready to transmit a message via the first wireless broadcasting technology. It used the same system as the telegraph. When he was prepared to send the message, the apparatus began to tap out a message in Morse code. The word was “RATS”, repeated over and over again. The first of the many hacking cases to come in history happened because the radio’s channel wasn’t as private as Marconi thought. More than a century later we still have the same problem.


Well, that’s all folks. I hope you found this article helpful and interesting. We learned some cool facts together and we saw the world of hackers is not just about money. Curiosity and ethics play a large role as well.

Stay safe in 2019.


  1. Security Magazine
  2. Cybersecurity Ventures
  3. Breach Level Index
  4. Fortune
  5. Thycotic
  6. Statista
  7. HackerOne
  8. Cyberseek
  9. Crowdstrike
  10. Statista
  11. RSA
  12. McAfee
  13. Statista
  14. McAfee
  15. Cybersecurity Ventures
  16. Varonis
  17. Thycotic
  18. Cyber Security Breaches Survey 2018
  19. Cyber Security Breaches Survey 2018
  20. Varonis
  21. Cyber Security Breaches Survey 2018
  22. Breach Level Index
  23. CSO
  24. Reuters
  25. CSO
  26. Juniper Research
  27. Hindustan Times
  28. Kaspersky, Securelist
  29. McAfee
  30. Thycotic
  31. Wondershare, dr.fone
  32. Securelist
  33. PTSecurity
  34. Europol
  35. Blackhat
  36. Washington Post
  37. Eonline
  38. Daily Mail
  39. YouTube
  40. TheAtlantic