Realizing that your account has been hacked is anything but pleasant. Cyberattackers gaining unauthorized access to your network exposes your personal information, and once this happens, they can do whatever they want with it.

Are you unsure how they hacked your account, especially when you were careful with your log-in credentials? They probably figured it out with brute force. But you're not alone—some high-profile organizations have also suffered the same fate before.

In this article, we'll highlight five brute force attacks that led to huge security breaches.

What Is a Brute Force Attack?


A brute force attack is the process of systematically trying candidate passwords or login credentials, in the simplest case every possible combination of characters, until the correct one is found. It's more or less a guessing game.

The concept of a brute force attack creates a picture of a cyberattacker sitting at their computer, guessing the password to a system or an account. However, that's only the most basic form.

Cyberattackers have become more sophisticated in their skills over the years. Rather than doing the guesswork themselves, they often use automated tools that let the computer guess the password by trying every possible combination of characters or words at high speed.

Is a Brute Force Attack Illegal?

What determines whether the attack is illegal or not is authorized or unauthorized access. If you use brute force to gain access to someone’s network without their permission, it's illegal.

There are a few cases where a brute force attack can be legal, and that’s mostly during a penetration test. For instance, an organization could hire an offensive security expert to test the strength of its network security by hacking it. In this case, there are clear instructions on what the hacker should do.

Network security providers also use a penetration test to ascertain the network security of their clients. Such clients are fully aware of the penetration test and consent to it.

The Goals of a Brute Force Attack


There are several brute force methods used by attackers for their malicious activities. The method used in an attack depends on the expertise of the attacker, their goal, and the security level of the network.

The types of brute force attacks include simple brute force attacks, dictionary attacks, hybrid brute force attacks, reverse brute force attacks, and credential stuffing.

When carrying out a brute force attack, hackers aim to cause a disruption. Below are five of the main reasons criminals use this tactic.

1. Personal Information Theft

Perpetrators of brute force attacks could hack your network to steal your personal information such as credit card details, account passwords, personal identification numbers (PINs), and other credentials that you use for online activities.

2. Reputation Damage

Brute force attacks can be used for revenge purposes. An aggrieved person could hire the services of cyberattackers to hack your network with brute force, and use your sensitive data to tarnish your reputation.

3. Selling Credentials to Third Parties

Having gained access to your credentials, a hacker could sell them to third parties who are willing to pay a lot of money for them. The market price of your credentials is determined by how valuable they are to the buyer.

4. Ransom

Cyberattackers could use brute force attacks to hijack your system and make demands from you to pay a ransom before they will let you back into your network.

Real-Life Examples of Brute Force Attacks


Over the years, there have been several brute force attacks against organizations. Users on these platforms lost personal information, and—in some cases—funds. In some cases, the organizations also suffered a lawsuit for their failure to prevent the attacks.

Let's take a look at five real-life brute force attacks, and what their consequences were.

1. Dunkin’ Donuts (2015)

Coffee franchise Dunkin’ Donuts suffered a brute force attack that led to its users losing huge sums via the company’s mobile app and website. Cyberattackers used brute force to gain unauthorized access into the accounts of 19,715 users within five days, stealing their money.

The company was later slammed with a lawsuit for not informing its users about the compromise so they could take necessary measures to protect their accounts.

Although Dunkin' Donuts initially denied playing a part in the attack, it later agreed to pay the sum of $650,000 in settlement of the lawsuit.

2. Alibaba (2016)

The popular eCommerce platform Alibaba was a victim of a brute force attack that compromised the accounts of around 21 million users in 2016. During the attack, which took place between October and November that year, the attackers gained unauthorized access to the usernames and passwords of 99 million users.

Leveraging the database at their disposal, they compromised 20.6 million user accounts.

Experts revealed that the primary cause of the attack was password reuse. It was discovered that the majority of the affected users were using the same password for the platform as for their other accounts. Another cause of the attack was weak passwords. Some of the users had weak passwords that were easy to figure out.

3. Magento (2018)

Magento is another popular eCommerce platform, and—like Alibaba—suffered a brute force attack that compromised its admin panels in 2018.

According to the researchers who discovered the attack, no fewer than 1,000 account credentials were found on the dark web. The attackers’ goal was to scrape the credit card numbers of account holders and infect their devices with malware for cryptocurrency mining.

Experts believed that the number of affected accounts was higher than the 1,000 reported. The compromised stores ran Magento's open source edition, and the company disclosed that the attackers leveraged the weak passwords of its users to carry out the brute force attack, and advised its users to create stronger passwords to avoid a recurrence.

4. Northern Irish Parliament (2018)

The Northern Irish Parliament was the target of a brute force attack that compromised the accounts of some of its members in 2018.

Investigations into the attack revealed that it was initiated by external sources. The attackers accessed the mailboxes of assembly members by trying several passwords.

The affected accounts were deleted, and parliament members were advised to change their passwords to stronger ones. Instead of using single words, they were advised to use passphrases.

5. Canada Revenue Agency (2020)

The Canada Revenue Agency (CRA) was a victim of a brute force attack that compromised around 11,000 accounts belonging to the CRA and other government-related services in August 2020.

Perpetrators of the attack targeted the Canada Revenue Agency (CRA) and the Government of Canada Key service (GCKey), services that enable Canadians to access various government programs and services in the country.

Experts revealed that the attackers used previously stolen login credentials, such as usernames and passwords, to hack the affected accounts. The attack is a reminder that it's not advisable to use the same password on multiple websites or accounts. You can reduce your exposure to brute force attacks by creating strong, unique passwords for yourself.
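The two patterns described on this page, an attacker hammering one account with many guesses and an attacker trying stolen credentials against many accounts once each (credential stuffing, as in the CRA case), look different in authentication logs. The following is an added example, not code from the original article: a small detector run over constructed OpenSSH-style "Failed password" lines, using documentation IP addresses and made-up usernames.

```python
import re
from collections import defaultdict

# Matches the OpenSSH "Failed password for <user> from <src>" line shape used below.
FAILED_RE = re.compile(
    r"Failed password for (?:invalid user )?(?P<user>\S+) from (?P<src>\S+)"
)

# Constructed sample auth log (RFC 5737 documentation addresses, fictional users).
SAMPLE_LOG = "\n".join(
    # one source hammering a single account: classic password guessing
    [f"Jan 10 10:00:{i:02d} host sshd[1]: Failed password for alice from 203.0.113.5 port {4000 + i} ssh2"
     for i in range(8)]
    # one source trying many different accounts once each: credential stuffing
    + [f"Jan 10 10:01:{i:02d} host sshd[1]: Failed password for user{i} from 198.51.100.7 port {5000 + i} ssh2"
       for i in range(6)]
    # a single typo from a legitimate user: should not be flagged
    + ["Jan 10 10:02:00 host sshd[1]: Failed password for bob from 192.0.2.9 port 6000 ssh2"]
)


def classify_failures(log_text, guess_threshold=5, stuffing_threshold=5):
    """Return {source_ip: kind} for sources whose failures look like an attack.

    'password_guessing'   : at least guess_threshold failures against one account
    'credential_stuffing' : at least stuffing_threshold distinct accounts tried
    Thresholds are illustrative assumptions; tune them to your own baseline.
    """
    per_src_user = defaultdict(lambda: defaultdict(int))
    for line in log_text.splitlines():
        m = FAILED_RE.search(line)
        if m:
            per_src_user[m["src"]][m["user"]] += 1

    findings = {}
    for src, users in per_src_user.items():
        if max(users.values()) >= guess_threshold:
            findings[src] = "password_guessing"
        elif len(users) >= stuffing_threshold:
            findings[src] = "credential_stuffing"
    return findings


if __name__ == "__main__":
    for src, kind in classify_failures(SAMPLE_LOG).items():
        print(f"{src}: {kind}")
```

A real deployment would also bucket failures by time window and feed the flagged sources into rate limiting or lockout rules rather than only printing them.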

Practicing Healthy Cybersecurity Culture

Cyberattacks are forceful by nature, since they involve unauthorized access. Brute force attacks simply automate the guessing with various techniques. A great way to shut hackers out of any form of attack is to implement smart cybersecurity practices. Each additional precaution on your accounts and systems adds one more layer of security that hackers have to bypass, which could be the difference between your personal information being compromised or not.