In the security breach, threat actors performed credential-stuffing attacks to gain unauthorized access to customer accounts. A credential stuffing attack is performed by trying compromised credentials until the targeted system is logged in.
Following the detection of the security breach, Air New Zealand officials stated that the breach did not affect any of the company’s systems, but only individual customer accounts were affected. Upon the relevant explanation, customer accounts were blocked, and customers were contacted to change their login information before using the Airpoints system again.
Logging in to more than one platform with the same login information and not enabling MFA/2FA authentication mechanisms on the platforms cause such attacks to be seen frequently. In this context, it is recommended to consider the following security recommendations not to be the target of similar attacks.
- The same username and password should not be used in more than one online session,
- The login information should be created by applying unique and strong password policies.
- Air NZ customers should be aware of the data that could be leaked to the internet in this breach and used in various phishing/social engineering attacks.