2024 July Cyber Bytes

What are compromised credential attacks?

Compromised credentials can have nasty consequences. This post looks at how these attacks work and what can be done to prevent them.

Marc Dahan, Comparitech.com, October 20, 2023

Compromised credential attacks are a kind of cyber-attack in which malicious actors use lists of compromised credentials to attempt to log into a wide range of online accounts. The goal of the attack, like so many others, is to steal personal/financial information from the compromised account or to take it over altogether. Because authentication is typically achieved via APIs, this kind of attack is a significant threat to API security.

Compromised credential attacks rely on the fact that many people use the same password across multiple accounts. When an organization is hit with a large-scale credential stuffing attack, there isn’t much it can do beyond disabling accounts and requiring users to change their logon credentials.

This post looks at how compromised credential attacks work and what can be done to avoid them.

How do compromised credential attacks work?
In many ways, compromised credential attacks are similar to brute-force attacks, but they differ in a few key ways. In a brute-force attack, the attacker uses an application to automate the cracking of the password by trying many thousands of possible passwords per minute.

Credential stuffers, on the other hand, already have a list of previously cracked and de-hashed passwords that were compromised through various means, such as data breaches, phishing, malware or keyloggers, etc.

In a compromised credentials attack, the attackers won’t manually attempt to log into all the accounts on their lists. Instead, they use an automation tool referred to as brute-force checkers — small applications that automate logging into the accounts, typically from varying IP addresses, to provide some obfuscation to the attackers.

These checkers can use leaked usernames and passwords to attempt logins on many different sites, apps, and services. Because many people use the same password across multiple accounts, attackers can break into any accounts that share a password. These tools can also automatically steal the user’s personal/financial information, adding value to the compromised credentials.

Risks of compromised credentials attacks
The risks associated with compromised credentials attacks are the same as those associated with someone obtaining your credentials for a given account. An ill-intentioned person armed with your valid credentials could:

  • Lock you out of your account
  • Steal your personal/financial information
  • Deface your account/page
  • Modify your information
  • Make purchases in your name
  • Shut down your account
  • Sell your credentials on the dark web
  • Send messages in your name (if it’s an email or messaging account)

And more…
You can add anything related to an online account takeover to the above list.

Common attack flow scenario
In a typical compromised credential attack, the attackers could proceed as follows:

  1. The attackers would start by performing reconnaissance of their target and its API to study it, understand how it works, and identify any flaws they may exploit.
  2. They would also get their hands on lists and databases of previously compromised passwords — many of which may still be valid.
  3. The attackers then configure their automation tool, which will be throttled, to feed the compromised credentials in a way that mimics regular human or business activity. 
  4. Once the automation tool is properly configured, they launch an attack against the login API, usually from various locations, to avoid detection.
  5. The attackers then track their login successes and failures.

Examples of compromised credential attacks
Compromised credential attacks are relatively easy to pull off insofar as one doesn’t need extensive programming skills to mount one. Because of that, compromised credential attacks are pretty common.

23andMe
In late 2023, the genetic testing firm 23andMe confirmed that data relating to millions of its customers had been stolen as a result of a credential stuffing attack. The stolen data included names, profile photos, gender, date of birth, genetic ancestry results, and geographical location.

A 23andMe spokesperson suggested that users’ login credentials “may have been gathered by a threat actor from data leaked during incidents involving other online platforms where users have recycled login credentials.”

PayPal
In December 2022, thousands of PayPal accounts were compromised in a compromised credential attack. Breaches of other, unrelated, sites gave attackers access to logon credentials that they subsequently used to access almost 35,000 PayPal accounts.

Nevertheless, PayPal said that it had no information suggesting that the customers’ data was “misused as a result of this incident.” Users targeted by the attacks were offered a free two-year subscription to Equifax’s identity monitoring service.

Note that PayPal users can easily prevent compromised credential attacks by activating two-factor authentication (2FA) in the “Account Settings” menu.

Nintendo
In 2020, Nintendo fell victim to a compromised credential attack that compromised over 160,000 user accounts. In this case, the checker tool was able to extract billing and account information, including their credit card type (Visa, MasterCard, etc.), their credit card expiration date, as well as the first six digits and the last four digits of their credit cards.

This attack resulted in thousands of Nintendo customers having their accounts taken over, and many also incurred some financial losses.

Zoom
Also in 2020, Zoom was hit with a compromised credential attack that compromised 500,000 Zoom user accounts. In this case, the attackers scraped or purchased lists of compromised credentials from previous breaches dating back to 2013.

Suspecting that many, if not most, users reuse the same passwords across many online accounts, the attackers ran their checker against Zoom and confirmed that at least 500,000 Zoom users were in this unenviable position.

Marriott International
In 2020 yet again, Marriott International suffered a massive data breach as a result of a compromised credentials attack. This breach compromised the accounts of 5.2 million Marriott customers, exposing their contact information, gender, date of birth, and loyalty account information.

The attacker used the login credentials of two Marriott employees, presumably obtained through a mix of phishing and credential stuffing, to collect Marriott customers’ information for an entire month before raising suspicion.

Uber
In October 2016, ride-sharing service Uber suffered an even bigger data breach that exposed the personal information of 57 million Uber users and drivers. It took Uber over a year to disclose the breach. It even went as far as paying the hackers responsible for the breach a cool 100K to delete the data and keep the breach quiet.

Wow — that’s not exactly the definition of “responsible”… The breach exposed the names, email addresses, and phone numbers of Uber customers and drivers and the license plate numbers of roughly 600,000 drivers.

How to defend against compromised credential attacks
The way to defend against compromised credential attacks will depend on whether you’re an organization or an internet user. We will, of course, cover both.

For organizations

  1. Force the use of multi-factor authentication (MFA)

A large part of the success of compromised credential attacks relies on human error, reusing the same passwords on multiple accounts, creating weak passwords to begin with, or both. Multi-factor authentication is one of the best ways to mitigate human error.

MFA or 2FA (multi-factor vs. two-factor) requires something you know (your credentials) and something you have (a device providing a one-time password (OTP)) for you to be authenticated and allowed to log in. Because the OTP will be different with every login, MFA or 2FA can thwart a compromised credential attack.

It will be up to each organization’s IT Security teams to determine if this practice should be applied across the organization or only in certain circumstances deemed of higher risk. That could be logins from specific locations or unknown IP addresses. Your IT Security teams can configure access control lists (ACL) and blocklists to enforce those controls.

  2. Disallow previously compromised passwords

It’s possible to integrate lists of compromised passwords into your authentication systems such that if one of your users ever sets up a known compromised password, the password is rejected and they get prompted to choose another. Such lists, as well as information on integrating the list into your authentication systems, can be found on haveibeenpwned.com.
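One way to wire the haveibeenpwned Pwned Passwords range API into a signup or password-reset check, as an added example that is not code from the article: only the first five hex characters of the SHA-1 hash leave the host (k-anonymity), and the returned suffixes are compared locally. The sample response body is constructed here so the check runs offline; `fetch_range()` performs the live lookup.

```python
"""Reject passwords that appear in the Pwned Passwords corpus using the
k-anonymity range endpoint https://api.pwnedpasswords.com/range/{prefix}.
Added example; SAMPLE_BODY is a constructed stand-in for a live response."""
import hashlib
import urllib.request
from typing import Dict, Optional, Tuple

RANGE_URL = "https://api.pwnedpasswords.com/range/"


def sha1_prefix_suffix(password: str) -> Tuple[str, str]:
    """Return (first 5 hex chars, remaining 35 hex chars) of SHA-1(password).
    Only the prefix is ever sent; the API returns every suffix sharing it."""
    digest = hashlib.sha1(password.encode("utf-8")).hexdigest().upper()
    return digest[:5], digest[5:]


def parse_range_response(body: str) -> Dict[str, int]:
    """Parse 'SUFFIX:COUNT' lines into {suffix: count}. Padding entries with a
    count of 0 (returned when Add-Padding is requested) are dropped."""
    counts: Dict[str, int] = {}
    for line in body.splitlines():
        line = line.strip()
        if ":" not in line:
            continue                       # blank or malformed line
        suffix, _, count = line.partition(":")
        suffix = suffix.strip().upper()
        if len(suffix) != 35:
            continue                       # not a SHA-1 suffix
        n = int(count.strip() or 0)
        if n > 0:
            counts[suffix] = n
    return counts


def breach_count(password: str, range_body: str) -> int:
    """How many times the password was seen in breaches (0 = not found),
    given the API body for its own prefix."""
    _, suffix = sha1_prefix_suffix(password)
    return parse_range_response(range_body).get(suffix, 0)


def fetch_range(prefix: str, timeout: float = 5.0) -> str:
    """Live lookup over the network. Add-Padding makes responses a similar
    size so a passive observer cannot infer the prefix from the length."""
    req = urllib.request.Request(
        RANGE_URL + prefix,
        headers={"User-Agent": "password-policy-check", "Add-Padding": "true"},
    )
    with urllib.request.urlopen(req, timeout=timeout) as resp:
        return resp.read().decode("utf-8")


def password_is_acceptable(password: str, range_body: Optional[str] = None) -> bool:
    """Policy hook: reject any password that appears in a known breach.
    Pass range_body to test offline; otherwise the prefix is fetched live."""
    prefix, _ = sha1_prefix_suffix(password)
    body = range_body if range_body is not None else fetch_range(prefix)
    return breach_count(password, body) == 0


def _constructed_range_body(seen: Dict[str, int]) -> str:
    """Build a body in the API's format from known-weak passwords with made-up
    counts, plus two filler suffixes and one zero-count padding line."""
    lines = [f"{sha1_prefix_suffix(p)[1]}:{n}" for p, n in seen.items()]
    lines += ["0" * 35 + ":12", "F" * 35 + ":3", "1" * 35 + ":0"]
    return "\r\n".join(lines)


# Constructed sample: pretend the API reported "password" 9,659,365 times.
SAMPLE_BODY = _constructed_range_body({"password": 9659365})

if __name__ == "__main__":
    print(breach_count("password", SAMPLE_BODY))              # 9659365
    print(password_is_acceptable("password", SAMPLE_BODY))    # False
```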

  3. Implement CAPTCHAs for logins

You can require users to solve a CAPTCHA in order to be authenticated and allowed to log in. CAPTCHAs can help to prevent compromised credential attacks by slowing them down significantly.

However, CAPTCHAs are not a robust security measure, as they can be bypassed fairly easily if a seasoned attacker has the right tools. CAPTCHAs are only really helpful as a part of a larger security strategy. Remember, too, that CAPTCHAs will significantly slow down your workforce. So it might make more sense to only implement CAPTCHAs in more suspicious circumstances, as with MFA above.

  4. Configure and use an AI-based Intrusion Detection System (IDS)

Traditional IT defenses typically have a hard time detecting suspicious behavior. That’s because of their binary nature. They refer to the account’s permissions or an Access Control List (ACL) and choose between “one” and “zero,” which translates into “grant access” or “deny access.”

But we do have systems available today that can scan for and identify out-of-the-ordinary events. Those systems use AI-powered tech, which has made gargantuan strides in recent years to achieve that.

With an AI-based IDS, you can “teach” it via machine learning to identify “normal” behavior patterns over your network and use that as a baseline for detecting outlier events. That is typically referred to as behavioral analytics. And with a bit of training, your AI-powered IDS will be able to detect suspicious behavior and may well save you from a compromised credential attack.

  5. Use IP address blocklists

There tend to be two ways that organizations use IP address blocklists. And you should probably combine them. The first is by downloading or purchasing malicious IP address lists and using those lists as your block list. These lists are composed of known malicious IP addresses, so there’s really no reason to allow those IPs over your network.

The second way blocklists are used is more dynamic and is based on detecting a certain number of failed login attempts. If a user attempts and fails to log in, say three times, their IP address is added to the block list and their access is cut off. This second type of blocking tends to be temporary to avoid permanently locking out legitimate users. You can implement both of these blocklist strategies simultaneously – which is recommended.

  6. Device or browser fingerprinting

This is a bit of an odd one because device or browser fingerprinting is usually discussed from an online privacy perspective. Advertisers fingerprint your device to track your internet activities without cookies (as many people block third- and first-party cookies these days). However, device fingerprinting can also help defend against compromised credential attacks.

Device fingerprinting combines certain device attributes, such as the operating system it is running, the web browser user agent, the device’s language settings, the available fonts on the device, and the IP address, among other attributes. This is done to uniquely identify the device or, if you will, to create a fingerprint of that device.

The device fingerprint can then be compared to any browser trying to log into the account in question. If they don’t match, the user can be prompted for additional information to authenticate them. Prompting your users for additional information makes more sense than outright blocking devices when they don’t match the fingerprint. That’s because your users are likely to use multiple devices or browsers, so immediately blocking a device that doesn’t match the fingerprint may not be the most practical approach.
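The two blocklist strategies described above (a static list of known-bad IPs plus a temporary lock after repeated failures) and the fingerprint-mismatch step-up can be combined in a single login gate. The following is an added example, not code from the article; the thresholds, the attribute set, and the choice to reduce the IP to its /24 before hashing are assumptions to tune per deployment.

```python
"""Login gate: static IP blocklist + temporary lock after failed attempts +
device-fingerprint step-up. Added example; thresholds and fingerprint
attributes are assumptions, and IPv4 addresses are assumed."""
import hashlib
import ipaddress
import time
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Set

MAX_FAILURES = 3        # "say three times", as in the text
FAILURE_WINDOW = 300    # seconds over which failures are counted (assumption)
LOCKOUT_SECONDS = 900   # length of the temporary block (assumption)


@dataclass
class Device:
    """The attributes the text lists as fingerprint material."""
    os: str
    user_agent: str
    language: str
    fonts: List[str]
    ip: str


def fingerprint(d: Device) -> str:
    """SHA-256 over the normalised attributes. The IP is reduced to its /24 so
    a new DHCP lease on the same network still matches the stored fingerprint."""
    net = ipaddress.ip_network(f"{d.ip}/24", strict=False)
    material = "|".join([d.os, d.user_agent, d.language,
                         ",".join(sorted(d.fonts)), str(net)])
    return hashlib.sha256(material.encode("utf-8")).hexdigest()


@dataclass
class LoginGate:
    static_blocklist: Set[str]                                        # known-bad IPs
    known_devices: Dict[str, Set[str]] = field(default_factory=dict)  # user -> fps
    failures: Dict[str, List[float]] = field(default_factory=dict)    # ip -> times
    locked_until: Dict[str, float] = field(default_factory=dict)      # ip -> expiry
    clock: Callable[[], float] = time.time                            # injectable

    def pre_check(self, ip: str) -> str:
        """Run before the password is even verified: 'block' or 'ok'."""
        if ip in self.static_blocklist:
            return "block"                  # permanent: downloaded/purchased list
        until = self.locked_until.get(ip)
        if until is not None:
            if self.clock() < until:
                return "block"              # dynamic: temporary lock still active
            del self.locked_until[ip]       # lock expired, let the user back in
        return "ok"

    def record_failure(self, ip: str) -> str:
        """Count a failed login; lock the IP once MAX_FAILURES fall in the window."""
        now = self.clock()
        recent = [t for t in self.failures.get(ip, []) if now - t < FAILURE_WINDOW]
        recent.append(now)
        if len(recent) >= MAX_FAILURES:
            self.locked_until[ip] = now + LOCKOUT_SECONDS
            self.failures[ip] = []
            return "locked"
        self.failures[ip] = recent
        return "counted"

    def post_password(self, user: str, device: Device) -> str:
        """After a correct password: 'allow' on a known device, else 'step_up'
        (ask for more proof rather than block, since users switch devices)."""
        if fingerprint(device) in self.known_devices.get(user, set()):
            return "allow"
        return "step_up"

    def enroll_device(self, user: str, device: Device) -> None:
        """Trust the device once the step-up challenge has succeeded."""
        self.known_devices.setdefault(user, set()).add(fingerprint(device))


if __name__ == "__main__":
    gate = LoginGate(static_blocklist={"203.0.113.9"})     # constructed sample IPs
    laptop = Device("Windows 11", "Mozilla/5.0 (Windows NT 10.0)", "en-US",
                    ["Arial", "Calibri"], "198.51.100.7")
    print(gate.pre_check("203.0.113.9"))                   # block
    for _ in range(MAX_FAILURES):
        print(gate.record_failure("198.51.100.7"))         # counted, counted, locked
    print(gate.post_password("alice", laptop))             # step_up
    gate.enroll_device("alice", laptop)
    print(gate.post_password("alice", laptop))             # allow
```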

For users
These really are common-sense tips that you should always follow as they can help you avoid various online threats. Nonetheless, the first four points relate directly to compromised credential attacks. And the following two points are directly related to mitigating phishing attacks, which can lead to credential-based attacks.

  1. Use strong and complex passwords – It might seem ludicrous, but vast numbers of people still use passwords such as “123456” and “password” as their passwords. The more complex your passwords are, the less likely you are to fall victim to credential-based attacks. That will always be your first line of defense in a credential-based attack. Use our password generator to quickly produce a secure password.
  2. Never reuse the same password for multiple accounts – That’s like having multiple houses with the same lock on them. One key could unlock all of your homes. You probably wouldn’t do that with houses – so don’t do it with your online accounts. The same logic applies. Do not reuse the same password for multiple accounts.
  3. Set up two-factor authentication (2FA) on all accounts that support it – 2FA is a great way to make it more difficult for malicious actors to abuse your credentials. There’s a good chance that the credential stuffing attackers’ automation tool (to automatically log in to compromised accounts) won’t be able to get around it. For other online attacks, having 2FA enabled may well discourage an attacker from pursuing their attack once they see they have to deal with 2FA.
  4. Use a password manager – Think that setting up complex passwords for all your accounts will make things unmanageable for you and be too difficult to remember? It might if you’re not using a password manager. A password manager is a small app that contains a database of all your passwords, so you don’t need to remember them. You simply need to remember the master password to unlock your database. Once unlocked, you have access to all of your complex passwords. Some password managers also contain password generators that will automatically generate complex passwords for you. Many password managers also have autofill capabilities, so you don’t need to copy and paste them manually. That’s particularly useful on mobile devices. One small caveat: I wouldn’t recommend online password managers; the server that hosts your passwords could always be hacked. Go for a good offline password manager. There are plenty of them.
  5. Don’t open attachments in emails unless you’re sure you know who the sender is and you’ve confirmed with that person that they really did send you that email. You should also make sure they’re aware the email contains an attachment and know what the attachment is.
  6. Don’t click links (URLs) in emails unless you’re able to confirm who sent you the link and what its destination is. It might also be good to contact the sender through another channel (not email) to make sure the sender is not being impersonated. Once you’ve done that, you should scrutinize the link. Is it an HTTP or an HTTPS link? The overwhelming majority of legitimate websites use HTTPS today. Also, check the link for incorrect spelling (faceboook instead of facebook or goggle instead of google). If you can get to the destination without using the link, do that instead.
  7. Use a firewall – Built-in incoming firewalls are found on all major operating systems. And all commercial routers on the market provide a built-in NAT firewall. Enable both. You’ll thank me if you click a malicious link.
  8. Use an antivirus program – Only purchase genuine and well-reviewed antivirus software from legitimate vendors. Keep your antivirus updated and set it up to run frequent scans.
  9. Keep your operating system updated – You want the latest OS updates. They contain the latest security patches that will fix any known vulnerabilities. Make sure you install them as soon as they’re available.
  10. Never click on pop-ups. Ever. Pop-ups are just bad news – you never know where they take you.
  11. Don’t give in to “warning fatigue” if your browser displays yet another warning about a website. Web browsers are becoming more secure with every passing day, which tends to raise the number of security prompts they display. Still, you should take those warnings seriously. So if your browser displays a security prompt about a URL you’re attempting to visit, pay attention to your browser’s warning and get your information elsewhere. That’s especially true if you clicked a link you received by email or SMS – it could be sending you to a malicious site. Do not disregard your computer’s warning prompts.


Wrap-up
Compromised credential attacks will continue to thrive in the computer world as long as businesses need to rely on passwords and other weak authentication methods. In defending against credential stuffing attacks, the goal is to make the process of obtaining credentials as difficult as possible and to slow it down as much as possible.

Weak passwords and password reuse are the biggest culprits here, and that causes serious security issues across organizations. A weak or reused password will eventually be compromised — it’s only a matter of time as there’s no shortage of attackers. Hopefully, you and your organization can steer clear of credential stuffing attacks by applying the practices listed above.

Cybercriminals taking advantage of CrowdStrike-linked global computer outage

CISA: Threat actors launch malicious malware phishing attacks

Kurt Knutsson, cyberguy.com, July 23, 2024

The global IT outage triggered by a faulty CrowdStrike software update has created a perfect storm for cybercriminals to exploit. In the wake of this unprecedented disruption affecting Windows computers worldwide, threat actors are now launching phishing campaigns and distributing malware-laden links.

These malicious actors are preying on individuals and organizations desperate for information and solutions, tricking them into clicking on contaminated links under the guise of offering updates or fixes for CrowdStrike-related issues.

Massive outage touches every aspect of life
As airlines, banks, grocery stores, 911 emergency communications, medical centers, and virtually every organization running Windows computers with CrowdStrike Falcon attempt to recover from what could be the most destructive tech tsunami, criminals are being observed attempting to offer fake help with a payload of trouble.

Homeland Security issues alert about threat actors in the wake of CrowdStrike Windows outage
The Department of Homeland Security’s Cybersecurity & Infrastructure Security Agency, known as CISA, is tracking this online criminal activity, which now poses a secondary threat to Americans. Here is the CISA statement:

CISA has observed threat actors taking advantage of this incident for phishing and other malicious activity. CISA urges organizations and individuals to remain vigilant and only follow instructions from legitimate sources. CISA recommends organizations to remind their employees to avoid clicking on phishing emails or suspicious links.

The massive outages started at 1:20 AM ET on Friday when CrowdStrike began rolling out a faulty update to its Falcon security product that protects Windows hosts. Screens around the world turned blue, freezing on a crippling message known as the Blue Screen of Death.

How to protect against threat actors pretending to be CrowdStrike or Microsoft

  • Avoid clicking links in any text or email related to the CrowdStrike or Windows disruption.
  • Be ready to ride out digital storms like this one by getting your own lifejacket in the form of strong anti-virus protection. The best way to safeguard yourself from malicious links that install malware, potentially accessing your private information, is to have antivirus software installed on all your devices. This protection can also alert you to phishing emails and ransomware scams, keeping your personal information and digital assets safe. My top pick is TotalAV, and you can get a limited-time deal for CyberGuy readers: $19 your first year (80% off) for the TotalAV Antivirus Pro package.  Get my picks for the best 2024 antivirus protection winners for your Windows, Mac, Android & iOS devices.
  • Only use official sources for resolving security incidents like this one.

CrowdStrike’s CEO George Kurtz addressed the global glitch it caused, and an updated statement puts it in perspective:

We understand the gravity of the situation and are deeply sorry for the inconvenience and disruption. We are working with all impacted customers to ensure that systems are back up and they can deliver the services their customers are counting on.

How to recover from the Blue Screen of Death outage
CrowdStrike is actively working through its official channels to roll out a previous version of its Falcon software, but not before the disruptive damage was done worldwide. If you have a Windows PC or laptop experiencing trouble, there are alternative workarounds to help you fix it. The company offers the following additional steps that can be taken if your Windows computer is still having trouble:

Workaround steps for individual hosts:

  1. Reboot the host to give it an opportunity to download the reverted channel file. If the host crashes again, then:
  2. Boot Windows into Safe Mode or the Windows Recovery Environment
    Note: Putting the host on a wired network (as opposed to WiFi) and using Safe Mode with Networking can help remediation.
  3. Navigate to the %WINDIR%\System32\drivers\CrowdStrike directory
  4. Locate the file matching “C-00000291*.sys”, and delete it.
  5. Boot the host normally. 


Note: BitLocker-encrypted hosts may require a recovery key.

Kurt’s key takeaways
Cybercriminals are quick to take advantage of tech troubles like this massive Windows disruption caused by CrowdStrike. The lesson is to take privacy and security into your own hands by being as resilient as possible to attacks. I recommend running good antivirus protection on every device in your and your family’s lives.

Don't Forget to Lock Your Devices and Secure Your Paperwork!

Jeff Stetz, CBIZ PPS, July 25, 2024

This Month’s Advice: Protect Your Data and Devices

While many of us have taken action to prevent cyberattacks via “back doors” in our applications by applying patches, updates, and security programs, cybercriminals hope you left your devices' “front doors” wide open. Read on to discover essential tips that can be done in seconds and go a long way.

Lock It Up: We use our devices in many settings, including locations that may be accessible to people with whom we are unfamiliar. While many of us may have access to our devices most of the time, it is not uncommon for us to step away, even briefly. Remember to lock your devices in these instances, no matter how short. Computers can be locked in a way that only someone with the proper password will be able to access them. In addition, many mobile devices can easily be locked in a way requiring an individual to use biometric data. If a password option can be used as a secondary system, ensure that the secondary system is as advanced as possible, like with a hardware token or a complex password.

Clean Up the Mess: How many of us have a messy desk or leave things out for easy access? While the chances of having an actual cybercriminal infiltrate our physical space are limited, having another individual gain access is not impossible. Remember to lock up private files and important documents before leaving your workspace, as you never know when an unexpected incident will prevent you from accessing them. In addition, while it is tempting to leave a complicated password easily accessible, it is one of the worst things to do security-wise, especially if that password links to some critical secure data, even on another system. Never write passwords down unless you keep those locked up too.

Prepare for the Worst-Case Scenario: Unfortunately, bad things happen. There are instances when we either lose our device or it gets stolen. Depending on the device that goes missing, it can contain a lot of personal information that could be devastating if it falls into the wrong hands. Many devices, especially mobile devices, have options that will cause it to automatically wipe if the incorrect password is entered too many times. Don’t be afraid to use this feature. Although it can be distressing if we forget the original password, by properly backing up our devices to the cloud, restoring their image to a new device with the original data is usually straightforward.

By doing the right thing—securing your devices, locking up your paperwork, and taking the necessary precautions—you can prevent criminals from doing the wrong thing. Be careful out there! 

Hijacked: How hacked YouTube channels spread scams and malware

Here’s how cybercriminals go after YouTube channels and use them as conduits for fraud – and what you should watch out for when watching videos on the platform

Christian Ali Bravo, welivesecurity.com, July 1, 2024

As one of today’s most popular social media platforms, YouTube is often in the crosshairs of cybercriminals who exploit it to peddle scams and distribute malware. The lures run the gamut, but often involve videos posing as tutorials about popular software or ads for crypto giveaways. In other scenarios, fraudsters embed links to malicious websites in video descriptions or comments, disguising them as genuine resources related to the video’s content.

Thefts of popular YouTube channels up the game further. By extending the reach of the fraudulent campaigns to untold numbers of regular YouTube users, they give the attackers the most bang for their buck. Cybercriminals have long been known to repurpose these channels to spread crypto and other scams and a variety of info-stealing malware, often through links to pirated and malware-laden software, movies and game cheats.

Meanwhile, YouTubers who have had their accounts stolen are in for a highly distressing experience, with the consequences ranging from loss of income to lasting reputational damage.

How can cybercriminals take over YouTube channels?
More often than not, it all starts with good ol’ phishing. Attackers create fake websites and send emails that look like they are from YouTube or Google and attempt to trick the targets into surrendering their “keys to the kingdom”. In many cases, they also tout sponsorship or collaboration deals as the lure – the message includes an attachment or a link to a file where the terms and conditions are said to be detailed.

Nothing could be further from the truth, however, with the threat becoming even more acute where the accounts were not protected by two-factor authentication (2FA) or where attackers circumvented this extra safeguard. (Since late 2021, content creators need to use 2FA on the Google account associated with their YouTube channel).

In some cases (cue the breach of Linus Tech Tips, a channel with 15 million subscribers at the time), attackers needed neither passwords nor 2FA codes to hijack the channels. Instead, they stole session cookies from the victims’ browsers that ultimately enabled them to bypass the additional security checks involved in the authentication process.

In another tried-and-tested technique, attackers leverage lists of usernames and passwords from past data breaches to break into existing accounts, relying on the fact that many people reuse passwords across different sites. In brute-force attempts, meanwhile, attackers use automated tools to try numerous password combinations until they find the correct one. This method bears fruit especially if people use weak or common passwords and skimp on 2FA.


Just weeks ago, the AhnLab Security Intelligence Center (ASEC) wrote about a growing number of cases where cybercriminals hijack popular YouTube channels, including one with 800,000 subscribers, and exploit them to distribute malware such as RedLine Stealer, Vidar and Lumma Stealer.

As described in the ESET Threat Report H2 2023, Lumma Stealer made a splash particularly in the second half of last year. This infostealer-for-hire is known for targeting crypto wallets, login credentials and 2FA browser extensions, as well as for exfiltrating information from compromised machines. As the ESET Threat Report H1 2024 shows, both tools remain a major menace and often pose as cheating software or video game cracks, including via YouTube.


In some scenarios, criminals hijack existing Google accounts and in the span of minutes create and post thousands of videos that distribute info-stealing malware. People who fall victim to the attacks may end up having their devices compromised with malware that also steals their accounts on other major platforms such as Instagram, Facebook, X, Twitch and Steam.

Staying out of harm’s way on YouTube
These tips will go a long way towards keeping you safe on the platform, including if you’re a YouTuber yourself.

  • Use strong and unique login credentials
    Create strong passwords or passphrases and avoid reusing them across multiple sites. Explore passkeys as another form of authentication offered by Google.
  • Use a strong form of 2FA
    For an added layer of security, use 2FA not just on your Google account, but on all your other accounts. Wherever possible, choose 2FA involving authentication apps or hardware security keys instead of SMS-based methods.
  • Be cautious with emails and links
    Be skeptical of emails or messages claiming to be from YouTube or Google, doubly when they ask for your personal information or account credentials. Check the sender’s email address and look for signs of phishing. Just as importantly, avoid clicking on suspicious links or downloading attachments from unknown sources. The same goes for apps or other software that is promoted on YouTube unless they come from trusted and verified sources.
  • Keep your operating system and other software updated
    Ensure your operating system, browser, and other software are up to date to protect against known vulnerabilities.
  • Keep tabs on your account activity
    Regularly check your account activity for any suspicious actions or login attempts. If you suspect your channel has fallen prey to an attack, refer to this guidance from Google.
  • Educate yourself
    Stay informed about the latest cyberthreats and scams targeting you online, including on YouTube. Knowing what to look out for can help you avoid falling victim to these threats.
  • Report and block suspicious content
    Report any suspicious or harmful content, comments, links, or users to YouTube. Blocking such users can prevent them from contacting you further.
  • Secure your devices
    Use multi-layered security software across your devices to protect against a variety of threats.


Is someone spying on you through your hacked webcam? 7 red flags

Here's how to catch the hackers red-handed

Kurt Knutsson, cyberguy.com, April 25, 2024

You use your computer daily, although I bet you rarely, if ever, consider that someone could be spying on you through your built-in camera on a laptop or a standalone camera that connects via USB. The worst thing is that you wouldn’t even know it.

Your webcam can seriously threaten your privacy, and you want to always ensure that no one is spying on you.

Even Mark Zuckerberg has been known to cover his laptop camera. If the CEO of big tech social media Facebook knows the risks, you should too.

What’s at stake if someone hacks into my laptop camera
If someone hacks into your webcam, the damage goes beyond compromising your security.

It’s also an invasion of privacy: someone could watch you without your knowledge or consent.

This could include seeing you in your personal space or even capturing sensitive information like passwords, bank account information, or private conversations.

If someone were to record compromising footage of you, they could use it to blackmail or extort you for money or other demands, which is often a criminal hacker’s intent.

Hackers with access to your webcam are also likely to swipe additional personal information from your computer, which could be used for identity theft.

Furthermore, hacking into your webcam could be a way for hackers to install malware or viruses on your computer, which could cause further damage to your system or steal additional data. On an emotional level, it can leave you feeling shaken and abused.

How to know if someone has hacked your webcam
Whether you use the built-in camera that comes with most laptops or an external webcam, these are some key signs that your camera has been hacked.

  • Check the webcam indicator light
    Your laptop will have a light turn on when the camera is in use, whether it is red, green, or blue. If you see the light turned on or blinking and you know you did not do anything to make that happen, then someone has hacked into your webcam. Be aware that your camera could turn on when launching a specific app like Zoom.
  • Check your storage files
    If you see audio or video storage files suddenly appear on your computer that you did not create, that is a major warning sign that someone has hacked your webcam. Make sure you also check your webcam settings and know where your video and audio files are being saved on your computer, as a hacker can easily change that.
  • Beware of unknown applications
    If you see any applications on your computer that you don’t recognize, your computer may have been infected with malware, and those applications could be using your webcam without your consent. Try running your webcam if this happens, and if it says your webcam is already in use, then you have likely been hacked.
  • Scan your computer for malware
    We always recommend using our #1 pick TotalAV as the antivirus software to use when scanning your computer for malware. It will be able to detect any suspicious activity happening on your laptop and warn you immediately. More about our review of Best Antivirus picks here.
  • Look out for any suspicious movement
    External webcams are becoming much more advanced, and some can even move around to better capture a video or picture or adjust their lenses. If you use one, watch out for any movements that the camera makes on its own without you commanding it to.
  • Check your webcam security settings
    Look to see if your password or admin name has been changed, if you are no longer able to make changes to settings yourself, or if firewall protection on your camera has been turned off.
  • Look at the data flow
    Your data flow will tell you how much internet data is being used when you’re online. If you notice any spikes, it could mean that data from your camera is being used without your knowledge.

Following these steps will certainly help you catch a hacker much quicker. However, a great way to stop them in their tracks completely is to have a good webcam cover so that they will not be able to see you should they break into your camera. 

Pro Tip
You can also physically cover your camera with a piece of tape when you’re not using it to prevent unauthorized access.