Do you know what credential stuffing is?

Have you heard of credential stuffing? This form of cyberattack is one of the most common data breach causes. Through credential stuffing attacks, cybercriminals use stolen usernames and passwords obtained from one organization, typically during a data breach or through purchasing them off of the dark web. These stolen credentials are used to access accounts at another separate organization.

A vast number of people reuse their passwords across multiple accounts. Unfortunately, this is a poor cybersecurity practice as the risks for credential stuffing are only growing as an increasing number of credentials are exposed through data breaches.

Learning more about credential stuffing can help you protect yourself from the risks that it can bring with it.

How does credential stuffing work?
The list of stolen usernames and password pairs is added to a botnet. This botnet then automates the process of testing the stolen username and password pairs on several websites, all at the same time. The goal is to find accounts where users may have reused login credentials.
A botnet attack can overwhelm the IT infrastructure of a business, with their websites seeing more than 180 times their usual traffic when an attack is being carried out.

Consider how this could impact the individual user.

  • Your account credentials for your favorite streaming service are the very same credentials you use for your social media accounts and your bank account.
  • Once a cybercriminal has access to your account, they have access to all of the data within the account. They can do with it as they please.

This could include the following.

  • Selling account access. This is quite commonly seen with media streaming services.
  • eCommerce account fraud. Cybercriminals with access to a user’s account can impersonate them and place orders in their name. This is very common. eCommerce is considered to be one of the most vulnerable verticals when it comes to credential stuffing.
  • Corporate data theft. Certainly, the above concerns can bring with them serious and costly consequences for both the company and customer. But it is the potential loss of data that can be most damaging for a business. If a cybercriminal is able to successfully gain access to the account of an employee, they could potentially gain access to a wide range of sensitive data. This could include social security numbers, addresses, credit card and direct deposit banking details, and additional login credentials.

How does credential stuffing measure up to a brute force attack?

Broadly speaking, credential stuffing is categorized as a form of brute force attack. In reality, the two are quite different, as are the most beneficial ways to secure yourself and your systems against each of them.

A brute force attack is a best effort to guess a password by changing the numbers and characters, very often in certain patterns or with frequently used base passwords and password phrases. To protect against a brute force attack attempt, a system can be set to limit the number of failed login attempts. In addition, users can be required to use stronger passwords and CAPTCHA verification can be used.

The strongest password will not prevent a cybercriminal from getting access to an account using credential stuffing methods. This is because they already have access to the password. Even other brute force protection methods can be limited because users quite often change passwords in patterns that are somewhat predictable. If a cybercriminal has a breached password to begin with, it’ll be a short step to figure out what the changed password is. As example, many may simply change the year at the end of the password. Password2021 will soon be Password2022.

Can you prevent a credential stuffing attack?

If we’re honest, most of us do know that reusing passwords is an unsafe cybersecurity practice. But we opt to reuse the same passwords across multiple sites and apps anyway, largely because of password fatigue. The average person can have dozens of passwords to try and remember. Certainly, password managers are a valid option for most people. But adoption rates for password managers are low.

In order to prevent a credential stuffing attack, it is up to the organization to take the appropriate cybersecurity measures. One of these methods could include altogether removing passwords. Removing passwords from the equation can help to keep cybercriminals from using stolen credentials in order to access the accounts of their users.

Passwordless authentication can help to avoid credential stuffing because it verifies the user with something that they have (whether a device or some other security token), or through something that they are (biometric methods), instead of using a password. A passwordless solution can also help to provide a better login experience for the user. It has the potential to save the organization time and resources that would otherwise have been spent on needing to deal with password resets.

Password authentication can help to eliminate credential stuffing attacks, but it is a highly secure, user-friendly, and cost effective solution over using the traditional username and password pairing authentication.