How to Prevent Credential Stuffing Attacks

What is Credential Stuffing?

Credential stuffing is a type of cyberattack where hackers use lists of stolen credentials, like usernames and passwords, and try them on other online accounts. The goal is to gain unauthorized access to user accounts through exploiting reused credentials.

Hackers obtain lists of credentials from data breaches of websites and online services. They then use automated tools to try the username and password combinations on login pages of other sites, hoping users reuse the same credentials across multiple services.

Successful credential stuffing attacks allow cybercriminals to take over user accounts, leading to identity theft, fraud, and data breaches. According to security firm Shape Security, 90% of login attempts come from credential stuffing attacks.

How Credential Stuffing Attacks Work

Credential stuffing follows these steps:

  • Hackers steal credential lists from website breaches.
  • They compile the credentials into automated tools.
  • The tools then systematically try the username and password pairs on login pages of other sites.
  • When valid credentials are found, the accounts are compromised.
  • Attackers can then steal personal data or commit fraud.

Criminals use botnets with thousands of infected devices to distribute the workload and try billions of credential combinations. The automated nature makes these attacks easy to scale up.

Dangers of Credential Stuffing

Successful credential stuffing attacks can have serious consequences:

  • Account takeover – Criminals gain access to user accounts.
  • Identity theft – Attackers steal personal information from compromised accounts.
  • Financial fraud – Stolen accounts used to make unauthorized transactions.
  • Data breaches – Breached accounts used to access databases and steal data.
  • Reputational damage – Organizations suffer loss of customer trust and legal liabilities.

With the growing frequency of data breaches, credential stuffing is becoming a highly lucrative attack vector for hackers. According to Akamai, credential abuse attempts grew by 30,000% between 2017 and 2018.

How to Prevent Credential Stuffing

Here are some best practices organizations and individuals can follow to guard against credential stuffing:

Use Unique Passwords

  • Using the same password across multiple sites makes you vulnerable.
  • Create a unique, complex password for every account.
  • Use a password manager to generate and store passwords.

Enable Multi-Factor Authentication

  • Add an extra layer of security with multi-factor authentication (MFA).
  • MFA requires you to enter a one-time code sent to your phone when logging in.
  • Even with stolen passwords, hackers can’t access accounts protected by MFA.

Monitor Login Attempts

  • Enable login notifications to monitor unauthorized access attempts.
  • Review failed logins to detect signs of credential stuffing attacks.
  • Set up alerts for suspicious IP addresses.

Limit Account Login Attempts

  • Automatically lock accounts after a few invalid login attempts.
  • This slows down credential stuffing tools.
  • Legitimate users can unlock via verification.
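The two sections above describe reviewing failed logins, alerting on suspicious IPs, and locking accounts after repeated failures. The following added example (not code from the original article) shows both checks over a small constructed authentication log: a per-source detector that flags an IP trying many distinct usernames with a low success rate, and a per-account lockout counter. The log line format, field names and thresholds are assumptions chosen for the example.

```python
import re
from collections import defaultdict

# Constructed sample auth log (not from any real system); the line format is an assumption.
SAMPLE_LOG = """\
2024-03-01T10:00:01Z login FAIL user=alice ip=203.0.113.7
2024-03-01T10:00:02Z login FAIL user=bob ip=203.0.113.7
2024-03-01T10:00:02Z login FAIL user=carol ip=203.0.113.7
2024-03-01T10:00:03Z login OK   user=dave ip=203.0.113.7
2024-03-01T10:00:03Z login FAIL user=erin ip=203.0.113.7
2024-03-01T10:00:04Z login FAIL user=frank ip=203.0.113.7
2024-03-01T10:00:05Z login FAIL user=alice ip=198.51.100.9
2024-03-01T10:00:09Z login FAIL user=alice ip=198.51.100.9
2024-03-01T10:00:15Z login OK   user=alice ip=198.51.100.9
"""
LINE_RE = re.compile(r"^(?P<ts>\S+) login (?P<result>OK|FAIL)\s+user=(?P<user>\S+) ip=(?P<ip>\S+)$")

def parse_log(text):
    """Parse each log line into a dict; lines that do not match the format are skipped."""
    return [m.groupdict() for m in (LINE_RE.match(line) for line in text.splitlines()) if m]

def flag_stuffing_ips(events, min_users=5, max_success_rate=0.5):
    """Flag source IPs that tried many distinct usernames with a low success rate:
    one guess per account from one source is the credential stuffing signature."""
    per_ip = defaultdict(lambda: {"users": set(), "fail": 0, "ok": 0})
    for e in events:
        stats = per_ip[e["ip"]]
        stats["users"].add(e["user"])
        stats["fail" if e["result"] == "FAIL" else "ok"] += 1
    flagged = {}
    for ip, s in per_ip.items():
        rate = s["ok"] / (s["fail"] + s["ok"])
        if len(s["users"]) >= min_users and rate <= max_success_rate:
            flagged[ip] = {"distinct_users": len(s["users"]), "failures": s["fail"]}
    return flagged

def accounts_to_lock(events, max_failures=3):
    """Per-account lockout: lock after max_failures consecutive failures; a success resets.
    Stuffing makes only one attempt per account, so this check alone misses it."""
    streak, locked = defaultdict(int), set()
    for e in events:
        if e["result"] == "FAIL":
            streak[e["user"]] += 1
            if streak[e["user"]] >= max_failures:
                locked.add(e["user"])
        else:
            streak[e["user"]] = 0
    return locked
```

On the sample log the per-IP check flags 203.0.113.7 (six usernames, five failures) while the per-account lockout only catches alice, which is why both controls are worth running together.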

Deploy Web Application Firewalls

  • A WAF inspects traffic and can identify credential stuffing tools.
  • It can block suspicious IPs engaging in credential stuffing behaviors.
  • A WAF also protects apps from other attacks like SQL injection.

Avoid Credential Reuse

  • If your credentials are compromised in a breach, change them on all other accounts.
  • Never reuse passwords across different sites and services.
  • Use the “Forgot password” option if you don’t remember old passwords.

Staying vigilant against credential stuffing and utilizing these measures will help keep your accounts secure from automated credential abuse attacks.