To reduce the risk of cybercriminals accessing your sensitive information, you need to set unique passwords for your online accounts. However, remembering multiple passwords can be difficult. In fact, a recent study by NordPass found that the average person manages around 100 passwords. This is why people are often tempted to reuse passwords for multiple accounts. While this may be convenient, it makes their accounts vulnerable to credential stuffing.
What is credential stuffing?
Credential stuffing involves a cybercriminal using a victim’s login credentials — typically obtained through massive data breaches or phishing — to access the victim’s other online accounts.
How does credential stuffing work?
Credential stuffing starts with a cybercriminal collecting login credentials exposed in previous data breaches. They then use a bot that automatically tries those stolen username and password pairs against many user accounts on other websites at the same time, checking which ones still work.
Once they successfully access an account, the hacker can steal sensitive data such as full names, home addresses, Social Security numbers, and bank account numbers, among other information. They can also get hold of trade secrets and intellectual property. What’s more, the attackers can use the compromised account to send spam or phishing emails to the victim’s contacts.
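As an added example (not part of the original post), here is a small detection heuristic a defender could run over login logs to spot the bot behavior described above: one source trying many different usernames with mostly failed logins, which is unlike a person who forgot a password and retries one account. The log format, sample lines, and thresholds are constructed for this illustration.

```python
"""Flag credential-stuffing sources in auth logs (added example, constructed data).
A stuffing bot replays many *different* usernames from one source and mostly
fails, because most victims did not reuse the breached password; a human who
forgot a password retries one or two usernames."""
import re
from collections import defaultdict

# Constructed log format: "<ISO time> src=<ip> user=<name> result=<OK|FAIL>"
LINE_RE = re.compile(r"^\S+ src=(?P<ip>\S+) user=(?P<user>\S+) result=(?P<result>OK|FAIL)$")

# Constructed sample: 203.0.113.5 sprays breached pairs; 198.51.100.9 is a real user.
SAMPLE_LOG = """\
2024-03-01T10:00:01Z src=203.0.113.5 user=alice result=FAIL
2024-03-01T10:00:01Z src=203.0.113.5 user=bob result=FAIL
2024-03-01T10:00:02Z src=203.0.113.5 user=carol result=OK
2024-03-01T10:00:02Z src=203.0.113.5 user=dave result=FAIL
2024-03-01T10:00:03Z src=203.0.113.5 user=erin result=FAIL
2024-03-01T10:00:03Z src=203.0.113.5 user=frank result=FAIL
2024-03-01T10:00:10Z src=198.51.100.9 user=alice result=FAIL
2024-03-01T10:00:20Z src=198.51.100.9 user=alice result=FAIL
2024-03-01T10:00:30Z src=198.51.100.9 user=alice result=OK
"""


def parse_log(text):
    """Yield (ip, user, success) per well-formed line; unparseable lines are skipped."""
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            yield m["ip"], m["user"], m["result"] == "OK"


def find_stuffing_sources(text, min_users=5, min_fail_ratio=0.8):
    """Return {ip: {"users", "attempts", "fail_ratio"}} for IPs that tried at least
    min_users distinct usernames with a failure ratio >= min_fail_ratio.
    Thresholds are tuning knobs; derive them from your own baseline traffic."""
    users, attempts, failures = defaultdict(set), defaultdict(int), defaultdict(int)
    for ip, user, ok in parse_log(text):
        users[ip].add(user)
        attempts[ip] += 1
        failures[ip] += 0 if ok else 1
    flagged = {}
    for ip, total in attempts.items():
        ratio = failures[ip] / total
        if len(users[ip]) >= min_users and ratio >= min_fail_ratio:
            # Candidates for an IP block or a CAPTCHA challenge, as in the Basecamp case.
            flagged[ip] = {"users": len(users[ip]), "attempts": total, "fail_ratio": round(ratio, 2)}
    return flagged
```

Note that the one successful login from the flagged source is exactly the account that needs a password reset and a check for reuse elsewhere.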
How does credential stuffing differ from brute force attacks?
The Open Web Application Security Project (OWASP) categorizes credential stuffing as a subset of brute force attacks. However, the two work differently.
Brute force attacks attempt to guess passwords with no context or clues, trying random character strings and common password combinations. Credential stuffing, by contrast, replays username and password pairs exposed in earlier breaches, betting that the victim reused the same password on other accounts.
Using strong passwords that are long and include uppercase letters, numbers, and special characters can protect against brute force attacks. However, password strength alone is not enough to protect against credential stuffing: if a password is reused across different accounts, the account can still be hijacked once that password leaks from any one of them.
How has credential stuffing affected businesses?
According to cloud service company Akamai Technologies, 193 billion credential stuffing attacks were recorded globally in 2020.
Large corporations can also be affected by credential stuffing attacks. Back in 2019, project management company Basecamp noticed a huge spike in login attempts to its service. To stop the attack, the company blocked the suspicious IP addresses and enabled a CAPTCHA system. However, attackers still managed to hijack 124 Basecamp accounts. And in April 2020, more than half a million Zoom accounts were compromised via credential stuffing. The login credentials were then sold on the dark web.
How can you prevent credential stuffing attacks?
To protect your company from credential stuffing attacks, you need to follow these best practices:
1. Enable multifactor authentication (MFA)
MFA requires users to provide one or more authentication factors aside from a password, such as a one-time passcode (OTP), facial or fingerprint scan, or physical key. This way, even if a cybercriminal acquires a set of login credentials, they won’t be able to access the account without providing the subsequent authentication factors.
2. Use a password manager
A password manager securely stores and manages a user’s login credentials. Instead of having to remember dozens of passwords or using the same ones across multiple sites, you can leverage a password manager to do the hard work for you.
3. Use data breach monitoring services
Data breach monitoring sites like Have I Been Pwned let you check whether any of your email addresses have appeared in a known breach. They can also help you see whether business information is showing up on restricted forums.
4. Partner with a reliable managed IT services provider (MSP)
MSPs like Complete Document Solutions can help you strengthen your cyberdefenses by providing 24/7 monitoring and incident response services. We can also help you deploy effective security measures to protect your business from credential stuffing attacks. Get a FREE network and IT assessment today.