What is Credential Stuffing?
Credential stuffing is a cyber attack in which login credentials stolen through one organization's data breach are used to access another, unrelated organization, site or service.

For example, suppose your manufacturing company, We Make Amazing Stuff, has a data breach and your employees' user login information is taken in the heist. Attackers use these stolen login credentials to attempt access to your employees' bank or healthcare provider services.

Neither the bank nor the healthcare company were involved in this (or maybe any) data breach. They simply became unsuspecting players in this attack chain.

Attackers know that a lot of us use the same username and password for more than one account. In many cases, our username is our email address, which is even easier to obtain. 50% of the work has already been done for the attacker.

It's easy work for an attacker to try these same credentials with other companies, knowing they will likely have a small percentage of successful hits.
Why is Credential Stuffing Effective?

Stolen logins can come from any number of sources, such as a phishing attack, keylogger, warshipping, spear phishing, website breach, or internal network attack.

Credential stuffing is not the same as a brute force attack. Brute force hackers use algorithms to guess login information.

Even when the percentage of successful credential stuffing attacks is low, this tactic produces low-hanging fruit for attackers. The millions of credentials for sale on the dark web give attackers a continuous, fresh supply of easy targets.

Sophisticated bots have replaced the manual labor that hackers once relied on. These software-driven automation tools mean that massive numbers of simultaneous logins can be attempted in a matter of seconds.
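To make the distinction drawn above concrete from the defender's side, here is an added detection example (not from the original article) that classifies login sources in constructed audit log lines: credential stuffing spreads a few attempts over many usernames (one leaked password per account), while brute force concentrates many attempts on one account. The log format, thresholds and IP addresses are assumptions.

```python
from collections import defaultdict

# Constructed audit log lines: "<timestamp> <client_ip> <username> <result>".
# 203.0.113.5 tries many accounts once each (stuffing); 198.51.100.9 hammers
# one account (brute force); 192.0.2.44 is a user who mistyped once.
SAMPLE_LOG = """\
2024-01-01T10:00:01 203.0.113.5 alice FAIL
2024-01-01T10:00:01 203.0.113.5 bob FAIL
2024-01-01T10:00:02 203.0.113.5 carol FAIL
2024-01-01T10:00:02 203.0.113.5 dave OK
2024-01-01T10:00:03 203.0.113.5 erin FAIL
2024-01-01T10:00:03 203.0.113.5 frank FAIL
2024-01-01T10:00:04 198.51.100.9 admin FAIL
2024-01-01T10:00:04 198.51.100.9 admin FAIL
2024-01-01T10:00:05 198.51.100.9 admin FAIL
2024-01-01T10:00:05 198.51.100.9 admin FAIL
2024-01-01T10:00:06 198.51.100.9 admin FAIL
2024-01-01T10:00:07 192.0.2.44 alice FAIL
2024-01-01T10:00:08 192.0.2.44 alice OK
"""

def parse_log(log_text):
    """Yield (ip, username, result) for each non-empty line."""
    for line in log_text.splitlines():
        if line.strip():
            _ts, ip, user, result = line.split()
            yield ip, user, result

def classify_sources(log_text, min_attempts=5, stuffing_ratio=0.75):
    """Label each client IP 'credential_stuffing', 'brute_force' or 'normal'.
    Stuffing: attempts spread over many distinct usernames (high ratio).
    Brute force: many attempts concentrated on few usernames (low ratio)."""
    attempts = defaultdict(list)  # ip -> [(username, result), ...]
    for ip, user, result in parse_log(log_text):
        attempts[ip].append((user, result))
    labels = {}
    for ip, events in attempts.items():
        if len(events) < min_attempts:
            labels[ip] = "normal"
            continue
        distinct = len({user for user, _ in events})
        ratio = distinct / len(events)
        labels[ip] = "credential_stuffing" if ratio >= stuffing_ratio else "brute_force"
    return labels

def compromised_accounts(log_text, labels):
    """Usernames that logged in successfully from an IP flagged as stuffing:
    these need a forced password reset and a reused-password warning."""
    return sorted({user for ip, user, result in parse_log(log_text)
                   if result == "OK" and labels.get(ip) == "credential_stuffing"})
```

The ratio threshold is the key tunable: real stuffing bots rotate source IPs, so in production the same grouping is usually applied per IP range, user agent or time window rather than per single address.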
6 Ways to Help Prevent Credential Stuffing

1. Run dark web scans regularly for your company. Remind users that their compromised login credentials should immediately be changed on every account for which they're being used.

2. Implement multi-factor authentication (MFA) whenever it is practical. MFA, while seen as an inconvenience to users, is one of the simplest methods available to reduce credential theft.

   It's important to know that MFA doesn't ensure that credentials can't be compromised. Hackers are continually finding new ways to circumvent safeguards. Documented cases are published in the security community regularly.

   Leading technology companies, such as Microsoft, Apple, and Google, know that bad actors are relentless in their thievery. These forward-thinking companies are rolling out a better-than-MFA level of user identity security.

   Microsoft, for example, has implemented passwordless authentication in Azure that doesn't use the authentication codes and tokens you commonly receive for MFA.

3. An email notification with a one-time login code is not true MFA. It is also a weaker form of security than other methods because it relies on the security of your email itself. It is fairly easy work for an attacker to compromise your email and receive the authentication code.

4. Since phishing is an effective way for hackers to bypass MFA, regular simulated phishing tests with employees are important. These tests are a gentle reminder to users that phishing is an ongoing threat with serious results.

5. As inconvenient as it is, don't reuse login credentials. Even if some of the accounts you access have implemented strong login protections, other accounts might not have done the same.

6. Companies that rely on login authentication from their internal users or customers have an additional challenge. Even though their own company might not have been compromised, stolen credentials from another company's breach can be used to gain access to their data.

   If your company provides a client portal or application that requires user login, implementing MFA is a smart security practice.
How to Check Your Passwords

If you're curious about the integrity of your passwords, this is an easy checkup.

This free web resource was created in 2017 in response to the National Institute of Standards and Technology (NIST) password management guidance. Your passwords will be checked against a database of hundreds of millions of passwords involved in data breaches.

https://haveibeenpwned.com/Passwords
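An added example (not part of the original article) of running that same check programmatically against the Pwned Passwords service behind the URL above, without sending the password itself: its published range API takes the first five characters of the SHA-1 hash and returns every matching suffix with its breach count. The sample range response in the block is constructed so the parsing runs offline; its counts are made up.

```python
import hashlib
import urllib.request

# Published range endpoint of the Pwned Passwords service (k-anonymity lookup).
PWNED_RANGE_URL = "https://api.pwnedpasswords.com/range/"

def hash_password(password):
    """Uppercase hex SHA-1 of the password, the form the service indexes."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest().upper()

def count_in_range(range_body, suffix):
    """Parse a range response ('SUFFIX:COUNT' per line) and return the breach
    count for our 35-character suffix, or 0 if it is absent. Pure function,
    so it can be tested offline."""
    for line in range_body.splitlines():
        line = line.strip()
        if ":" not in line:
            continue
        candidate, count = line.split(":", 1)
        if candidate.upper() == suffix.upper():
            return int(count)
    return 0

def pwned_count(password):
    """Live check: only the first 5 hash characters are sent; the password
    and the full hash never leave the machine."""
    digest = hash_password(password)
    prefix, suffix = digest[:5], digest[5:]
    req = urllib.request.Request(PWNED_RANGE_URL + prefix,
                                 headers={"User-Agent": "pwned-check-example"})
    with urllib.request.urlopen(req, timeout=10) as resp:
        return count_in_range(resp.read().decode("utf-8"), suffix)

# Constructed range response for an offline demonstration; the counts are
# made up, not real service output. The middle line carries the suffix of
# SHA-1("password") so the lookup has something to find.
SAMPLE_SUFFIX = hash_password("password")[5:]
SAMPLE_RANGE_BODY = (
    "0018A45C4D1DEF81644B54AB7F969B88D65:1\n"
    + SAMPLE_SUFFIX + ":3730471\n"
    + "011053FD0102E94D6AE2F8B83D76FAF94F6:2\n"
)
```

A non-zero count means the password appears in breach corpora and should be treated as burned, regardless of how strong it looks; this is the check NIST recommends running on every new password at enrollment.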