Credential Stuffing Explained in Plain English for Non-Tech People




The Internet
What is a Browser
What is Cache
What is a Cookie
What is Data in Transit
What is Data at Rest
What is a Data Packet
What is DNS
What is Encryption
What is End-to-End Encryption
What is HTTP/HTTPS
What is SSL/TLS

Your Company Network
What is Antivirus Software
What is DNS Content Filtering
What is Advanced Endpoint Security
What is a Firewall
What is a Modem
What is a Network
What is Remote Desktop (RDP)

Work from Anywhere
What is a Home Network
What is a Hotspot
What is a VPN
What is Wi-Fi

Life in the Cloud
What is the Cloud

Your Company Assets
What is Access Rights
What is a Data Inventory
What is Shadow IT
What is a Software Inventory
What is a Technology Roadmap
What is IT Asset Management (ITAM)
What are User Access Rights

Your Security Essentials
What is a Brute Force Attack
What is Credential Stuffing
What is an IP Blacklist
What is a Keylogger
What is Malware
What is Warshipping
What is a Whitelist


Do You Want to Learn More?

Now that you've read the short, plain English explanation, are you ready to go deeper?

We love questions. Just ask. We'll answer.


Ask Us Anything



What is Credential Stuffing?



Credential stuffing is a cyber attack where login credentials stolen through one organization's data breach are used to access another unrelated organization, site or service.

For example, suppose your manufacturing company, We Make Amazing Stuff, has a data breach and your employees’ user login information is taken in the heist. Attackers use these stolen login credentials to attempt access to your employees’ bank or healthcare provider services.

Neither the bank nor the healthcare company were involved in this (or maybe any) data breach. They simply became unsuspecting players in this attack chain.

Attackers know that a lot of us use the same username and password for more than one account. In many cases, our username is our email address which is even easier to obtain. 50% of the work has already been done for the attacker.

It's easy work for an attacker to try these same credentials with other companies, knowing they will likely have a small percentage of successful hits.





Why is Credential Stuffing Effective?



  • Stolen logins can come from any number of sources, such as a phishing attack, keylogger, warshipping, spearfishing, website breach, or internal network attack.

  • Credential stuffing is not the same as a brute force attack. Brute force hackers use algorithms to guess login information.




  • Even when the percentage of successful credential stuffing attacks is low, this tactic produces low-hanging fruit for attackers. The millions of credentials for sale on the dark web give attackers a continuous, fresh supply of easy targets.

  • Sophisticated bots have replaced the manual labor that hackers once relied on. These software driven automation tools mean that massive numbers of simultaneous logins can be attempted in a matter of seconds.


    • 6 Ways to Help Prevent Credential Stuffing



  • Run dark web scans regularly for your company. Remind users that their compromised login credentials should immediately be changed on every account for which they’re being used.

  • Implement multi-factor authentication (MFA) whenever it is practical. MFA, while seen as an inconvenience to users, is one of the simplest methods available to reduce credentials theft.

    It's important to know that MFA doesn't ensure that credentials can't be compromised. Hackers are continually finding new ways to circumvent safeguards. Documented cases are published in the security community regularly.

    Leading technology companies, such as Microsoft, Apple, and Google, know that bad actors are relentless in their thievery. These forward-thinking companies are rolling out the better-than-MFA level of user identify security.

    Microsoft, for example, has implemented passwordless authentication in Azure that doesn't use the authentication codes and tokens you commonly receive for MFA.

  • An email notification with a one-time login code is not true MFA. It is also a weaker form of security than other methods because it relies on the security of your email itself. It is fairly easy work for an attacker to compromise your email and receive the authentication code. 

  • Since phishing is an effective way for hackers to bypass MFA, regular simulated phishing tests with employees are important. These tests are a gentle reminder to users that phishing is an ongoing threat with serious results.

  • As inconvenient as it is, don’t reuse login credentials. Even if some of your accounts being accessed have implemented strong login protections, other accounts might not have done the same.

  • Companies that rely on login authentication from their internal users or customers, have an additional challenge. Even though their company might not have been compromised, stolen credentials from another company’s breach can be used to gain access to their data.

    If your company provides a client portal or application that requires user login, implementing MFA is a smart security practice.



    • How to Check Your Passwords



    If you’re curious about the integrity of your passwords, this is an easy checkup.

    This free web resource was created in 2017 in response to the National Institute of Standards and Technology (NIST) password management guidance. Your passwords will be checked against a database of hundreds of millions of passwords involved in data breaches.

      https://haveibeenpwned.com/Passwords



    Keep Discovering



    What is a Keylogger
    What is Malware
    What is Warshipping





    Your Essential Advanced Security Bundle Every Company Deserves


  • DNS web content filtering
  • Proactive 24/7/365 SOC breach monitoring and support
  • Advanced endpoint security, the next generation anti-virus
  • Get the details

    • Calculate Your Price











    Services
    Fractional CIO Partner
    MSP - CIO Partnership
    CIO Designed for SMBs
    IT Asset Management & Planning
    Business Cybersecurity Essentials
    Advanced Data Security Protection
    Technology Evaluation & Implementation

    Knowledge Hub
    eBooks & How To Guides
    Business & Technology Blog
    Technology in Plain English
    Tools, Templates, & Checklists
    Tech Savvy Leaders' Community
    Free Business Financial Calculators
     Our Partner Promise

    Quest Technology Group
    315 E. Robinson Street • Suite 525
    Orlando, FL 32801
    Phone: 407 . 843 . 6603

           

    © 1991-2024 Quest Technology Group, LLC All rights reserved. Your Privacy Matters