What is Credential Stuffing?
is a cyber attack where login credentials stolen through one organization's data breach are used to access another unrelated
organization, site or service.
For example, suppose your manufacturing company, We Make Amazing Stuff, has a data breach and your employees’ user login information is taken in the heist. Attackers use these stolen login credentials to attempt access to your employees’ bank or healthcare provider services.
Neither the bank nor the healthcare company were involved in this (or maybe any) data breach. They simply became unsuspecting players in this attack chain.
Attackers know that a lot of us use the same username and password for more than one account. In many cases, our username is our email address which is even easier to obtain. 50% of the work has already been done for the attacker.
It's easy work for an attacker to try these same credentials with other companies, knowing they will likely have a small percentage of successful hits.
Why is Credential Stuffing Effective?
Stolen logins can come from any number of sources, such as a phishing attack, keylogger, warshipping, spearfishing, website breach, or internal network attack.
Credential stuffing is not the same as a brute force attack. Brute force hackers use algorithms to guess login information.
Even when the percentage of successful credential stuffing attacks is low, this tactic produces low-hanging fruit for attackers. The millions of credentials for sale on the dark web give attackers a continuous, fresh supply of easy targets.
Sophisticated bots have replaced the manual labor that hackers once relied on. These software driven automation tools mean that massive numbers of simultaneous logins can be attempted in a matter of seconds.
6 Ways to Help Prevent Credential Stuffing
Run dark web scans regularly for your company. Remind users that their compromised login credentials should immediately be changed on every account for which they’re being used.
Implement multi-factor authentication (MFA) whenever it is practical. MFA, while seen as an inconvenience to users, is one of the simplest methods available to reduce credentials theft.
It's important to know that MFA doesn't ensure that credentials can't be compromised. Hackers are continually finding new ways to circumvent safeguards. Documented cases are published in the security community regularly.
Leading technology companies, such as Microsoft, Apple, and Google, know that bad actors are relentless in their thievery. These forward-thinking companies are rolling out the better-than-MFA level of user identify security.
Microsoft, for example, has implemented passwordless authentication in Azure that doesn't use the authentication codes and tokens you commonly receive for MFA.
An email notification with a one-time login code is not true MFA. It is also a weaker form of security than other methods because it relies on the security of your email itself. It is fairly easy work for an attacker to compromise your email and receive the authentication code.
Since phishing is an effective way for hackers to bypass MFA, regular simulated phishing tests with employees are important. These tests are a gentle reminder to users that phishing is an ongoing threat with serious results.
As inconvenient as it is, don’t reuse login credentials. Even if some of your accounts being accessed have implemented strong login protections, other accounts might not have done the same.
Companies that rely on login authentication from their internal users or customers, have an additional challenge. Even though their company might not have been compromised, stolen credentials from another company’s breach can be used to gain access to their data.
If your company provides a client portal or application that requires user login, implementing MFA is a smart security practice.
How to Check Your Passwords
If you’re curious about the integrity of your passwords, this is an easy checkup.
This free web resource was created in 2017 in response to the National Institute of Standards and Technology (NIST)
password management guidance. Your passwords will be checked against a database of hundreds of millions of passwords involved in data breaches.
What is a Keylogger
What is Malware
What is Warshipping
Your Essential Advanced Security Bundle Every Company Deserves
DNS web content filtering
Proactive 24/7/365 SOC breach monitoring and support
Advanced endpoint security, the next generation anti-virus
Get the details