Credential stuffing refers to the practice of hackers entering stolen credentials into the login pages of multiple digital services to see if they can gain unauthorised access to the accounts.
These legitimate details are usually purchased on the dark web from collections accrued during major data breaches and phishing attacks.
This type of cyber-attack relies heavily on people reusing passwords or only slightly varying them across a range of channels, regardless of account importance. To a website, these attacks appear to be the same as any other login attempt and therefore often go undetected.
Automated tools disguise the attacker by making login requests appear to come from many different devices and IP addresses, bypassing standard security controls. More advanced tools can even defeat captcha and multifactor authentication.
With a very low success rate and the problem of how to monetise their findings, hackers must be prepared to play the long game for a significant payday.
Credential theft can result in multiple benefits for hackers including: financial gain, free goods/services, competitor insight, a new identity, and the data needed to facilitate other cyber attacks.
For the victim, however, a credential stuffing attack could negatively impact their finances, reputation, and customers’ loyalty.
Why Does It Matter?
A series of high-profile data breaches over the last few years has made a wealth of credentials available for free on the dark web for malicious actors to exploit.
These well-known collections, of varying black market value, together with advances in automation tools, have sparked an upward trend in credential stuffing attacks across all industries.
Hackers are particularly fond of the following industries for their lax security, valuable data, or the social benefits they offer: retail/e-commerce, gaming, health care, higher education, financial institutions, SMEs, video streaming services, and social media.
The issue for companies is striking the delicate balance between protecting their digital services from attackers and not restricting access for legitimate users or harming the customer experience.
The first line of defence is therefore user education around regularly creating strong and unique passwords for every digital account.
While a company is in control of its own password policy, it cannot see or enforce whether users reuse those passwords on other services.
Companies should consider the benefit of making password manager tools available to employees to reduce their overall risk. Other methods of protection businesses can employ include:
- Blacklisting offending IP addresses.
- Regularly checking compromised credentials and prompting password changes where necessary.
- Establishing geofences to block traffic from outside specific consumer regions.
- Enabling multifactor authentication and captcha.
- Rate limiting to lock users out after a set number of login attempts.
- Regularly patching and updating threat prevention and detection software.
- Sending emails for successful or failed login attempts.
- Avoiding public Wi-Fi, where possible, or using VPNs for extra protection.
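Because each stuffing attempt looks like an ordinary login, detection has to work on patterns across many attempts rather than on any single one. The following is an added example, not code from the original article: it scans constructed login records for two such patterns, one source IP cycling through many distinct usernames with a low success rate, and one account receiving failures from many distinct IPs. The log format, the IP addresses and the thresholds are assumptions chosen for illustration.

```python
# Added example (not from the original article): flag the two patterns that
# distinguish credential stuffing from ordinary failed logins in a login log:
# one IP trying many distinct usernames with a low success rate, and one
# account hit by failures from many IPs. Thresholds are illustrative assumptions.
from collections import defaultdict

# Constructed sample records: "timestamp ip username result"
SAMPLE_LOG = """\
2024-01-05T10:00:01 203.0.113.7 alice FAIL
2024-01-05T10:00:02 203.0.113.7 bob FAIL
2024-01-05T10:00:02 203.0.113.7 carol FAIL
2024-01-05T10:00:03 203.0.113.7 dave FAIL
2024-01-05T10:00:03 203.0.113.7 erin OK
2024-01-05T10:00:10 198.51.100.2 alice OK
2024-01-05T10:01:00 192.0.2.10 victim FAIL
2024-01-05T10:01:01 192.0.2.11 victim FAIL
2024-01-05T10:01:02 192.0.2.12 victim FAIL
"""

def parse_log(text):
    """Yield (ip, username, success) tuples from the space-separated log."""
    for line in text.splitlines():
        if not line.strip():
            continue
        _ts, ip, user, result = line.split()
        yield ip, user, result == "OK"

def find_stuffing_sources(records, min_users=5, max_success_rate=0.25):
    """IPs that tried >= min_users distinct accounts with a low success rate."""
    users, attempts, successes = defaultdict(set), defaultdict(int), defaultdict(int)
    for ip, user, ok in records:
        users[ip].add(user)
        attempts[ip] += 1
        successes[ip] += ok  # bool counts as 0 or 1
    return sorted(ip for ip in users
                  if len(users[ip]) >= min_users
                  and successes[ip] / attempts[ip] <= max_success_rate)

def find_targeted_accounts(records, min_ips=3):
    """Accounts with failed logins from >= min_ips distinct source IPs."""
    failing_ips = defaultdict(set)
    for ip, user, ok in records:
        if not ok:
            failing_ips[user].add(ip)
    return sorted(u for u, ips in failing_ips.items() if len(ips) >= min_ips)

if __name__ == "__main__":
    recs = list(parse_log(SAMPLE_LOG))
    print("stuffing source IPs:", find_stuffing_sources(recs))   # ['203.0.113.7']
    print("targeted accounts:", find_targeted_accounts(recs))    # ['victim']
```

IPs flagged by the first check are candidates for the blacklisting step above, while accounts flagged by the second are candidates for a forced password change and a login alert.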