What is a credential stuffing attack?

A credential stuffing attack is one of the most effective ways to take control of accounts. Here's how it works and what you should do to protect your company.

Alanna Titterington
May 7, 2024

Millions of accounts fall victim to credential stuffing attacks each year. The method has become so widespread that back in 2022 one authentication provider reported, on average, one credential stuffing attempt for every two legitimate logins, and there is little reason to think the situation has improved since. In this post we look at how credential stuffing works, what data attackers use, and how you can protect your organization's resources from it.

How credential stuffing attacks work

Credential stuffing is one of the most effective ways to compromise user accounts. Attackers take large databases of previously obtained username and password pairs, collected from accounts on any number of platforms, and try them en masse against other online services in the hope that some will work. Unlike a brute-force attack on a single account, each stolen pair is usually tried only once or twice per target, so the traffic looks like many ordinary failed logins spread across many accounts rather than a concentrated assault on one. The attack preys on the common habit of using the same password for several services, or even a single password for everything, which is why some of the pairs inevitably unlock accounts on platforms where the victim reused that password.

Where do these databases come from? There are three main sources:

- Passwords stolen through mass phishing campaigns and phishing sites.
- Passwords captured by malware written specifically to steal credentials, known as stealers.
- Passwords leaked in breaches of online services.

Data breaches supply by far the largest number of passwords. The record holder is the 2013 Yahoo! breach, which exposed about 3 billion accounts. Note, though, that services normally don't store passwords in plain text; they store password hashes, ideally computed with a per-user salt and a deliberately slow hashing function so that every guess an attacker makes is expensive.
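An added example, not from the original post, of the cracking step that follows a breach: a dictionary attack run against a dump of fast, unsalted hashes, and the same attack against salted PBKDF2 hashes. Every user, password, hash and wordlist entry is constructed for the demonstration, and the iteration count is deliberately low so the demo runs in seconds.

```python
"""Added example (not from the original post): why leaked password hashes
get cracked, and why salted, slow hashing changes the economics.
Every user, password, hash and wordlist entry below is constructed."""
import hashlib
import hmac
import os

# Demo work factor. Production PBKDF2-HMAC-SHA256 should use far more
# (OWASP currently recommends 600,000); kept low so the demo runs quickly.
ITERATIONS = 100_000

# Constructed accounts: two weak, commonly reused passwords and one long
# random password that no wordlist contains.
PLAINTEXT = {
    "alice": "password1",
    "bob": "letmein",
    "carol": "Tq8#vLw2!pRz9mXe",
}

# Constructed miniature wordlist standing in for a real cracking dictionary.
WORDLIST = ["123456", "password", "password1", "qwerty", "letmein", "welcome1"]


def sha1_hex(password: str) -> str:
    """Unsalted SHA-1: the kind of fast hash found in many historical leaks."""
    return hashlib.sha1(password.encode()).hexdigest()


def store_unsalted(passwords: dict[str, str]) -> dict[str, str]:
    return {user: sha1_hex(pw) for user, pw in passwords.items()}


def crack_unsalted(leaked: dict[str, str], wordlist: list[str]) -> tuple[dict[str, str], int]:
    """Dictionary attack on unsalted hashes. Hashing each candidate once
    builds a reverse lookup that covers every user in the dump at once."""
    lookup = {sha1_hex(w): w for w in wordlist}
    found = {user: lookup[h] for user, h in leaked.items() if h in lookup}
    return found, len(wordlist)  # total hash computations


def pbkdf2(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)


def store_salted(passwords: dict[str, str]) -> dict[str, tuple[bytes, bytes]]:
    """Per-user random salt plus a slow key-derivation function."""
    stored = {}
    for user, pw in passwords.items():
        salt = os.urandom(16)
        stored[user] = (salt, pbkdf2(pw, salt))
    return stored


def crack_salted(stored, wordlist):
    """Same dictionary attack, but the salt defeats the shared lookup:
    every candidate must be re-derived for every user, and each
    derivation costs ITERATIONS hash rounds instead of one."""
    found, derivations = {}, 0
    for user, (salt, digest) in stored.items():
        for candidate in wordlist:
            derivations += 1
            if hmac.compare_digest(pbkdf2(candidate, salt), digest):
                found[user] = candidate
                break
    return found, derivations


if __name__ == "__main__":
    found, n = crack_unsalted(store_unsalted(PLAINTEXT), WORDLIST)
    print(f"unsalted SHA-1: cracked {found} with {n} hash computations")
    found, n = crack_salted(store_salted(PLAINTEXT), WORDLIST)
    print(f"salted PBKDF2:  cracked {found} with {n} derivations "
          f"of {ITERATIONS} rounds each")
```

Both runs recover the two weak passwords, which is the point about weak passwords being at greatest risk, and neither touches carol's. What changes is the cost: six cheap hashes cover the whole unsalted dump, while the salted store needs a fresh slow derivation for every (user, candidate) pair, which is what makes a strong unique password genuinely out of reach.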
After a successful breach, attackers have to crack these hashes: hash candidate passwords and look for matches. The simpler and more common the password, the less time and computing power that takes, so users with weak passwords are at greatest risk after a breach. A long random password protected by a properly salted, slow hash is out of practical reach even for a well-resourced attacker, but you cannot tell from the outside how a given service stores its passwords, and plenty have been caught using fast unsalted hashes or even plain text. So however strong your password is, never reuse it across services.

Not surprisingly, stolen password databases keep growing and absorbing new data, producing colossal archives with more entries than there are people on Earth. In January 2024 the largest such collection known to date was discovered: a compilation of earlier leaks containing a staggering 26 billion records.

Protecting against credential stuffing attacks

To shield your organization's resources from credential stuffing, we recommend the following measures:

- Educate your employees on cybersecurity best practices, emphasizing the danger of password reuse.
- Develop and enforce a sensible password policy.
- Encourage the use of password managers to generate and store strong, unique passwords. Many managers also monitor for data breaches and prompt a change when a stored password turns up in a known leak.
- Mandate two-factor authentication wherever possible. It is the single most effective protection against not only credential stuffing but other account takeover attacks too.
- Apply the principle of least privilege so that a successful credential stuffing attack does limited damage.
- And, of course, use reliable protection on all corporate devices.
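The measures above are preventive. As an added example that is not part of the original post, here is what the traffic pattern described earlier (many username and password pairs, each tried once, from one source) looks like in authentication logs, with a small detector that separates it from a user mistyping and from brute force on a single account. The log format, IP addresses and usernames are constructed for the demonstration.

```python
"""Added example (not from the original post): recognising a credential
stuffing run in authentication logs. The log format, IP addresses and
usernames below are constructed for the demonstration."""
import re
from collections import defaultdict

# Constructed log excerpt. 203.0.113.7 is a stuffing run: each stolen
# pair tried once, most failing, one hit on a reused password (dave),
# one username that never existed here. 198.51.100.5 is a real user
# mistyping, 192.0.2.9 a normal login, 203.0.113.50 a brute-force
# attempt on a single account.
LOG = """\
2024-05-07T10:00:01Z src=203.0.113.7 user=alice result=fail reason=bad_password
2024-05-07T10:00:01Z src=203.0.113.7 user=bob result=fail reason=bad_password
2024-05-07T10:00:02Z src=203.0.113.7 user=carol result=fail reason=bad_password
2024-05-07T10:00:02Z src=203.0.113.7 user=dave result=ok
2024-05-07T10:00:03Z src=203.0.113.7 user=eve result=fail reason=bad_password
2024-05-07T10:00:03Z src=203.0.113.7 user=mallory result=fail reason=no_such_user
2024-05-07T10:00:04Z src=203.0.113.7 user=oscar result=fail reason=bad_password
2024-05-07T10:00:04Z src=203.0.113.7 user=peggy result=fail reason=bad_password
2024-05-07T10:00:05Z src=203.0.113.7 user=trent result=fail reason=bad_password
2024-05-07T10:01:10Z src=198.51.100.5 user=erin result=fail reason=bad_password
2024-05-07T10:01:15Z src=198.51.100.5 user=erin result=fail reason=bad_password
2024-05-07T10:01:22Z src=198.51.100.5 user=erin result=fail reason=bad_password
2024-05-07T10:01:30Z src=198.51.100.5 user=erin result=ok
2024-05-07T10:02:00Z src=192.0.2.9 user=frank result=ok
2024-05-07T10:03:00Z src=203.0.113.50 user=admin result=fail reason=bad_password
2024-05-07T10:03:01Z src=203.0.113.50 user=admin result=fail reason=bad_password
2024-05-07T10:03:02Z src=203.0.113.50 user=admin result=fail reason=bad_password
2024-05-07T10:03:03Z src=203.0.113.50 user=admin result=fail reason=bad_password
2024-05-07T10:03:04Z src=203.0.113.50 user=admin result=fail reason=bad_password
2024-05-07T10:03:05Z src=203.0.113.50 user=admin result=fail reason=bad_password
"""

LINE_RE = re.compile(
    r"src=(?P<src>\S+) user=(?P<user>\S+) result=(?P<result>ok|fail)"
    r"(?: reason=(?P<reason>\S+))?"
)


def parse(log: str) -> list[dict]:
    """One dict per parseable line; malformed lines are skipped."""
    return [m.groupdict() for line in log.splitlines() if (m := LINE_RE.search(line))]


def summarize(events: list[dict]) -> dict[str, dict]:
    """Per-source counters: attempts, failures, failures against
    non-existent users, distinct usernames, and users that logged in."""
    by_src = defaultdict(lambda: {"attempts": 0, "fails": 0, "unknown": 0,
                                  "users": set(), "successes": []})
    for e in events:
        s = by_src[e["src"]]
        s["attempts"] += 1
        s["users"].add(e["user"])
        if e["result"] == "fail":
            s["fails"] += 1
            if e["reason"] == "no_such_user":
                s["unknown"] += 1
        else:
            s["successes"].append(e["user"])
    return by_src


def flag_stuffing(events, min_users=5, min_fail_ratio=0.8, max_attempts_per_user=2.0):
    """Stuffing signature: many distinct usernames from one source, nearly
    all failing, with only one or two attempts per username. A real user
    retrying (one username) and brute force (many attempts on one
    username) both fall outside it."""
    flagged = {}
    for src, s in summarize(events).items():
        fail_ratio = s["fails"] / s["attempts"]
        per_user = s["attempts"] / len(s["users"])
        if (len(s["users"]) >= min_users and fail_ratio >= min_fail_ratio
                and per_user <= max_attempts_per_user):
            flagged[src] = {
                "distinct_users": len(s["users"]),
                "fail_ratio": round(fail_ratio, 2),
                "unknown_users": s["unknown"],
                # accounts that accepted a stolen pair: reset these first
                "successes": s["successes"],
            }
    return flagged


if __name__ == "__main__":
    for src, info in flag_stuffing(parse(LOG)).items():
        print(src, info)
```

The thresholds are placeholders for the example; tune them to the service's normal login mix. The "successes" list from a flagged source is the actionable output: those are accounts whose reused password has just been confirmed, and they need a forced reset and a look at what the session did. Failures against usernames that do not exist are a useful secondary signal, since a stuffing list built elsewhere will contain names your service has never seen.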