{"id":51199,"date":"2024-05-07T09:59:15","date_gmt":"2024-05-07T13:59:15","guid":{"rendered":"https:\/\/www.kaspersky.com\/blog\/?p=51199"},"modified":"2024-05-07T09:59:15","modified_gmt":"2024-05-07T13:59:15","slug":"what-is-credential-stuffing","status":"publish","type":"post","link":"https:\/\/www.kaspersky.com\/blog\/what-is-credential-stuffing\/51199\/","title":{"rendered":"What is a credential stuffing attack?"},"content":{"rendered":"<p>Millions of accounts fall victim to credential stuffing attacks each year. This method has become so widespread that back in 2022, one authentication provider reported <a href=\"https:\/\/www.bleepingcomputer.com\/news\/security\/okta-credential-stuffing-accounts-for-34-percent-of-all-login-attempts\/\" target=\"_blank\" rel=\"nofollow noopener\">an average of one credential stuffing attempt for every two legitimate account logins<\/a>. And it\u2019s unlikely that the situation has improved over the past couple of years. In this post, we\u2019ll discuss in detail how credential stuffing works, what data attackers use, and how you can protect your organization\u2019s resources from such attacks.<\/p>\n<h2>How credential stuffing attacks work<\/h2>\n<p>Credential stuffing is one of the most effective ways to compromise user accounts. Attackers leverage vast databases of pre-obtained usernames and passwords for accounts registered on various platforms. They then try these credentials en masse on other online services, hoping that some will work.<\/p>\n<p>This attack preys on the unfortunate habit that many people have of using the same password for multiple services \u2013 sometimes even relying on a single password for everything. As a result, attackers inevitably succeed in hijacking accounts with passwords that victims have used on other platforms.<\/p>\n<p>Where do these databases come from? 
There are three main sources:<\/p>\n<ul>\n<li>Passwords stolen through mass phishing campaigns and phishing sites.<\/li>\n<li>Passwords intercepted by malware specifically designed to steal credentials \u2013 known as stealers.<\/li>\n<li>Passwords leaked through breaches of online services.<\/li>\n<\/ul>\n<p>Data breaches provide cybercriminals with the most impressive number of passwords. The record holder is the 2013 Yahoo! breach that <a href=\"https:\/\/www.theverge.com\/2017\/10\/3\/16414306\/yahoo-security-data-breach-3-billion-verizon\" target=\"_blank\" rel=\"nofollow noopener\">exposed a whopping 3 billion records<\/a>.<\/p>\n<p>It\u2019s important to note that services typically don\u2019t store passwords in plain text <a href=\"https:\/\/www.kaspersky.com\/blog\/how-to-store-passwords\/49101\/\" target=\"_blank\" rel=\"nofollow noopener\">but use so-called hashes instead<\/a>. After a successful breach, attackers need to crack these hashes. The simpler the password, the less time and resources it takes to crack it. Therefore, users with weak passwords are most at risk after a data breach.<\/p>\n<p>However, if cybercriminals really need it, even the strongest password in the world is likely to be cracked eventually if its hash was exposed in a leak. So no matter how strong your password is, avoid using it across multiple services.<\/p>\n<p>Not surprisingly, stolen password databases continue to grow and accumulate new data. This results in colossal archives containing entries far exceeding the population of the Earth. 
In January 2024, the largest password database known to date was discovered, containing a staggering <a href=\"https:\/\/cybernews.com\/security\/billions-passwords-credentials-leaked-mother-of-all-breaches\/\" target=\"_blank\" rel=\"nofollow noopener\">26 billion records<\/a>.<\/p>\n<h2>Protecting against credential stuffing attacks<\/h2>\n<p>To shield your organization\u2019s resources from credential stuffing attacks, we recommend implementing the following security measures:<\/p>\n<ul>\n<li><a href=\"https:\/\/k-asap.com\/en\/?icid=gl_kdailyplacehold_acq_ona_smm__onl_b2b_kasperskydaily_wpplaceholder____kasap___\" target=\"_blank\" rel=\"noopener\">Educate your employees on cybersecurity best practices<\/a>, emphasizing the dangers of password reuse.<\/li>\n<li>Develop and enforce a <a href=\"https:\/\/www.kaspersky.com\/blog\/bad-password-policies\/49212\/\" target=\"_blank\" rel=\"noopener nofollow\">sensible password policy<\/a>.<\/li>\n<li>Encourage the use of <a href=\"https:\/\/www.kaspersky.com\/password-manager?icid=gl_kdailyplacehold_acq_ona_smm__onl_b2c_kasperskydaily_wpplaceholder____kpm___\" target=\"_blank\" rel=\"noopener nofollow\">password managers<\/a> to generate and store strong and unique character combinations. The application will also monitor for data breaches and recommend changing a password if it is already in a known database.<\/li>\n<li>Finally, mandate the use of <a href=\"https:\/\/www.kaspersky.com\/blog\/what-is-two-factor-authentication\/48289\/\" target=\"_blank\" rel=\"noopener nofollow\">two-factor authentication<\/a> wherever possible. 
It\u2019s the most effective way to protect against not only credential stuffing but also other account takeover attacks.<\/li>\n<\/ul>\n<p>In addition, apply the <a href=\"https:\/\/www.kaspersky.com\/blog\/what-is-the-principle-of-least-privilege\/50232\/\" target=\"_blank\" rel=\"noopener nofollow\">principle of least privilege<\/a> to mitigate the impact of successful credential stuffing attacks in advance and, of course, use <a href=\"https:\/\/www.kaspersky.com\/small-to-medium-business-security?icid=gl_kdailyplacehold_acq_ona_smm__onl_b2b_kasperskydaily_wpplaceholder_______\" target=\"_blank\" rel=\"noopener nofollow\">reliable protection<\/a> on all corporate devices.<\/p>\n","protected":false},"excerpt":{"rendered":"<p>A credential stuffing attack is one of the most effective ways to take control of accounts. Here\u2019s how it works and what you should do to protect your company.<\/p>\n","protected":false},"author":2726,"featured_media":51200,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"_acf_changed":false,"footnotes":""},"categories":[1999,3051,3052,2683],"tags":[1218,3146,2672,111,2141,405,187,422],"class_list":{"0":"post-51199","1":"post","2":"type-post","3":"status-publish","4":"format-standard","5":"has-post-thumbnail","7":"category-business","8":"category-enterprise","9":"category-smb","10":"category-threats","11":"tag-2fa","12":"tag-account-hijacking","13":"tag-accounts","14":"tag-attacks","15":"tag-business","16":"tag-password-manager","17":"tag-passwords","18":"tag-threats"},"hreflang":[{"hreflang":"x-default","url":"https:\/\/www.kaspersky.com\/blog\/what-is-credential-stuffing\/51199\/"},{"hreflang":"en-in","url":"https:\/\/www.kaspersky.co.in\/blog\/what-is-credential-stuffing\/27404\/"},{"hreflang":"en-ae","url":"https:\/\/me-en.kaspersky.com\/blog\/what-is-credential-stuffing\/22728\/"},{"hreflan
g":"en-us","url":"https:\/\/usa.kaspersky.com\/blog\/what-is-credential-stuffing\/30089\/"},{"hreflang":"en-gb","url":"https:\/\/www.kaspersky.co.uk\/blog\/what-is-credential-stuffing\/27559\/"},{"hreflang":"ru","url":"https:\/\/www.kaspersky.ru\/blog\/what-is-credential-stuffing\/37385\/"},{"hreflang":"ru-kz","url":"https:\/\/blog.kaspersky.kz\/what-is-credential-stuffing\/27709\/"},{"hreflang":"en-au","url":"https:\/\/www.kaspersky.com.au\/blog\/what-is-credential-stuffing\/33558\/"},{"hreflang":"en-za","url":"https:\/\/www.kaspersky.co.za\/blog\/what-is-credential-stuffing\/33220\/"}],"acf":[],"banners":"","maintag":{"url":"https:\/\/www.kaspersky.com\/blog\/tag\/passwords\/","name":"passwords"},"_links":{"self":[{"href":"https:\/\/www.kaspersky.com\/blog\/wp-json\/wp\/v2\/posts\/51199","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.kaspersky.com\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.kaspersky.com\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.kaspersky.com\/blog\/wp-json\/wp\/v2\/users\/2726"}],"replies":[{"embeddable":true,"href":"https:\/\/www.kaspersky.com\/blog\/wp-json\/wp\/v2\/comments?post=51199"}],"version-history":[{"count":1,"href":"https:\/\/www.kaspersky.com\/blog\/wp-json\/wp\/v2\/posts\/51199\/revisions"}],"predecessor-version":[{"id":51201,"href":"https:\/\/www.kaspersky.com\/blog\/wp-json\/wp\/v2\/posts\/51199\/revisions\/51201"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/www.kaspersky.com\/blog\/wp-json\/wp\/v2\/media\/51200"}],"wp:attachment":[{"href":"https:\/\/www.kaspersky.com\/blog\/wp-json\/wp\/v2\/media?parent=51199"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.kaspersky.com\/blog\/wp-json\/wp\/v2\/categories?post=51199"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.kaspersky.com\/blog\/wp-json\/wp\/v2\/tags?post=51199"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","te
mplated":true}]}}