Dozens of major data breaches in the U.S. have leaked countless usernames and passwords to the dark web and into the hands of hackers. Yours may be among them, and if you reused your passwords elsewhere, your accounts could be at risk of credential stuffing.
What is Credential Stuffing?
Credential stuffing is when cybercriminals use your stolen credentials from one account and use them on another, trying to steal data or for an account takeover. Usernames and passwords are leaked or stolen in data breaches frequently, and they end up in massive databases on the dark web for sale. Anyone who purchases them may have your account details. Once they do, they will try to use them on other accounts such as bank accounts, Netflix, credit card company accounts, and other places.
Statistics show that credential stuffing is one of the major causes of subsequent data breaches. The problem is that roughly 65% of people reuse usernames/emails and passwords on multiple accounts, making it easy for criminals to get in. Threat experts say there are billions of stolen credentials online, among them some of yours are probably included.
Credential stuffing is often confused with brute force attacks, but they are different. Brute force attacks are another type of cyberattack where hackers use automation to guess random passwords rather than use those stolen in a data breach.
How Does a Credential Stuffing Attack Work?
Typically, a hacker will get ahold of a batch of user credentials and create or purchase a program or use a network of linked devices (botnet) that automatically trolls the intent and tries those credentials on other logins.
These large-scale attacks can overwhelm a system and cause a Distributed Denial of Service (DDoS) attack in the process. Often hackers use a botnet so that each login appears to come from a different IP address, so they do not get locked out from too many attempts from the same location. Online login forms often limit floods of activity to shut out hackers.
The Value of Credential Harvesting
Some of the most valuable credentials found on the dark web are for Netflix, Disney+, and Spotify. Bank accounts, credit cards, web applications, and other financial logins are also especially profitable for cybercriminals.
Email accounts, social security numbers, driver’s license numbers, passports, and other personally identifiable information (PII) is also like gold to hackers because they can use it for identity theft or fraud.
In recent years hackers have combined large numbers of data breach sets into massive databases called “Collections” to date, there are Collections #1-5 totaling billions of username/password combinations. Since these compilations, credential stuffing attacks have spiked. These collections range in price from $9,350 (Bitcoin) to $20,000 on the dark web.
The good news is many of these login credentials were stolen in old data breaches, and the owners have since changed their passwords, so they no longer work.
Attackers have to use millions of account credentials to achieve even a 1-2% success rate. Some attackers simply want to break in only to steal more information to sell on the dark web. Others take over the account and change the login so that the rightful owner can no longer access it. In other cases, they may steal money or credit card numbers stored within the account and charge purchases on them. The worst is when they can access your bank account and drain the funds before you find out about it.
Credential Stuffing Prevention
The best way you can protect yourself against credential harvesting is to always use unique passwords on all of your accounts and change them often. Some other tips to stay safe and prevent this type of attack are:
Use really long, strong passwords on all your accounts.
Avoid password reuse at all costs.
Invest in a good password vault or a password manager to keep all your password pairs locked up safe.
Turn on two-factor authentication whenever possible on all your online accounts.
Never click links in emails or download attachments. Hackers get you to provide credentials using phishing attacks. Links and downloads often install malware on your device.
Use biometric or multi-factor authentication (like fingerprinting) for logging in. Many mobile apps allow this.
Protect your personal data whenever possible.
Use IDStrong’s random strong password generator
What Are Companies Doing to Avoid Credentials Stuffing?
Companies like Netflix, Google, Nest, and Dunkin’ Donuts have experienced huge credential stuffing attacks. Since then, many of these large companies are beefing up their cybersecurity measures. Some like Google may force a password reset after a specific length of time or lock you out after a certain number of failed login requests. Some organizations actually check data breaches in a very proactive approach to see if their user’s accounts were found and then force a password reset.
Threat experts suggest that companies get in the habit of tracking IP addresses when an account is breached to create a blacklist of spoiled IPs, which will hamper the attackers’ efforts. Basecamp withstood an attack of 30,000 failed login attempts in one hour. They immediately began blocking IPs and added a CAPTCHA to their login form to prevent automated logins from non-legitimate users. That one attack resulted in only 124 user accounts being compromised.
Another very effective way to prevent credential harvesting from the corporate side of things is to institute two-factor authentication into your system. It will require that anyone trying to log in provide additional information such as a text message or emailed code. Even if a hacker has authentic credentials, they won’t likely be able to continue without that code. It may prevent a good number of user accounts from being breached. Another option is to invest in biometric logins or multi factor authentication (MFA) and ditch passwords altogether.
Even though the loss for the customer may be significant, the impact on a retailer is even worse. Your reputation may be tarnished, and you may lose business as backlash for not protecting user accounts as well as possible.
Another side effect may be a blow to your information security department and downtime of your systems. Putting preventative measures into place is less costly in the long run. As these attacks become more prevalent, there is also the question of compliance. Some government agencies (such as the GDPR) sanction companies that do not do enough to protect their customers’ and employees’ data.