Credential stuffing is one of the simplest types of external cyber attacks. Stolen account credentials typically consisting of lists of user names or email addresses and their corresponding passwords obtained from a data breach is used to gain access to other websites and services.
As human nature, we try to keep things as simple as we possibly can. Therefore it is not unusual for users to use the same email address, usernames, and the simplest and weakest password combinations across multiple sites. This practice makes the job of an attacker quite easy as they can use one piece of credential information to unlock numerous accounts.
Attackers will obtain stolen credentials from previous breaches that have been leaked. The stolen credentials can be found at the dark web, market places, and forums.
The strategy behind a credential stuffing attack is very straightforward. The attacker will take a list of email, username and password combinations and try to “stuff” those credentials into the login pages of other websites and services of interest. The list can range from hundred to one million usernames and passwords. The attacker(s) will launch a credential stuffing attack through the use of Botnets and the use of an automated script that cycles through the username and passwords obtained against multiple websites.
Due to the majority of reused and weak passwords, there is always a probability of a 1-2 percent success rate for account takeovers.
Attackers can look to monetize their credential stuffing attack once they have gained access to user accounts by stealing more personal data, gift card balances, credit card numbers, and more. The increased access to information makes the credential stuffing attack even more worthwhile.
Regularly check to see if your email accounts have been compromised on sites such as haveibeenpwned. This allows you to search across multiple data breaches to see if your email address has been compromised.
If your email account comes up against as an account that has been part of a security breach on a website, change your password for that account, but please remember if you are using the same password for multiple sites to change your password on other websites and services