Credential stuffing: Everything you need to know

Cyber    Vick Sandhu, February 18 2020
3 mins

Vick Sandhu

Cyber Analyst

Credential stuffing is one of the simplest types of external cyber attacks. Stolen account credentials typically consisting of lists of user names or email addresses and their corresponding passwords obtained from a data breach is used to gain access to other websites and services.

This post is part of a visual breakdown of credential stuffing attacks

As human nature, we try to keep things as simple as we possibly can. Therefore it is not unusual for users to use the same email address, usernames, and the simplest and weakest password combinations across multiple sites. This practice makes the job of an attacker quite easy as they can use one piece of credential information to unlock numerous accounts.

Attackers will obtain stolen credentials from previous breaches that have been leaked. The stolen credentials can be found at the dark web, market places, and forums.

The strategy behind a credential stuffing attack is very straightforward. The attacker will take a list of email, username and password combinations and try to “stuff” those credentials into the login pages of other websites and services of interest. The list can range from hundred to one million usernames and passwords. The attacker(s) will launch a credential stuffing attack through the use of Botnets and the use of an automated script that cycles through the username and passwords obtained against multiple websites.

Due to the majority of reused and weak passwords, there is always a probability of a 1-2 percent success rate for account takeovers.

Attackers can look to monetize their credential stuffing attack once they have gained access to user accounts by stealing more personal data, gift card balances, credit card numbers, and more. The increased access to information makes the credential stuffing attack even more worthwhile.

How to prevent yourself from being a victim of a credential stuffing attack

Regularly check to see if your email accounts have been compromised on sites such as haveibeenpwned. This allows you to search across multiple data breaches to see if your email address has been compromised.

If your email account comes up against as an account that has been part of a security breach on a website, change your password for that account, but please remember if you are using the same password for multiple sites to change your password on other websites and services

  • Use strong passwords - Use hard-to-crack passwords. Never ever set a password that contains birthdays, anniversary dates, or simply your name. Hackers can easily find this information with a little digging. Ensure that the passwords are 8-10 characters long. Always use a combination of a wide variety of character types, including uppercase and lowercase letters, numbers, special characters, spaces or underscores.
  • Save passwords at a safe place - Don’t store passwords at locations in your computer system where it can be easily viewed and accessed by hackers. Also, never say out your passwords loud to anyone. Start using a password manager application that allows you to store, manage, and secure passwords for multiple accounts. These passwords are stored in an encrypted manner, which means that all your passwords are safe and secure. But, the only thing you need to keep in mind is to have a very strong password for your password manager application.
  • Use two-factor authentication security method - Two-way authentication method is one of the most powerful ways to mitigate the risks of attacks
  • Change passwords frequently - One of the basic ways to defend against credential stuffing attacks is to set unique passwords and to change it regularly. Never use the same passwords across multiple accounts.