What is credential stuffing & how does it work?
Credential stuffing is a ‘brute force attack’ that uses bots to automatically inject combinations of usernames and passwords collected from previously breached data files until they match an existing account. Credential stuffing occurs when your company or several companies fail to protect their data.
Attacks typically comprise of three elements:
- Attackers build a document containing your email address and various passwords
- A bot uses a brute force attack using combinations of all these email addresses and passwords
- When a bot finds a match to an existing account, the cybercriminal now has access to your data
Why do attackers use credential stuffing?
It is the most effective type of brute force attack and more successful than attacks that guess passwords based on ‘dictionaries’ of common password and password selection errors. Credit card fraud is the most popular motive, allowing criminals to make purchases from false accounts; hence, eCommerce businesses are usually the target/victim.
Credential stuffing allows cybercriminals to:
- Gain access to accounts
- Sell data to other criminals
- Commit ID theft and fraud
- Ransom the information in the account (extortion)
- Damage a company’s or individual’s reputation.
Is credential stuffing illegal?
Yes – It is unlawful to attempt unauthorised acquisition of personal information that compromises the security, confidentiality, or integrity of personal information. Basically, it is illegal to have this information and illegal to use it. GDPR laws state how companies and individuals collect, store and use personal data.
How common is credential stuffing?
Billions of records are being stolen, making credential stuffing one of the most common techniques used to access online accounts.
The potential consequences of attacks
- Unsuccessful attack
- Traffic spikes
- Analytic anomalies
- Server downtime
- Successful attack
- Reputational damage – the company loses business and partners
- Financial damage – up to 4% of global annual turnover, if found in violation of the EU’s General Data Protection Regulation (GDPR).
- Feelings of being violated, fear, and anxiety.
- While some cybercriminals will only take a small amount regularly in the hopes that the lost money isn’t noticed, some attackers will take a devastating amount, preventing individuals from upholding commitments, getting them into debt, and causing a bad credit rating. Some attackers make purchases from credit cards knowing that the person can request a chargeback; however, this hurts the merchant. Learn more about chargeback management here.
- There are further additional costs when considering the time it takes to investigate and resolve cases.
How to detect credential stuffing
You can spot credential stuffing by noticing continuously failed logins. The software can help detect this with a bot detection solution that provides a user attempts suit report.
How to prevent credential stuffing:
Four steps that will help you prevent credential stuffing include:
- Penetration testing to prevent data breaches as a company
- Using strong password security and password managers to protect yourself as an individual
- Companies introducing multi-factor / biometric authentication as an option
- Training workforce members to defend against automated e-commerce bot attacks
What to do if you have been a victim of credential stuffing
Companies should introduce and follow their Business Continuity (BC) and Disaster Recovery (DC) plan. Individuals should follow the advice outlined by the company. Alert the authorities.
Credential stuffing in the news
- Dunkin’ Donuts was the victim of an account takeover attack. Cybercriminals used usernames and passwords from previous data breaches to access 1,200 customer DD Perks rewards accounts intending to sell access to the accounts and their reward points.
- Disney+ streaming service was hit by disruption as vast volumes of previously stolen user names and passwords were tested and then put up for sale on dark web forums.