Credential Stuffing Explained

Why Businesses And Individuals Are At Risk

In today’s world, where we have access to so many different services, applications and online retail markets, we have never relied more heavily on login credentials (typically a username + password). Every online service we engage with requires an account, and each of those accounts SHOULD have its own unique credentials. However, that is typically not the case.

In the 2019 Google/Harris Online Security Survey, 52% of participants used the same password for multiple accounts, while 13% used the same password for all accounts. Password reuse has not declined as it should have since then: according to the Spycloud 2024 Annual Identity Exposure Report, 74% of victims involved in more than one data breach were reusing their passwords.

Source: Spycloud, 2024

Reusing passwords is easy and convenient, but it is also careless and negligent toward yourself, your business, and any of the services you engage with online. The main reason is that it creates a major vulnerability in the security systems that are supposed to be protecting you. Think of it as locking the front door to your home every night, but leaving the spare key in plain sight. It makes it easier for threat actors to do considerable damage, and they achieve this with a common cyber technique called Credential Stuffing.


Understanding Credential Stuffing

Credential stuffing isn't a complex hack exploiting software vulnerabilities. Instead, it's a type of brute force tactic where cybercriminals leverage vast databases of stolen usernames and passwords, often obtained from major data breaches. They then use automated bots to try these leaked credentials on countless websites, hoping that victims have reused their logins across different platforms. Here is a worked example of how credential stuffing can affect someone who reuses their password for multiple popular services:

Credential Stuffing Attack

Why Is It So Dangerous?

  1. It's Automated and Scalable: Bots work tirelessly, trying thousands of username-password combinations per minute on numerous sites. This automation amplifies the threat potential.

  2. Reusing Passwords is the Key Weakness: Many people use the same passwords across various platforms. A single data breach gives attackers the ammunition they need to potentially compromise other accounts.

  3. Difficult to Distinguish: Credential stuffing attacks can mimic legitimate login traffic, making detection challenging for standard security systems.

Consequences for Individuals and Businesses

  • Account Takeovers: Successful credential stuffing attacks can allow hackers to take over your accounts on e-commerce sites, social media, or even your bank, leading to financial fraud or identity theft.

  • Data Theft: Attackers can access and steal sensitive data stored within compromised accounts.

  • Brand Damage: Businesses suffering credential stuffing attacks often experience reputational harm as customers lose trust.

How to Protect Yourself and Your Business

  1. Unique, Strong Passwords Are Paramount: The number one defense! Use a unique, complex password for every single online account. A password manager can be a lifesaver for storing and generating strong passwords.

  2. Enable Multi-Factor Authentication (MFA): MFA adds an extra layer of protection by requiring a code sent to your phone or generated by an app, in addition to your password. Where possible, rather than just a temporary SMS code, opt for a biometric factor such as a fingerprint scan, as this is far more secure than SMS, which is open to other attack vectors.

  3. Monitor for Data Breaches: Services like “Have I Been Pwned?” (https://haveibeenpwned.com/) allow you to check whether your email address has appeared in known breaches. Change your passwords immediately if you find yourself affected. Additionally, security software such as Nord, Trend Micro or Norton360 will have a feature to check for breached data.

  4. For Businesses: Invest in Robust Defences: Consider implementing security solutions tailored to detect and stop credential stuffing, such as:

    • Bot detection and mitigation technologies

    • IP reputation monitoring

    • Rate limiting (restricting the number of login attempts)

    • Enforcing strict password and MFA policies
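One way to put the rate-limiting and bot-detection idea above into practice, as an added example (not the page's own code and not any vendor's product): flag a source address that tries many different usernames with a high failure ratio inside a short window, which is the pattern that separates credential stuffing from a legitimate user retrying one account. The log format, the IP addresses and the thresholds are constructed assumptions.

```python
"""Credential-stuffing detector run over constructed authentication log lines.

Heuristic: one source IP attempting many *distinct* usernames within a short
window, mostly failing, looks like stuffing; one user retrying their own
account does not. Thresholds below are assumptions to tune per environment.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log (not from any real system): timestamp ip username result
SAMPLE_LOG = """\
2024-05-01T10:00:01 203.0.113.7 alice FAIL
2024-05-01T10:00:02 203.0.113.7 bob FAIL
2024-05-01T10:00:02 203.0.113.7 carol FAIL
2024-05-01T10:00:03 203.0.113.7 dave SUCCESS
2024-05-01T10:00:03 203.0.113.7 erin FAIL
2024-05-01T10:00:04 203.0.113.7 frank FAIL
2024-05-01T10:00:10 198.51.100.2 alice FAIL
2024-05-01T10:00:15 198.51.100.2 alice FAIL
2024-05-01T10:00:20 198.51.100.2 alice SUCCESS
"""

def parse_log(text):
    """Yield (timestamp, ip, user, succeeded) from the whitespace-separated format above."""
    for line in text.splitlines():
        ts, ip, user, result = line.split()
        yield datetime.fromisoformat(ts), ip, user, result == "SUCCESS"

def find_stuffing_sources(text, window=timedelta(seconds=60),
                          min_users=5, min_fail_ratio=0.6):
    """Return {ip: (distinct_users, fail_ratio)} for IPs that exceed both
    thresholds inside any sliding window of length `window`."""
    events = defaultdict(list)
    for ts, ip, user, ok in parse_log(text):
        events[ip].append((ts, user, ok))
    flagged = {}
    for ip, evs in events.items():
        evs.sort()
        start = 0
        for end in range(len(evs)):
            # Advance the window start until evs[start:end+1] fits in `window`.
            while evs[end][0] - evs[start][0] > window:
                start += 1
            span = evs[start:end + 1]
            users = {u for _, u, _ in span}
            fails = sum(1 for _, _, ok in span if not ok)
            ratio = fails / len(span)
            if len(users) >= min_users and ratio >= min_fail_ratio:
                flagged[ip] = (len(users), round(ratio, 2))  # keep widest match
    return flagged
```

In the sample, 203.0.113.7 is flagged (six usernames, 83% failures in a few seconds) while 198.51.100.2, a single user retrying, is not; a flagged source is what the rate limiter or bot-mitigation layer would then throttle or challenge.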

Stay Vigilant

Credential stuffing exploits common bad habits like password reuse. By prioritizing unique passwords and taking advantage of the security measures available, you significantly strengthen your defences. Remember, cybersecurity is an ongoing process – stay informed, and don't hesitate to consult with cyber security professionals like us to ensure your online accounts and sensitive data remain protected.

Let us help you!

Local Defence Brisbane specializes in helping businesses and individuals mitigate cyber threats. Contact us for a security assessment and guidance on implementing the best defences against credential stuffing and other attacks.

References:

Google/Harris 2019, Online Security Survey.

Spycloud 2024, Annual Identity Exposure Report.

Mueller, N 2021, Credential Stuffing, OWASP, <https://owasp.org/www-community/attacks/Credential_stuffing>.
