Have you ever heard of credential stuffing? If not, it’s understandable: with so many different threats to online security, it’s hard to keep track of the latest techniques used by cybercriminals to get hold of your confidential data.
Because credential stuffing is becoming increasingly popular, in this post we’ll take a look at it more closely, and we’ll give you a few tips on what you can do to protect yourself from it.
The term credential stuffing started making the headlines in recent years following a series of major data breaches that revealed the login credentials of a staggering number of users. For example, in two separate attacks, the details of a combined 1.5 billion Yahoo! users were compromised in 2016 (yep, that’d be about 20% of the Earth’s population).
Credential stuffing happens when cybercriminals get hold of lists of usernames and their corresponding passwords that have been leaked in previous cyberattacks (such as those that were part of the Yahoo! breach).
When a breach occurs, the lists of compromised accounts are often made available on some less-than-reputable areas of the internet, like the dark web, either for free or for a fee. Once criminals have their hands on the information they can use it to organize a credential stuffing attack.
Using either an automatic script that they’ve written, or ready-made software that they’ve bought off the shelf, the criminals employ a botnet of infected computers under their control to try to automatically log into all accounts for which they have the credentials.
Each attempt looks legitimate because it uses genuine credentials that might still be valid. Typically only about 0.1-0.2% of the total login attempts are successful, but if the list of stolen credentials is large enough, this can still amount to thousands of matching accounts.
Once attackers have access to these accounts, they drain them of anything they find valuable, such as gift vouchers, credit card numbers, and other private information that they can also use for other nefarious activities (spamming, identity theft… you name it!).
The threat from credential stuffing is amplified by the fact that, most of the time, an email address and a password are all that is needed to log into someone’s account. And if, like many people, you use the same password for multiple accounts, you’re leaving yourself especially vulnerable to this kind of attack if your credentials are leaked.
Successful credential stuffing attacks can claim multiple victims: the users whose data was stolen, but also the companies or websites that have to deal with sudden mass login attempts. During a credential stuffing attack, the number of attempted logins can increase dramatically, to the point of outnumbering the legitimate attempts from real customers.
Because the company’s computer systems are often not equipped for dealing with such a high volume of logins, genuine users may find that they can’t access their accounts, or that the website is unresponsive.
How can you protect yourself from credential stuffing?
Companies can protect against credential stuffing by regularly reviewing their security procedures and applying measures at a system level, such as blacklisting IP addresses that generate abnormal volumes of login attempts and analyzing browser information for discrepancies between login attempts.
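As an added illustration of the system-level measures just mentioned (this is example code written for this post, not a product or the site's own tooling), the following Python script runs three simple checks over a handful of constructed authentication-log lines: the overall failure ratio (a stuffing run drives it up, as the 0.1-0.2% success rate implies), IP addresses that try many distinct usernames (candidates for blocklisting), and successful logins whose browser string is shared across many unrelated accounts (the "browser information discrepancy" worth reviewing). The log format, thresholds and IP addresses are assumptions made for the example.

```python
"""Toy credential-stuffing detector over constructed auth-log lines (example, not real data)."""
from collections import defaultdict

# Constructed sample log: "<timestamp> <ip> <username> <browser/user-agent> <result>".
# The first three lines are ordinary traffic; 192.0.2.10 is an automated run
# hitting ten different accounts with a scripting client and getting one hit.
SAMPLE_LOG = """\
2019-03-01T10:00:01 203.0.113.7 alice Firefox/65 success
2019-03-01T10:00:05 203.0.113.7 alice Firefox/65 success
2019-03-01T10:01:00 198.51.100.9 bob Chrome/72 fail
2019-03-01T10:01:02 198.51.100.9 bob Chrome/72 success
2019-03-01T10:02:00 192.0.2.10 alice python-requests/2.21 fail
2019-03-01T10:02:00 192.0.2.10 bob python-requests/2.21 fail
2019-03-01T10:02:01 192.0.2.10 carol python-requests/2.21 fail
2019-03-01T10:02:01 192.0.2.10 dave python-requests/2.21 fail
2019-03-01T10:02:02 192.0.2.10 erin python-requests/2.21 fail
2019-03-01T10:02:02 192.0.2.10 frank python-requests/2.21 success
2019-03-01T10:02:03 192.0.2.10 grace python-requests/2.21 fail
2019-03-01T10:02:03 192.0.2.10 heidi python-requests/2.21 fail
2019-03-01T10:02:04 192.0.2.10 ivan python-requests/2.21 fail
2019-03-01T10:02:04 192.0.2.10 judy python-requests/2.21 fail
"""


def parse_log(text):
    """Turn each well-formed line into an event dict; malformed lines are skipped."""
    events = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 5:
            continue
        ts, ip, user, agent, result = parts
        events.append({"ts": ts, "ip": ip, "user": user,
                       "agent": agent, "ok": result == "success"})
    return events


def failure_ratio(events):
    """Fraction of attempts that failed; a stuffing run pushes this close to 1."""
    if not events:
        return 0.0
    return sum(1 for e in events if not e["ok"]) / len(events)


def high_fanout_ips(events, max_users_per_ip=5):
    """IPs that attempted more distinct usernames than a real customer plausibly would."""
    users_by_ip = defaultdict(set)
    for e in events:
        users_by_ip[e["ip"]].add(e["user"])
    return {ip for ip, users in users_by_ip.items() if len(users) > max_users_per_ip}


def shared_agent_logins(events, max_users_per_agent=3):
    """Successful logins whose browser string was also used against many other accounts.

    One browser identity spread across unrelated accounts is the kind of
    discrepancy that marks a shared automation tool rather than a person.
    """
    users_by_agent = defaultdict(set)
    for e in events:
        users_by_agent[e["agent"]].add(e["user"])
    suspicious = {a for a, users in users_by_agent.items() if len(users) > max_users_per_agent}
    return [(e["user"], e["ip"], e["agent"])
            for e in events if e["ok"] and e["agent"] in suspicious]


def report(text):
    """Summarise what an operator would act on: IPs to block, accounts to review."""
    events = parse_log(text)
    return {
        "failure_ratio": round(failure_ratio(events), 3),
        "block_ips": sorted(high_fanout_ips(events)),
        "review_accounts": shared_agent_logins(events),
    }


if __name__ == "__main__":
    for key, value in report(SAMPLE_LOG).items():
        print(f"{key}: {value}")
```

On the sample data the report flags 192.0.2.10 for blocking and singles out frank's account for review, because the one successful login from that run arrived through a client string that was also used against nine other accounts. Real deployments would apply the same logic over sliding time windows and compare each account's browser string against its own history rather than against a fixed threshold.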
As an individual, the precautions you can adopt to avoid falling victim to this type of cyberattack are much simpler. These measures will only take you a few minutes and are part of any good computer security routine and, as a bonus, they don’t just protect you against credential stuffing, but against other security risks, too!
1) Use a unique password for every account
The first and most important step you can take to keep your accounts secure is pretty basic: do not reuse your passwords. If each of your passwords is unique and details of one account are revealed, hackers won’t be able to use credential stuffing on your other accounts.
The reason why most people don’t bother making up a new password every time they create an account is because they have too many to remember them all (and given that the average user has 23 personal password-protected accounts to keep up with, it would be a rather difficult feat).
If you also struggle with managing so many accounts, instead of reusing your password you should get a password manager that will help you create random, unique passwords and store your credentials. Because password management software is unlocked with one "master" password, that is all you will need to remember to access the credentials stored in its database. Just make sure it’s something more complex than the name of your family pet.
2) Make sure you haven’t been hacked before
To check whether your email address has been compromised in a data breach, you can use the website haveibeenpwned.com. It’s a great resource that keeps a regularly updated record of data breaches around the world and can tell you if your accounts have been compromised.
If you register on the website, they will also send you an email as soon as you become a victim of a cyberattack, so you can change the relevant passwords to protect yourself.
3) Use multi-factor authentication
If a piece of software or a website gives you the chance of securing your account by enabling multi-factor authentication (MFA), take it!
With MFA, if you want to log in to your account you’ll need not just your username and password, but also at least one other piece of information, such as a code sent to your phone. This way, even if your username and password are compromised, an attacker would still not be able to access your account because they haven’t got your other credentials.
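To show what that extra "code on your phone" check actually looks like on the website's side, here is an added example (written for this post, not taken from any particular site or authenticator app) of the time-based one-time password scheme that authenticator apps use, implemented with Python's standard library. The shared secret is the published RFC 6238 test-vector secret, used here purely so the codes are verifiable; the replay tracking and the one-step tolerance window are design choices assumed for the example.

```python
"""Server-side verification of authenticator-app codes (TOTP, RFC 6238). Example code."""
import hmac
import hashlib
import struct
import time

# RFC 6238 test-vector secret, used only so the codes below are reproducible.
# A real site issues a fresh random secret per user when MFA is enrolled.
DEMO_SECRET = b"12345678901234567890"


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """HMAC-based one-time password (RFC 4226) for a given counter value."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(secret: bytes, for_time: float, step: int = 30, digits: int = 6) -> str:
    """The code an authenticator app shows at a given Unix time (30-second steps)."""
    return hotp(secret, int(for_time) // step, digits)


class TotpVerifier:
    """Checks submitted codes for one user and refuses to accept the same code twice.

    Even with stolen username and password, an attacker who does not hold the
    phone cannot produce the current code; the replay guard stops a code that
    was observed once (e.g. phished) from being reused within its window.
    """

    def __init__(self, secret: bytes, step: int = 30, window: int = 1):
        self.secret = secret
        self.step = step
        self.window = window          # accept +/- this many steps of clock drift
        self.last_counter = -1        # highest counter already accepted

    def verify(self, submitted: str, now: float) -> bool:
        counter = int(now) // self.step
        for drift in range(-self.window, self.window + 1):
            candidate = counter + drift
            if candidate <= self.last_counter:
                continue              # already used (or older): replay, reject
            expected = hotp(self.secret, candidate)
            # constant-time comparison so timing does not leak digit matches
            if hmac.compare_digest(expected, submitted):
                self.last_counter = candidate
                return True
        return False


if __name__ == "__main__":
    print("current code for the demo secret:", totp(DEMO_SECRET, time.time()))
```

The RFC's own vectors give 287082 at Unix time 59 and 081804 at 1111111109, so the `verify` method accepts those codes at those times, rejects them once the 30-second step has moved on past the drift window, and rejects a repeat of an already accepted code even while it is still "current".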
4) Delete your old accounts
Remember the Yahoo! data breach we mentioned earlier in this post? Chances are that if you heard of it in the news, you also remembered that at some point you did have an account with them that you haven’t used in ages. This is a perfect example of why you should always deactivate any account you are no longer using.
The more accounts you have open, the more you are exposed to risks, especially if your password-creation approach has been - how shall we put it? - neglectful.
While it may be difficult to recall all the accounts you have opened over the years, there are some tools out there to help you. The most useful is perhaps a website called Deseat.me. If you register using your Google credentials, you will be shown a list of all your accounts, so you can choose to delete the ones that are inactive or obsolete with just a couple of clicks.
A combination of these measures should go a long way toward protecting you from falling victim to a credential stuffing attack, or at least toward limiting the damage if you happen to be unlucky.
Cybercriminals are always looking for new ways to breach your security and are becoming increasingly inventive and sneaky.
If you’re concerned about credential stuffing, or any other cybersecurity threat, check out these articles for more ideas about how to avoid becoming a victim of hackers and how to avoid cybersecurity fatigue.