What Is a Credential Stuffing Attack and How to Protect Yourself from One
Quote:

You have probably heard of at least one credential stuffing attack lately, as major companies become targets of this new hacking technique. Credential stuffing is not actually new as part of hackers’ repertoire, but lately, the method has started being employed more often. I’ll explain the reasons for this surge in popularity down below.

Have you noticed those news stories where users report their accounts being hacked, but the companies hosting those accounts insist that nothing is wrong? In all of these cases when companies seem to be unaware of the data breach, the culprit is most likely a credential stuffing attack. If hackers are mimicking the users’ identities, it’s hard for the system admins to notice the attack until it’s too late.

Since many of you emailed us inquiring about credential stuffing, we’ve put together this protection guide on everything you need to know about these attacks and how to better secure your sensitive data.

Read more details on this cyber attack below and apply our actionable security measures that will help you avoid becoming an easy target for cybercriminals.

What Is Credential Stuffing?

In every major data breach, when hackers successfully break into the systems of a major company, they gain access to a database of user and password combinations. Some of these login credentials are then published for the entire world to see, like in the RockYou data breach of 2009, which published over 30 million records for the world to see.

Other times, these sensitive data (the credentials for logging in) are obtained not by breaking into a company’s systems, but through phishing attacks. Regardless of how exactly the data is obtained, credential stuffing refers to the hacker’s attempts at taking the accounts and passwords already exposed and trying to use them in order to log in to other websites.

The act of attempting to log in with such a large number of stolen credentials against other websites is best described as trying to stuff them everywhere, hence the name of this hacking technique.

The attackers’ premise turns out to be correct: Internet users continue to (re)use the same passwords for multiple accounts over and over, and they don’t develop strong password hygiene. This makes it easier for malicious actors to gain unauthorized access to important accounts after cracking open a less important one (like a loyalty program for yogurt or something equally nonconsequential). In the end, like in most other hacking attacks, the attackers can steal your money or your identity.

Since the last months of 2018, credential stuffing attacks made the headlines time and time again. The first months of 2019 showed no halt to the spread of these cyber threats.

On one hand, the tools which hackers need for this kind of attack have become better and cheaper to use. On the other hand, conducting other kinds of attacks has become more labor-intensive and costly for hackers.
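
As an added illustration (not part of the quoted article), here is one way a site operator can surface the pattern described above in login logs: a single source trying many different accounts with few successes. The log format, thresholds and function names are assumptions, and the sample events are constructed.

```python
from collections import defaultdict
from datetime import datetime, timedelta

def build_sample():
    """Constructed log lines: 'timestamp ip username OK|FAIL' (RFC 5737 test IPs)."""
    t0, lines = datetime(2019, 3, 1, 10, 0, 0), []
    def add(offset, ip, user, result):
        lines.append(f"{(t0 + timedelta(seconds=offset)).isoformat()} {ip} {user} {result}")
    for i in range(30):   # one source, 30 different accounts, one guess each
        add(2 * i, "203.0.113.7", f"user{i:02d}", "OK" if i == 5 else "FAIL")
    for i in range(25):   # shared office address: many accounts, all succeed
        add(5 * i, "192.0.2.50", f"staff{i:02d}", "OK")
    for i, result in enumerate(["FAIL", "FAIL", "FAIL", "OK"]):  # one forgetful user
        add(20 * i, "198.51.100.20", "bob", result)
    return lines

def parse(lines):
    for line in lines:
        ts, ip, user, result = line.split()
        yield datetime.fromisoformat(ts), ip, user, result == "OK"

def flag_stuffing(lines, window=timedelta(minutes=10), min_users=20, max_success=0.10):
    """Return {ip: (distinct_users, success_rate)} for the first window per source
    in which many different accounts were tried and few logins succeeded."""
    by_ip = defaultdict(list)
    for ts, ip, user, ok in parse(lines):
        by_ip[ip].append((ts, user, ok))
    flagged = {}
    for ip, events in by_ip.items():
        events.sort()
        start = 0
        for end in range(len(events)):
            while events[end][0] - events[start][0] > window:
                start += 1                      # slide the window forward
            span = events[start:end + 1]
            users = {user for _, user, _ in span}
            rate = sum(ok for _, _, ok in span) / len(span)
            if len(users) >= min_users and rate <= max_success:
                flagged[ip] = (len(users), round(rate, 2))
                break
    return flagged

if __name__ == "__main__":
    for ip, (users, rate) in flag_stuffing(build_sample()).items():
        print(f"{ip}: {users} distinct accounts tried, {rate:.0%} succeeded")
```

Attempts spread across many source addresses stay under a per-address threshold, so this is one signal to combine with others rather than a complete detector.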