Over time, credential stuffing has become increasingly common and has been the root cause behind 2.8 billion bot attacks since 2018. This means around 115 million login attempts are happening every single day to carry out destructive attacks like credential stuffing.
Security experts have always advocated the use of strong and complex passwords. Credential stuffing is one of the reasons behind it. It can result in security issues and can put you in unwanted situations.
What is Credential Stuffing?
Coming from the family of brute force attacks, credential stuffing involves the automated use of login credentials/passwords gathered from millions of users. A great amount of user data, along with a bottomless ocean of login credentials, gets leaked every year from corporate data breaches and exploits.
This data is used by cybercriminals to conduct a credential stuffing attack. They stuff the leaked usernames and passwords into an account login page (generally the “My Account” page on any financial or banking site) to find the correct login details and use them for illegal activities.
Let’s take an example for a better understanding.
Let’s consider that your name is Peter Mathews and you have an internet banking account and an account on your favorite online shopping site. The account details, including the username and the password, are the same for both accounts:
Username: Peterm
Password: Pet0erM0
Now imagine that the shopping website suffered a data breach and your login details are placed on the dark web for sale. Now, cybercriminals can use your login details on other websites using a brute force attack. Even though the hackers are not aware of which bank you are using, they will be able to find a match eventually.
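Seen from the login server, the attack described above has a recognisable shape: one source tries many different usernames, each only once or twice, and almost all attempts fail. The following is an added example, not part of the original article, that flags this pattern in constructed login events; the log format, thresholds and function name are assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Assumed thresholds for illustration; tune them against real traffic.
WINDOW = timedelta(minutes=5)
MIN_DISTINCT_USERS = 5   # distinct usernames failing from one source within WINDOW
MAX_TRIES_PER_USER = 3   # stuffing tries each leaked pair once or twice, not thousands of times

# Constructed sample events: "<ISO time> <source IP> <username> <OK|FAIL>"
SAMPLE_LOG = """\
2024-01-01T10:00:00 203.0.113.7 alice FAIL
2024-01-01T10:00:02 203.0.113.7 bob FAIL
2024-01-01T10:00:04 203.0.113.7 peterm OK
2024-01-01T10:00:06 203.0.113.7 carol FAIL
2024-01-01T10:00:08 203.0.113.7 dave FAIL
2024-01-01T10:00:10 203.0.113.7 erin FAIL
2024-01-01T10:01:00 198.51.100.20 frank FAIL
2024-01-01T10:01:05 198.51.100.20 frank FAIL
2024-01-01T10:01:10 198.51.100.20 frank FAIL
2024-01-01T10:01:15 198.51.100.20 frank FAIL
2024-01-01T10:02:00 192.0.2.10 grace FAIL
2024-01-01T10:02:30 192.0.2.10 grace OK
""".splitlines()

def find_stuffing_sources(lines):
    """Return {ip: {"failed_users": [...], "hit_users": [...]}} for stuffing-like sources."""
    by_ip = defaultdict(list)
    for line in lines:
        ts, ip, user, result = line.split()
        by_ip[ip].append((datetime.fromisoformat(ts), user, result == "OK"))
    flagged = {}
    for ip, events in by_ip.items():
        events.sort()
        start = 0
        for end in range(len(events)):
            # Shrink the window until it spans at most WINDOW of time.
            while events[end][0] - events[start][0] > WINDOW:
                start += 1
            fails = defaultdict(int)
            for _, user, ok in events[start:end + 1]:
                if not ok:
                    fails[user] += 1
            # Wide (many accounts) but shallow (few tries each) is the stuffing shape.
            if len(fails) >= MIN_DISTINCT_USERS and max(fails.values()) <= MAX_TRIES_PER_USER:
                # Any login that succeeded from this source is a likely reused password.
                hits = sorted({u for _, u, ok in events if ok})
                flagged[ip] = {"failed_users": sorted(fails), "hit_users": hits}
                break
    return flagged

if __name__ == "__main__":
    print(find_stuffing_sources(SAMPLE_LOG))
```

Accounts listed under `hit_users` are the ones to lock and reset first, since a successful login from a flagged source suggests the password was reused from a breached site.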
Recent Examples of Credential Stuffing Attacks
Here are some of the most well-known attacks.
- In 2019, Australian Federal Police arrested a man from Sydney on the charge of stealing and selling account details of around 1 million users of Hulu, Netflix, and Spotify.
- A similar attack was also suffered by State Farm, in 2019. A hacker was able to collect the usernames and passwords of the customer accounts of this US-based insurance giant.
How To Prevent A Credential Stuffing Attack?
There is no denying that preventing such attacks is next to impossible, but there are a few tips that you can follow to mitigate them in the best possible way.
- Use Multi-Factor Authentication: 2 Factor Authentication is essential for multi-layer protection. Gone are the days when keeping a password was enough to safeguard your account from hacking; now you need a robust encryption mechanism to protect your accounts and verify your identity.
- Block Bots: You can use Captcha and reCaptcha to protect your accounts against basic attacks. It offers a simple yet effective way to differentiate between bots and real users.
- Avoid using similar email addresses and usernames.
- If possible, use a passwordless way to secure your accounts. A lot of banks have started offering fingerprint password options.
- Use strong and complex passwords that are difficult to crack. As per security experts, a strong password should be a minimum of 8 characters, should include alphanumeric characters and numbers, and should never resemble your key personal details like name, DOB (date of birth), etc.
Credential Stuffing is gaining worldwide popularity for obvious reasons. Stay informed and protect yourself from being a victim.