What is a credential stuffing attack?

A credential stuffing attack is one of the most effective ways to hijack accounts. Here's how it works and what you should do to protect your company.

Millions of accounts fall victim to credential stuffing attacks every year. The practice has become so widespread that in 2022, one authentication provider reported an average of one credential stuffing attempt for every two legitimate account logins. It is unlikely that the situation has improved in the two years since. In this post, we discuss in detail how credential stuffing works, what data attackers use, and how you can protect your organization's resources from such attacks.

How credential stuffing attacks work

Credential stuffing is one of the most effective ways to compromise user accounts. Attackers take vast databases of usernames and passwords already obtained from accounts registered on various platforms and test these credentials en masse against other online services, hoping that some of them still work.

This attack exploits the unfortunate habit many people have of using the same password for multiple services, sometimes relying on a single password for everything. As a result, attackers inevitably hijack some accounts using passwords that the victims also used on other platforms.

Where do these databases come from? There are three main sources:

Passwords stolen by mass phishing campaigns and phishing sites.
Passwords intercepted by malware specifically designed to steal credentials, known as stealers.
Passwords leaked through breaches of online services.
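The pattern described above is also what makes the attack visible in authentication logs: a stuffing source tries many different usernames roughly once each and fails most of the time, whereas a password brute-force source hammers a single account, and a legitimate user produces a handful of attempts. The following detector is an added example written for this post, not code from the original article. The log format (`timestamp ip=… user=… result=ok|fail`), the threshold values and the sample log are all constructed assumptions.

```python
"""Flag credential-stuffing and brute-force sources in authentication logs.

Added example. Log format, thresholds and sample data are constructed for
illustration and are not taken from any real product or incident.
"""
import re
from collections import defaultdict
from dataclasses import dataclass, field

# Assumed log line shape: "2024-05-01T10:00:01Z ip=203.0.113.7 user=alice result=fail"
LOG_RE = re.compile(
    r"^(?P<ts>\S+) ip=(?P<ip>\S+) user=(?P<user>\S+) result=(?P<result>ok|fail)$"
)


@dataclass
class SourceStats:
    attempts: int = 0
    failures: int = 0
    users: set = field(default_factory=set)        # distinct accounts tried
    compromised: set = field(default_factory=set)  # accounts with a successful login


def parse(lines):
    """Yield parsed events; lines that do not match the expected format are skipped."""
    for line in lines:
        m = LOG_RE.match(line.strip())
        if m:
            yield m.groupdict()


def summarize(lines):
    """Aggregate attempts, failures and distinct usernames per source IP."""
    stats = defaultdict(SourceStats)
    for ev in parse(lines):
        s = stats[ev["ip"]]
        s.attempts += 1
        s.users.add(ev["user"])
        if ev["result"] == "fail":
            s.failures += 1
        else:
            s.compromised.add(ev["user"])
    return stats


def classify(s, min_attempts=10):
    """Label one source as normal, credential_stuffing or brute_force.

    The distinguishing signal is the ratio of distinct usernames to attempts:
    stuffing spreads across many accounts (one leaked pair per account), brute
    force concentrates on one. Both are dominated by failures.
    """
    if s.attempts < min_attempts:
        return "normal"
    spread = len(s.users) / s.attempts   # fraction of attempts hitting a new account
    fail_rate = s.failures / s.attempts
    if spread >= 0.8 and fail_rate >= 0.9:
        return "credential_stuffing"
    if spread <= 0.2 and fail_rate >= 0.9:
        return "brute_force"
    return "normal"


def detect(lines, min_attempts=10):
    """Map each source IP in the log to its classification."""
    return {ip: classify(s, min_attempts) for ip, s in summarize(lines).items()}


def compromised_accounts(lines, min_attempts=10):
    """Accounts that logged in successfully from a credential-stuffing source.

    These are the accounts whose leaked password still works and that need a
    forced reset and a 2FA enrolment.
    """
    hits = set()
    for s in summarize(lines).values():
        if classify(s, min_attempts) == "credential_stuffing":
            hits |= s.compromised
    return sorted(hits)


def sample_log():
    """Constructed auth log: one stuffing source, one brute-force source, one normal user."""
    lines = []
    # Credential stuffing: 40 leaked username/password pairs tried once each; two still valid.
    for i in range(40):
        result = "ok" if i in (12, 33) else "fail"
        lines.append(f"2024-05-01T10:00:{i % 60:02d}Z ip=203.0.113.7 user=user{i:03d} result={result}")
    # Brute force: 30 password guesses against a single account.
    for i in range(30):
        lines.append(f"2024-05-01T10:01:{i:02d}Z ip=198.51.100.23 user=admin result=fail")
    # Legitimate user: one typo, then two successful logins.
    lines += [
        "2024-05-01T10:02:00Z ip=192.0.2.10 user=alice result=fail",
        "2024-05-01T10:02:05Z ip=192.0.2.10 user=alice result=ok",
        "2024-05-01T11:30:00Z ip=192.0.2.10 user=alice result=ok",
    ]
    return lines


if __name__ == "__main__":
    log = sample_log()
    for ip, label in detect(log).items():
        print(f"{ip:16} {label}")
    print("accounts to reset:", compromised_accounts(log))
```

Two caveats a practitioner should keep in mind. First, the per-IP view above is the easiest one to evade: real campaigns are run through residential proxy networks that spread the attempts over thousands of addresses, so the same ratios should also be computed per ASN, per user-agent string, and for the whole login endpoint in a time window (the "one stuffing attempt per two legitimate logins" figure quoted above is exactly that fleet-wide signal). Second, the successful logins are the part that matters: a stuffing run that is detected but whose successes are not acted on has still compromised those accounts.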

Protecting against credential stuffing attacks

To protect your organization’s resources from credential stuffing attacks, we recommend implementing the following security measures:

Educate your employees on cybersecurity best practices, emphasizing the dangers of password reuse.
Develop and enforce a sensible password policy.
Encourage the use of password managers to generate and store strong, unique passwords. Many password managers also monitor data breaches and recommend a change when a stored password turns up in a known leaked database.
Finally, mandate the use of two-factor authentication wherever possible. This is the most effective way to protect against not only credential stuffing but also other account takeover attacks.

Also, apply the principle of least privilege to limit the damage from a credential stuffing attack that does succeed, and of course use reliable security software on all corporate devices.
