
What is a credential stuffing attack?

If you haven't already heard of credential stuffing, you probably will soon – it's becoming more and more of a threat to consumers and businesses alike. Credential stuffing is a devastating type of cyberattack that can be used to hijack accounts and steal personal information, and it's all done via automated login attempts injected into websites' sign-in forms.

However, while credential stuffing has some serious consequences and can seem tough to tackle, there are a few simple things you can do to ensure all of your accounts remain secure. Read on to find out!


Credential stuffing definition

Credential stuffing happens when a cybercriminal obtains a list of credentials, like email address and password combinations, from a data breach or via the dark web. They'll then use these stolen credentials to try to access accounts on other sites or apps through a massive process that automates the login attempts.

During this process, the credentials will be entered into various sites (or "stuffed" into them), in the hopes that the victims of the data breach have used the same email address and password to create other accounts across the web.

Obviously, that's a pretty frightening prospect. If a company suffers a data leak that your credentials are, unfortunately, a part of, an opportunistic cybercriminal could launch a credential stuffing attack and gain access to the bank account that you've secured with the same email address and password combination!

You may be imagining a cybercriminal hunched over a computer constantly copying and pasting your password into all those sites. But no, that's not actually how they do it; they use pretty standard automation tools to do it for them. These tools are effective, though, and they're only getting more and more sophisticated. It's now possible for cybercriminals to mask their stuffing attacks by making it seem as though all the login attempts are coming from different IP addresses and devices – this conceals the fact that there's actually one mastermind behind the requests, and makes them indistinguishable from the regular, legitimate, login traffic.

What's the difference between brute force and credential stuffing attacks?

Brute force and credential stuffing attacks are often spoken of within the same context, and they do have some similarities… but they're separate processes. A brute force attack will try to guess your password the hard way, without any clues, by using random sequences of characters and numbers or working from a list of frequently used phrases. These attacks can be deterred by CAPTCHAs and limited login attempts.

Credential stuffing, on the other hand, is harder to combat because the cybercriminal already knows your password.
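
The difference shows up clearly in a site's login logs. The following is an added example, not part of the original article: it classifies one-minute windows of constructed login events, and the thresholds and function names are assumptions made for illustration.

```python
from collections import Counter, defaultdict

# Thresholds are assumptions for this sketch; tune them against real traffic.
MAX_FAILS_PER_ACCOUNT = 5    # typical lockout or CAPTCHA trigger
MIN_ACCOUNTS_TARGETED = 20   # distinct usernames failing in one window
MIN_FAILURE_RATIO = 0.8      # share of failed logins in the window


def sample_log():
    """Constructed events (minute, source_ip, username, success); minute 0 is ordinary traffic."""
    events = [(0, "192.0.2.10", "dana", True), (0, "192.0.2.11", "eli", False)]
    # Minute 1: brute force, many guesses at one account from one address.
    events += [(1, "198.51.100.7", "alice", False)] * 12
    # Minute 2: stuffing, one leaked pair per account, a new address each time.
    events += [(2, f"203.0.113.{i}", f"user{i}", i == 17) for i in range(40)]
    return events


def classify_windows(events):
    """Return {minute: set of labels} from per-account and site-wide signals."""
    windows = defaultdict(list)
    for minute, _ip, user, ok in events:
        windows[minute].append((user, ok))
    verdicts = {}
    for minute, rows in sorted(windows.items()):
        fails = Counter(user for user, ok in rows if not ok)
        failure_ratio = sum(fails.values()) / len(rows)
        labels = set()
        # Brute force: one account absorbs many wrong passwords.
        if any(n > MAX_FAILS_PER_ACCOUNT for n in fails.values()):
            labels.add("brute_force")
        # Stuffing: many accounts fail once or twice; only the aggregate stands out.
        lightly_hit = sum(1 for n in fails.values() if n <= 2)
        if lightly_hit >= MIN_ACCOUNTS_TARGETED and failure_ratio >= MIN_FAILURE_RATIO:
            labels.add("credential_stuffing")
        verdicts[minute] = labels
    return verdicts


def max_attempts_per_key(events, minute):
    """Highest attempt count any single IP or username reaches in a window."""
    rows = [(ip, user) for m, ip, user, _ in events if m == minute]
    per_ip = Counter(ip for ip, _ in rows)
    per_user = Counter(user for _, user in rows)
    return max(per_ip.values()), max(per_user.values())


if __name__ == "__main__":
    print(classify_windows(sample_log()), max_attempts_per_key(sample_log(), 2))
```

In the stuffing window no single address or account is tried more than once, which is why per-IP and per-account limits alone do not trip.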


Credential stuffing consequences

So, if the aim of a credential stuffing attack is to gain access to consumer or business accounts via automated (and fraudulent) login attempts, what happens if it succeeds?

It'll largely depend on the cybercriminal's own goals and motivations, but we often see the following things happen during credential stuffing attacks:

  • Identity theft - armed with your password and email, a cybercriminal could pretend to be you and use your account however they please. They might gain access to an e-commerce store where they can buy themselves all kinds of things with your money and your financial details. They'll most likely resell these products, too, so it's massively lucrative for the identity thief. Alternatively, a cybercriminal with access to your social media accounts could impersonate and slander you, causing significant distress, particularly if they've breached a professional account, like LinkedIn. Check our guide on how to protect yourself against identity theft.
  • Data swiping - once a cybercriminal is in your account, they'll likely have access to other personal information belonging to you, like addresses, financial details, and phone numbers. This is all useful, and a cybercriminal can often monetize these findings or incorporate them into future phishing scams. It's also not unusual to see these thieves sell access to subscription-based sites like Netflix and Spotify for a discounted price. They'll have hijacked the account they're renting out during a credential stuffing attack, of course, so it's never worth the risk.
  • Bad business - we've talked about how credential stuffing attacks can affect the individual, but they can be just as devastating to businesses and corporations. A successful attack that grants access to an employee's corporate account can lead to chaos. The cybercriminal can sift through confidential data and personal details, which they could then sell for a profit or use to blackmail the company.

Credential stuffing attacks aren't always successful, however. It's estimated that their success rates are relatively low, in fact, but what makes them dangerous is the ease with which they can be launched, and the devastation they can cause if a cybercriminal does get into other accounts.

For consumers, their identities can be stolen and their data sold on to other shady characters, and businesses stand to lose masses of money – they could lose customers, suffer downtime, and end up paying for expensive security solutions to deter future attacks. In recent years, the customers of big names like Sony, Dropbox, OkCupid, and Dunkin' Donuts have been impacted by credential stuffing attacks.

How does credential stuffing happen?

If you're interested in learning about the steps a cybercriminal takes to launch and complete a credential stuffing attack, we've detailed them below:

  1. First, the cybercriminal has to acquire the credentials they'll use to conduct the attack. These often come from data breaches, but can also be purchased from the dark web or taken from password dump sites.
  2. They'll also need a bot that can automate the login process as well as spoof IP addresses to fool the sites into thinking it's a regular request.
  3. Then, the attack begins in earnest. The bot will run a check to see whether any of the password and email combinations can access additional accounts, and will check all sorts of sites – social media, banking and finance services, and e-commerce shops, for example.
  4. If the bot finds a match, the cybercriminal will be able to log in and hijack the account and all its data and personal details.
  5. The cybercriminal can then reap these details, like addresses, contact information, and potentially credit card and social security numbers, to do with as they please. This could lead to additional attacks, like phishing scams, or lucrative transactions where the cybercriminal sells the information, or makes purchases for themselves using someone else's money.

How to prevent credential stuffing

Credential stuffing attacks are bad news for pretty much everyone. Luckily, they have one major weakness – they can be prevented by simply changing up your passwords.

This might seem overly obvious, and you might wonder why such a common, dangerous cyberattack can be thwarted by such a straightforward measure, but we're all too fond of using the same password and email combination for just about every site we use and account we make.

This is a massive security risk, of course, but it continues to happen. Some people feel overwhelmed by the prospect of keeping track of dozens of individual passwords and are reluctant to invest in top password managers.

But a strong, unique password for each of your accounts is a great way to prevent successful credential stuffing attacks. If your details are leaked and acquired by a cybercriminal but you've got different passwords for different sites, they simply won't be able to hijack any of your other accounts because the passwords won't match!

Creating a secure password is pretty easy, too, and a lot of password managers will actually generate passwords for you with a click. Just be sure to include numbers and characters, non-dictionary terms, and nothing obvious, like a pet's name or a "clever" variation of the word password. "P@55w0rd" just won't cut it!
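
To check your own accounts against both points, reuse and "clever" variations, here is an added example that is not part of the original article. It audits a constructed password list; the site names, word list and character-swap table are assumptions made for illustration.

```python
from collections import defaultdict

# Constructed vault export: (site, email, password). All values are made up.
VAULT = [
    ("shop.example", "sam@example.com", "P@55w0rd"),
    ("bank.example", "sam@example.com", "P@55w0rd"),
    ("forum.example", "sam@example.com", "password1"),
    ("mail.example", "sam@example.com", "vK9#tq2Lm!xR8d"),
]

# Small illustrative word list; a real audit would use a far larger one.
COMMON_WORDS = {"password", "letmein", "qwerty", "dragon"}
# Character swaps people use for "clever" variations (assumed, not exhaustive).
LEET = str.maketrans("@4310!5$7", "aaeioisst")


def normalise(password):
    """Lower-case, drop trailing digits and punctuation, then undo common swaps."""
    stripped = password.lower().rstrip("0123456789!?.")
    return stripped.translate(LEET)


def blast_radius(vault):
    """For each site, list the other sites exposed if that site's data leaks."""
    by_pair = defaultdict(list)
    for site, email, password in vault:
        by_pair[(email.lower(), password)].append(site)
    return {site: sorted(s for s in by_pair[(email.lower(), password)] if s != site)
            for site, email, password in vault}


def weak_variants(vault):
    """Sites whose password reduces to a common word after normalisation."""
    return sorted(site for site, _, pw in vault if normalise(pw) in COMMON_WORDS)


if __name__ == "__main__":
    print(blast_radius(VAULT))
    print(weak_variants(VAULT))
```

An empty list in the first result means a leak at that site exposes no other account; any site in the second result needs a new password even if it is not reused.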

Additionally, we'd always suggest using two-factor authentication whenever you can. Some sites offer it, some don't, but it's an incredibly effective and simple way of securing your accounts. 2FA essentially requires you to provide extra evidence of your identity before you're given access to the site or app – you might be asked to confirm your identity via a companion app or input a single-use code that's been texted to you, for example. So, even if a credential stuffing cybercriminal had your password and email, they'd be unable to access an account secured by 2FA.

Final thoughts

Credential stuffing is a deceptively simple cyberattack that counts on users sticking to the same email address and password whenever they create an account. The results of credential stuffing can be massively impactful and hard to recover from, and it's a sophisticated process that takes advantage of data breaches, a growing wealth of credentials for sale on the dark web, and ever-improving automated processes.

We'll likely hear more about credential stuffing in the years to come, so long as people reuse details, but a strong, individual password is really all it takes to ensure that you're never affected by this particular cyberattack.

Written by: River Hart

Originally hailing from Wales, River Hart graduated from Manchester Metropolitan University with a 1:1 in Creative Writing, going on to work as an Editor across a number of trade magazines. As a professional writer, River has worked across both digital and print media, and is familiar with collating news pieces, in-depth reports and producing bylines for international publications. Otherwise, they can be found poring over a tarot deck or spending more hours than they'll ever admit playing Final Fantasy 14.

