Data breaches have been happening for so long, and so often lately, that people are almost tired of hearing about them. Breach fatigue aside, few realize the colossal impact that stolen credentials have.
It is easy to buy stolen login details on the dark web, and your credentials may already be out there without you knowing it. According to Google, breached credentials appear in over 1.5% of logins on the web.
Credential stuffing is what happens when an attacker takes username and password pairs stolen in one breach and tries them against the login pages of other services. It is one of the main ways stolen passwords get used, and for the attacker it is low risk and high reward.
Unfortunately, people don’t always recognize it for what it is. They blame the company whose site was broken into for not protecting its systems well enough. A lot of the time, though, it isn’t that organization’s fault. The real culprit is a reused password that was compromised in an earlier breach somewhere else.
Learn more about how credential stuffing works, and what you can do to tackle this growing problem.
The Massive Stuffing Problem
Massive corporate mega-breaches have turned credential stuffing into a severe threat. The problem has existed for some years: infamous data breaches such as the MySpace hack fed early credential stuffing campaigns. The threat has grown even more in the last few years, because the increase in mega-breaches has been followed by attackers aggregating their contents into combined credential collections.
These collections consist of details stolen in many different data breaches. The largest so far is known as Collection #1 – #5. These five lists contain around 2.2 billion unique stolen credentials. To put that into perspective, only about 4.48 billion people use the internet.
How Credential Stuffing Works
Credential stuffing is a profitable venture for attackers, and there are hundreds of malicious tools that help get the job done. The attack is brute force in the sense that it takes a very large number of login attempts to get into a handful of accounts. But it is far more successful than a classic brute-force attack that guesses passwords, because the attacker is not guessing: the list already contains real usernames paired with the passwords those users chose.
The goal is to take those credentials and test them on as many other websites and platforms as possible, on the assumption that many people reuse the same password across services. Of course, attackers use automated tools to do it. Nobody types the pairs in one by one; it would take forever to work through lists of that size.
A key part of a credential stuffing attack is making the login requests blend in with the noise of legitimate logins, because websites have detection logic that looks for exactly this kind of traffic.
So attackers find ways around it. For instance, credential stuffing campaigns route their requests through proxy servers so that the attempts appear to come from many different places, rather than one IP address making thousands of login attempts, which would arouse suspicion. These campaigns also vary other properties of each request, such as the browser user-agent string and device fingerprint, so the attempts look like they come from many different browsers and devices.
Once the attacker does get into an account, they work out how to profit from it. That can mean stealing more personal information, using the account for money laundering, or stealing stored credit card details.
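The two traffic shapes described above, a single source cycling through many identities and a proxy-rotated campaign where no single IP stands out, can be told apart from plain login logs. The following is an added example, not code from the article: it parses a constructed log format (one line per attempt with timestamp, source IP, username, result and user-agent; the format and all sample lines are assumptions made for this example) and applies two heuristics. The first flags a source IP that tries many different usernames and mostly fails; the second looks at the whole window, where a proxy-rotated attack still shows up as a failure ratio far above baseline combined with almost every attempt being for a different username, because each stolen pair is replayed once.

```python
"""Credential-stuffing heuristics over constructed login logs (added example).

Assumed log format (not from the article), one line per login attempt:
  <timestamp> ip=<addr> user=<name> result=OK|FAIL ua="<user agent>"
"""
import re
from collections import defaultdict
from dataclasses import dataclass

LOG_RE = re.compile(
    r'^(?P<ts>\S+) ip=(?P<ip>\S+) user=(?P<user>\S+) '
    r'result=(?P<result>OK|FAIL) ua="(?P<ua>[^"]*)"$'
)


@dataclass
class Attempt:
    ts: str
    ip: str
    user: str
    ok: bool
    ua: str


def parse(lines):
    """Parse log lines into Attempt records; lines that do not match are skipped."""
    out = []
    for line in lines:
        m = LOG_RE.match(line.strip())
        if m:
            out.append(Attempt(m["ts"], m["ip"], m["user"], m["result"] == "OK", m["ua"]))
    return out


def per_ip_stats(attempts):
    """Per source IP: attempt count, failures, distinct usernames, distinct user agents."""
    stats = defaultdict(lambda: {"total": 0, "fails": 0, "users": set(), "uas": set()})
    for a in attempts:
        s = stats[a.ip]
        s["total"] += 1
        s["fails"] += 0 if a.ok else 1
        s["users"].add(a.user)
        s["uas"].add(a.ua)
    return stats


def flag_noisy_ips(attempts, min_users=5, min_fail_ratio=0.8):
    """Single-source stuffing: one IP cycling through many identities, mostly failing."""
    flagged = []
    for ip, s in per_ip_stats(attempts).items():
        if len(s["users"]) >= min_users and s["fails"] / s["total"] >= min_fail_ratio:
            flagged.append(ip)
    return sorted(flagged)


def window_profile(attempts):
    """Shape of a whole time window: failure ratio and how spread out the identities are."""
    total = len(attempts)
    fails = sum(1 for a in attempts if not a.ok)
    return {
        "total": total,
        "fail_ratio": fails / total if total else 0.0,
        # close to 1.0 means nearly every attempt targets a different username
        "user_spread": len({a.user for a in attempts}) / total if total else 0.0,
        "ips": len({a.ip for a in attempts}),
    }


def is_distributed_stuffing(attempts, baseline_fail_ratio=0.15, min_attempts=20, min_user_spread=0.8):
    """Proxy-rotated stuffing: no single IP is noisy, but the window as a whole fails far
    more often than the baseline and almost every attempt is for a different username."""
    p = window_profile(attempts)
    return (p["total"] >= min_attempts
            and p["fail_ratio"] >= 3 * baseline_fail_ratio
            and p["user_spread"] >= min_user_spread)


# --- constructed sample data (not real traffic) ---------------------------------
UAS = [  # user-agent strings the attacker rotates through
    "Mozilla/5.0 (Windows NT 10.0; Win64; x64) Chrome/120.0",
    "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15) Safari/605.1.15",
    "Mozilla/5.0 (X11; Linux x86_64) Firefox/121.0",
    "Mozilla/5.0 (iPhone; CPU iPhone OS 17_0) Mobile/15E148",
]


def _line(ts, ip, user, ok, ua):
    return f'{ts} ip={ip} user={user} result={"OK" if ok else "FAIL"} ua="{ua}"'


# normal traffic: real users on their own devices, one mistyped password
LEGIT = [
    _line("2024-03-01T09:00:01Z", "192.0.2.10", "alice", True, UAS[0]),
    _line("2024-03-01T09:00:05Z", "192.0.2.11", "bob", True, UAS[1]),
    _line("2024-03-01T09:00:09Z", "192.0.2.12", "carol", False, UAS[2]),
    _line("2024-03-01T09:00:15Z", "192.0.2.12", "carol", True, UAS[2]),
    _line("2024-03-01T09:00:20Z", "192.0.2.13", "dave", True, UAS[3]),
    _line("2024-03-01T09:00:31Z", "192.0.2.10", "alice", True, UAS[0]),
]
# one IP replaying eight stolen pairs with rotating user agents; one pair still works
SINGLE_SOURCE = LEGIT + [
    _line(f"2024-03-01T09:01:{i:02d}Z", "203.0.113.5", f"victim{i:02d}", i == 3, UAS[i % 4])
    for i in range(8)
]
# the same list spread over 15 proxy IPs, two attempts each, so no IP looks noisy
DISTRIBUTED = LEGIT + [
    _line(f"2024-03-01T09:02:{i:02d}Z", f"198.51.100.{i // 2 + 1}", f"target{i:02d}", False, UAS[i % 4])
    for i in range(30)
]

if __name__ == "__main__":
    for name, window in [("legit", LEGIT), ("single-source", SINGLE_SOURCE), ("distributed", DISTRIBUTED)]:
        a = parse(window)
        print(name, flag_noisy_ips(a), is_distributed_stuffing(a), window_profile(a))
```

Note the asymmetry the proxies create: in the distributed window `flag_noisy_ips` finds nothing, because every proxy IP makes only two attempts, while the window-level check still fires. Thresholds here are illustrative; in production the baseline failure ratio and identity spread should be learned from the site's own normal traffic.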
Getting Stuff Secure Again
Securing online accounts still comes down to having a strong password, and using a unique password for every account remains the best defense against credential stuffing: a stolen password that only ever worked on one site is useless everywhere else.
Remembering a long list of unique passwords is a challenge for most people, though. If that is a problem, a password manager can help. Choose one that protects its vault with a well-regarded cipher, such as XChaCha20.
Another password security must-have is two-factor authentication (2FA). You can enable 2FA on most online accounts and apps these days, and some authenticator apps can add it to accounts that don’t offer it by default. It keeps an account safe even if the login details themselves have been compromised, because the stolen password alone is no longer enough.
Beyond those two things, never share a password with anyone, and don’t leave it written down where others can find it.
The rest is up to companies. They need to improve their security so that data breaches don’t happen in the first place, and they need to detect and block stuffing attempts against their own login pages. Along with everyone giving up password reuse, that is the only way credential stuffing becomes useless in the long run.
Credential stuffing is a huge problem for the online community, and only a community-wide effort can solve it. The key lies in creating awareness around this popular attack method and what people can do to keep themselves safe.
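One thing companies can do on their side, which goes a step beyond the advice above, is to refuse passwords that already appear in known breaches, so a reused breached password cannot be set in the first place. The following is an added example, not code from the article or from any product it mentions. It follows the k-anonymity range pattern used by Have I Been Pwned’s Pwned Passwords API: the server hashes the candidate password with SHA-1, sends only the first five hex characters of the digest to the range source, and matches the remaining 35 characters locally against the returned `SUFFIX:COUNT` lines, so the full hash never leaves the server. The range source here is a constructed in-memory stand-in with made-up counts, and the length policy is an assumption for this example.

```python
"""Breached-password screening with the k-anonymity range pattern (added example).

The range source below is a constructed stand-in for a network call to a
breached-password service; its suffix counts are made up for the example.
"""
import hashlib


def sha1_hex(password: str) -> str:
    """Uppercase hex SHA-1 of the password, the digest form range services key on."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest().upper()


def split_hash(digest_hex: str):
    """k-anonymity split: 5-char prefix is sent out, 35-char suffix stays local."""
    return digest_hex[:5], digest_hex[5:]


def parse_range(text: str) -> dict:
    """Parse 'SUFFIX:COUNT' lines into {suffix: count}; tolerates CRLF and blank lines."""
    out = {}
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        suffix, _, count = line.partition(":")
        out[suffix.upper()] = int(count)
    return out


# Constructed range response for prefix 5BAA6 (SHA-1("password") begins with 5BAA6).
# A real service returns hundreds of suffixes per prefix; the counts here are invented.
CONSTRUCTED_RANGES = {
    "5BAA6": "\r\n".join([
        "1E4C9B93F3F0682250B6CF8331B7EE68FD8:1000000",   # suffix of SHA-1("password")
        "ABCDEF0123456789ABCDEF0123456789ABC:2",         # constructed filler
        "0123456789ABCDEF0123456789ABCDEF012:1",         # constructed filler
    ]),
}


def lookup_range(prefix: str) -> str:
    """Stand-in for the network call; empty response for prefixes we have no data for."""
    return CONSTRUCTED_RANGES.get(prefix.upper(), "")


def breach_count(password: str, range_source=lookup_range) -> int:
    """How many times the password's hash appears in the range for its prefix (0 = unseen)."""
    prefix, suffix = split_hash(sha1_hex(password))
    return parse_range(range_source(prefix)).get(suffix, 0)


def acceptable_password(password: str, min_length: int = 12, range_source=lookup_range):
    """Assumed policy: long enough, and never seen in a known breach."""
    if len(password) < min_length:
        return False, "too short"
    n = breach_count(password, range_source)
    if n:
        return False, f"seen in {n} breached records"
    return True, "ok"


if __name__ == "__main__":
    for candidate in ["password", "passwordpassword", "correct horse battery staple"]:
        print(repr(candidate), acceptable_password(candidate, min_length=8))
```

The same `breach_count` check is what a user-side tool does when it warns that a saved password has shown up in a breach; the only difference is which side of the login form runs it. Hash comparison is done on the suffix map rather than the raw text so that a range response with different casing or line endings still matches.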