What Is Credential Stuffing?
November 13, 2020 | Cyberattack, Cyber Security
Credential stuffing relies primarily on the reuse of the same usernames or account IDs across different online services.
It is one of the most common practices among cybercriminals. The hackers use credentials previously acquired in other third-party data breaches and run them against millions of other accounts and portals.
For example, suppose you use the same email address and password for different accounts, whether they are mobile apps like Uber, TikTok and Amazon or online applications like Evite, SurveyMonkey and others. If any of these portals is breached at any point, the hackers acquire your credentials and run them against other digital applications.
If you use the same credentials for more than one application, your exposure to credential stuffing cyberattacks increases substantially.
How Does Credential Stuffing Work?
Let’s understand credential stuffing in the world of Tom.
Recycle Login Credentials
Tom uses the same email address and password for his work email, Amazon account, banking, and CRA account.
Credential Compromised But Not Exploited Yet
Hypothetically, if Amazon gets hacked, Tom’s username and password for all five portals are compromised.
Compromised Credential Sold On The Dark Web
The stolen login credentials are sold on the dark web so that other hackers can put them to further use. Usually, the credentials are sold to a larger group of hackers.
Compromised Credential Bought By Multiple Sophisticated Hackers
Numerous fraudsters have access to Tom’s stolen information.
Hacker Successful At Using Compromised Credential On A Different Portal
Finally, multiple hackers try Tom’s stolen credentials on numerous other sites. When a login succeeds, Tom becomes a victim of a credential stuffing cyberattack, in which more than one of Tom's digital accounts is compromised.
How To Fight Credential Stuffing Cyberattack?
There are two things you can do to fight credential stuffing cyberattacks.
Use Unique Passwords
The best way to protect yourself against credential stuffing is to create a unique password for each of your digital accounts, both online and in mobile apps. Sensitive accounts like your bank account, work email account, main personal account, and CRA account should always have complex passwords that have never been used before. You must change these passwords every 90 days.
Use Multi-Factor Authentication (MFA)
Multi-factor authentication adds another layer of security to your credentials. Activate multi-factor authentication wherever possible. Here is a quick guide on how to activate MFA for your favourite apps.
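Tom's scenario and the two defences above can be checked against your own account list. The following is an added example, not part of the original article: it audits a constructed list of accounts for reused username/password pairs and reports which accounts a breach of one service would expose, separating those protected by MFA. The account data, field names and function names are assumptions made for illustration.

```python
import hashlib
import hmac
import secrets
from collections import defaultdict

# Constructed sample data modelled on Tom's accounts in the article.
ACCOUNTS = [
    {"service": "work-email", "user": "tom@example.com", "password": "Summer2020!", "mfa": True},
    {"service": "amazon", "user": "Tom@example.com", "password": "Summer2020!", "mfa": False},
    {"service": "bank", "user": "tom@example.com", "password": "Summer2020!", "mfa": False},
    {"service": "cra", "user": "tom@example.com", "password": "Summer2020!", "mfa": False},
    {"service": "forum", "user": "tom@example.com", "password": "x9$Lq-unique-7Tz", "mfa": False},
]

_KEY = secrets.token_bytes(32)  # per-run key: fingerprints are useless outside this process


def fingerprint(account):
    """Keyed hash of the (username, password) pair so plaintext is never a dict key or printed."""
    # Assumption: services treat usernames case-insensitively, as most do for email logins.
    pair = account["user"].strip().lower() + "\x00" + account["password"]
    return hmac.new(_KEY, pair.encode(), hashlib.sha256).hexdigest()


def reuse_groups(accounts):
    """Return lists of services that share one username/password pair."""
    groups = defaultdict(list)
    for acct in accounts:
        groups[fingerprint(acct)].append(acct["service"])
    return sorted(sorted(g) for g in groups.values() if len(g) > 1)


def blast_radius(accounts, breached_service):
    """Services reachable with the same credentials if `breached_service` leaks them."""
    leaked = {fingerprint(a) for a in accounts if a["service"] == breached_service}
    exposed = [a for a in accounts
               if a["service"] != breached_service and fingerprint(a) in leaked]
    return {
        "password_alone_is_enough": sorted(a["service"] for a in exposed if not a["mfa"]),
        "needs_second_factor": sorted(a["service"] for a in exposed if a["mfa"]),
    }


if __name__ == "__main__":
    print("Reused credential groups:", reuse_groups(ACCOUNTS))
    print("If amazon is breached:", blast_radius(ACCOUNTS, "amazon"))
```

Accounts listed under `password_alone_is_enough` are the ones to give a unique password and MFA first.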