Although it’s been around since at least 2014, credential stuffing is hitting the headlines increasingly frequently these days. A variation of a brute force attack, this cyber-threat is often financially motivated, although it can also form part of bigger hacks, scams or phishing attacks.
So, what exactly is credential stuffing, why is it becoming more common and how can you protect yourself, your employees and your business against it?
Credential stuffing relies on perseverance. It’s a type of brute force attack, but rather than trying to guess usernames and passwords to gain access to an account, stolen credentials are used. In the world of cybercriminals, credentials are currency – lists of credentials are traded on the black market. When one data breach occurs, another isn’t far behind.
Once attackers get their hands on a set of breached credentials, they can use the list of known usernames, email addresses and passwords to attempt to log into other online accounts or services. By using web automation tools, it’s possible to attempt to log into accounts using very large volumes of exposed credentials. It’s a numbers game, but an uncomplicated and easy route, even for a novice hacker.
Once they gain access to your account, cybercriminals can cause any amount of havoc. Whether it’s your bank account, social media or your business’ CMS, there’s profit to be made. Often, credential stuffing will gain hackers access to a system that allows them to cause a further data breach, perpetuating the problem and explaining the prolific nature of this type of attack.
Whether records are exposed by a hack or accidental leak, credential stuffing is only a viable attack vector because so many of us fail to exercise password best practice. This method of attack relies wholly on people using the same login credentials across multiple accounts. Hackers assume that your email address and password for one account can be used to log in somewhere else and, with the help of bots, they can quickly and easily scan the web to try their luck.
And they’re not wrong – 65% of people use the same password across multiple or all accounts. Combined with the fact that almost 40% of people never update their passwords, it’s unsurprising that credential stuffing is on the rise.
According to Verizon’s 2020 Data Breach Investigations Report, 37% of all breaches last year either used, or stole, credentials. Brute force attacks in general, including credential stuffing, are becoming more popular amongst cybercriminals, accounting for 80% of all hacks. And, when it comes to the cloud, 77% of breaches involve breached credentials.
The success of credential stuffing relies on hackers being able to get hold of extensive lists of user data – but this is more readily available than you may realise. In 2019, 2.2 billion leaked records, referred to as Collection #1-5, became one of the biggest ever collections of breached data. These found their way onto the black market and were passed around from hacker to hacker. It’s impossible to know how many subsequent data breaches may have been caused by a successful hack from this credential list.
The problem stretches further than our own personal accounts, however. 73% of people use the same passwords across personal and work accounts, meaning your business could be at risk as a result of an oversight on the part of your employees. Imagine the damage that could be done if a hacker is able to access a privileged user account on your databases, CMS or other systems.
The best form of defence is to make sure you choose strong passwords, update your passwords regularly and, most importantly, use a unique password for each of your accounts. Ensure your employees understand the importance of keeping their business accounts secure with regular staff training.
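Alongside password hygiene, the automated pattern described above is visible in your own login logs: one source trying many different accounts, most of them failing. The following is an added example (not from the original post or UKFast) that flags such sources; the log format and the sample lines are constructed for illustration.

```python
import re
from collections import defaultdict

# Constructed sample authentication log (not from the original post).
SAMPLE_LOG = """\
2020-11-03T10:00:01 login FAIL user=alice@example.com src=203.0.113.7
2020-11-03T10:00:02 login FAIL user=bob@example.com src=203.0.113.7
2020-11-03T10:00:02 login OK user=carol@example.com src=203.0.113.7
2020-11-03T10:00:03 login FAIL user=dave@example.com src=203.0.113.7
2020-11-03T10:00:03 login FAIL user=erin@example.com src=203.0.113.7
2020-11-03T10:00:04 login FAIL user=frank@example.com src=203.0.113.7
2020-11-03T10:05:10 login FAIL user=dave@example.com src=198.51.100.9
2020-11-03T10:05:20 login FAIL user=dave@example.com src=198.51.100.9
2020-11-03T10:05:31 login FAIL user=dave@example.com src=198.51.100.9
2020-11-03T10:07:00 login OK user=alice@example.com src=192.0.2.5
"""

LINE_RE = re.compile(r"login (?P<result>OK|FAIL) user=(?P<user>\S+) src=(?P<src>\S+)")

def parse_events(log_text):
    """Yield {result, user, src} dicts for each line matching the assumed log format."""
    for line in log_text.splitlines():
        m = LINE_RE.search(line)
        if m:
            yield m.groupdict()

def detect_credential_stuffing(log_text, min_attempts=5, min_distinct_users=4):
    """Flag sources whose failed logins are spread across many distinct accounts.

    A user mistyping a password fails repeatedly against ONE account (198.51.100.9
    above) and is not flagged; stuffing a breached list fails against MANY accounts
    from one source. Successes from a flagged source are reported too: those
    accounts most likely had reused credentials and need a forced password reset.
    """
    fails, successes = defaultdict(list), defaultdict(set)
    for ev in parse_events(log_text):
        if ev["result"] == "FAIL":
            fails[ev["src"]].append(ev["user"])
        else:
            successes[ev["src"]].add(ev["user"])
    alerts = {}
    for src, users in fails.items():
        if len(users) >= min_attempts and len(set(users)) >= min_distinct_users:
            alerts[src] = {
                "failed_attempts": len(users),
                "distinct_accounts": len(set(users)),
                "compromised_logins": sorted(successes[src]),
            }
    return alerts
```

Calling `detect_credential_stuffing(SAMPLE_LOG)` flags only 203.0.113.7, with carol@example.com listed as the account whose reused credentials let the attacker in; the thresholds are starting points to tune against your own traffic.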
In 2020 businesses have faced an unprecedented volume of increasingly sophisticated cyber-attacks. Step up your security with Threat Vision from UKFast, robust, intelligent threat detection and response.