Last updated on March 26, 2024
What is credential stuffing and how to stop it?
Credential stuffing is a type of cyberattack in which attackers use stolen usernames and passwords from one website to try to log in to other websites. This attack relies on the fact that many people reuse the same passwords across multiple online accounts. Credential stuffing can result in account takeover, identity theft, fraud, and other damages.
In this article, you will learn:
- How credential stuffing works
- The impacts and risks of credential stuffing
- How to prevent credential stuffing attacks
- How to detect and respond to credential stuffing attacks
How Does Credential Stuffing Work
Credential stuffing works by using automated tools or bots to test large numbers of stolen credentials against various websites. The attackers obtain these credentials from data breaches, phishing campaigns, password dump sites, or other sources. The attackers then use these credentials to try to access accounts on different websites, such as social media platforms, online marketplaces, or web applications.
If the login attempt is successful, the attacker gains access to the user’s account. The attacker can then perform malicious actions with the account, such as:
- Stealing personal or financial information
- Making fraudulent purchases or transactions
- Sending spam or phishing messages
- Selling or sharing the valid credentials with other attackers
Credential Stuffing vs. Brute Force Attacks
Credential stuffing is a specific type of brute force attack that uses known, valid credentials that have been previously exposed or compromised. Unlike traditional brute force attacks, which attempt to guess passwords by trying many combinations, credential stuffing attacks automate logins using username/password pairs that have previously leaked.
Credential Stuffing vs. Password Spraying
Credential stuffing is also different from password spraying. Password spraying tries to log in to multiple accounts using a common password (such as “123456” or “password”). In contrast, credential stuffing uses credentials that are known to be valid for some accounts, rather than randomly guessing passwords.
What Are the Impacts and Risks of Credential Stuffing
Credential stuffing can have serious impacts and risks for both users and organizations. For users, credential stuffing can lead to:
- Loss of privacy and security
- Identity theft and fraud
- Financial losses and damages
- Reputation harm and legal issues
For organizations, credential stuffing can lead to:
- Loss of customer trust and loyalty
- Damage to brand reputation and image
- Legal liabilities and compliance violations
- Increased operational costs and resources
Credential stuffing can also affect the performance and availability of websites and applications, as the large volume of login attempts can overload the servers and cause slowdowns or crashes.
According to some estimates, credential stuffing accounts for up to 80% of all login attempts on some websites. Credential stuffing also costs businesses billions of dollars every year in losses and damages.
Examples of Credential Stuffing Attacks
- In 2016, hackers used credential stuffing to access over 500 million Yahoo accounts and steal personal information
- In 2018, hackers used credential stuffing to access over 100 million Quora accounts and steal user data
- In 2019, hackers used credential stuffing to access over 4 million DoorDash accounts and steal customer information
- In 2020, hackers used credential stuffing to access over 300,000 Spotify accounts and stream music without permission
- In 2022, hackers used credential stuffing to compromise roughly 200,000 North Face accounts
- In 2022, hackers used credential stuffing to access over 1.1 million accounts of various online retail, food, and delivery businesses in New York
How to Detect Credential Stuffing Attacks
Before you can stop a credential stuffing attack, you have to detect it. Some signs that indicate a possible credential stuffing attack include:
- Receiving unexpected login alerts or notifications from websites or apps
- Seeing unusual activity or changes in your online accounts (such as purchases, messages, or settings)
- Receiving emails or messages from websites or apps asking you to reset your password or verify your identity
- Experiencing slow or interrupted access to websites or apps due to high traffic
I Was a Victim of a Credential Stuffing Attack: What to Do?
If you suspect you are a victim of a credential stuffing attack, you should:
- Change your password immediately for the affected account and any other account that uses the same password
- Enable Multi-Factor Authentication (MFA) for the affected account and any other account that supports it
- Investigate the source and scope of the attack and take appropriate actions (such as notifying authorities, disclosing breaches, etc.)
- Check your account activity and transactions for any unauthorized or suspicious actions
- Contact the website or app support team and report the incident
- Monitor your credit reports and bank statements for any signs of identity theft or fraud
How to Prevent Credential Stuffing Attacks
If your organization operates a website or app that could be targeted by credential stuffing, take the following steps to stop such attacks:
- Enable company-wide Multi-Factor Authentication (MFA) for all users
- Encourage the use of random and unique passwords for each online account. This way, even if one account is compromised, the other accounts will remain safe
- Use a password manager. It can be very helpful in managing multiple complex passwords. Password managers not only help in storing passwords but can also generate strong, random passwords, further enhancing the security of online accounts
- Implement security measures such as CAPTCHA, rate limiting, IP blocking, device fingerprinting, etc. to prevent automated login attempts
- Monitor your login traffic and analytics for any spikes or anomalies that indicate a possible attack
- Review your security policies and practices regularly and update them as needed
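As an added example (not from the article and not Rublon's code), a small log analyser that applies the monitoring advice above to constructed login records: it groups attempts by source address, separates the one-try-per-account pattern of a replayed credential list from the single-account pattern of traditional brute force, and lists the accounts a burst entered successfully so they can be reset and have their sessions revoked. The log format, the thresholds and the sample lines are assumptions.

```python
import re
from collections import defaultdict

# Constructed log format (an assumption, not any real product's format):
#   "<timestamp> login result=<ok|fail> user=<name> ip=<address>"
LINE = re.compile(r"^(\S+) login result=(ok|fail) user=(\S+) ip=(\S+)$")

def parse(lines):
    """Turn matching log lines into event dicts; non-matching lines are skipped."""
    matches = (LINE.match(line.strip()) for line in lines)
    return [{"ts": m[1], "ok": m[2] == "ok", "user": m[3], "ip": m[4]} for m in matches if m]

def classify(events, min_attempts=4, spread=0.8):
    """Label each busy source IP's login pattern and list the accounts it entered
    successfully (candidates for session revocation and a forced password reset).
    Thresholds are assumptions to tune against local traffic."""
    by_ip = defaultdict(list)
    for e in events:
        by_ip[e["ip"]].append(e)
    findings = {}
    for ip, evs in by_ip.items():
        if len(evs) < min_attempts:
            continue                       # too little traffic to judge
        distinct = len({e["user"] for e in evs})
        hits = sorted({e["user"] for e in evs if e["ok"]})
        if distinct / len(evs) >= spread:
            # About one try per account across many accounts: a credential list is
            # being replayed. Stuffing and spraying look alike here; every success
            # is an account whose password was reused or weak.
            label = "credential_list"
        else:
            label = "brute_force" if distinct == 1 else "mixed"
        findings[ip] = {"label": label, "attempts": len(evs),
                        "accounts": distinct, "compromised": hits}
    return findings

# Constructed sample: a replayed list with one hit, a brute-force run, a normal user.
SAMPLE_LOG = [
    "2024-03-26T10:00:01Z login result=fail user=alice ip=203.0.113.7",
    "2024-03-26T10:00:02Z login result=fail user=bob ip=203.0.113.7",
    "2024-03-26T10:00:03Z login result=ok user=carol ip=203.0.113.7",
    "2024-03-26T10:00:04Z login result=fail user=dave ip=203.0.113.7",
    "2024-03-26T10:01:00Z login result=fail user=bob ip=198.51.100.4",
    "2024-03-26T10:01:01Z login result=fail user=bob ip=198.51.100.4",
    "2024-03-26T10:01:02Z login result=fail user=bob ip=198.51.100.4",
    "2024-03-26T10:01:03Z login result=fail user=bob ip=198.51.100.4",
    "2024-03-26T10:02:00Z login result=ok user=alice ip=192.0.2.10",
]
```

In practice the findings feed the controls listed above: a source labelled credential_list or brute_force is a candidate for rate limiting or a CAPTCHA challenge, and each account in its compromised list should be forced through MFA or a password reset.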
How Multi-Factor Authentication (MFA) Stops Credential Stuffing
The best way to prevent credential stuffing attacks is to use Multi-Factor Authentication (MFA) for each online account. MFA adds an extra layer of security by requiring another piece of information (such as a code sent via text message or email) in addition to the password. This way, even if an attacker has the password, they will not be able to log in without the second factor.
Some tips for using MFA include:
- Choose a reliable and secure MFA provider or app like Rublon MFA
- Enable MFA for all services and accounts that support it
- Use different MFA methods for different accounts (such as Mobile Push for VPNs and FIDO security key for Remote Desktop (RDP) connections)
- Keep your software updated across all devices. This includes your operating system, browsers, email clients, and more
How Rublon MFA Helps Stop Credential Stuffing Attacks
To protect your online accounts from credential stuffing attacks, you need a strong and reliable solution like Rublon MFA. Rublon MFA is a Multi-Factor Authentication (MFA) solution that adds an extra layer of security to your logins. It requires you to provide at least two proofs of identity, such as a password and a Mobile Push notification, to verify your identity. Rublon MFA works with various technologies, such as cloud apps, VPNs, servers, and Microsoft technologies. It also supports different authentication methods, such as SMS Passcode, QR Code, FIDO Security Key, and more. With Rublon MFA, you can prevent hackers from accessing your accounts even if they have your passwords. Rublon MFA is easy to use, affordable, and compliant with the latest security standards.
Try Rublon MFA for free today and see how it can help you against credential stuffing attacks.
Conclusion
Credential stuffing is a common and dangerous cyberattack that can compromise your online accounts and data. To protect yourself from credential stuffing attacks, you should use strong and unique passwords for each online account, enable MFA whenever possible, watch out for any signs of an attack, and act quickly if you are affected. By following the tips in this article, you can reduce your risk of becoming a victim of credential stuffing attacks. You can also enjoy a safer and more secure online experience.