Credential stuffing is a cyberattack in which user credentials, typically obtained from stolen data or a data breach, are used to log in to other accounts.
For example, an attacker who has obtained your Facebook login information then uses those credentials to try to access your other online accounts, such as Snapchat, Twitter, LinkedIn, etc.
Over the last few years, credential stuffing has been on the rise because data breaches have become common and expose hundreds of millions of user credentials annually. Compromised credentials are always in high demand, which is why they are traded and sold on the black market.
Compared with other forms of cyberattack that have a better success ratio, credential stuffing isn’t as effective per attempt as it seems. Statistically, an individual credential stuffing attempt has a low chance of success.
If an attacker attempts to crack a thousand accounts, the success ratio is only 0.1%. This means that out of a thousand accounts, they will succeed only once. However, hackers don’t buy a thousand credentials. They buy millions or billions, so even at that rate the number of accounts they compromise is much higher.
At the same time, modern bots have never been more effective. With a single bot able to work through hundreds of thousands of accounts, it takes only seconds or minutes to gain access to an account.
During an attack, the only signal a victimized company might get is an increase in its overall volume of login attempts. Even this might not raise alarms, since the bots spread the attack across many IP addresses and their behavior often mimics human behavior, so the traffic looks natural.
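The detection problem described above (a rise in overall login volume that is spread thin across many IP addresses) can be illustrated with a small aggregate-window detector. This is an added example, not code from the original article; the log events, window size and thresholds are constructed assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample login events (timestamp, source IP, username, outcome).
# Bucket 1 is ordinary traffic from one office IP with a few typos; bucket 2
# is a distributed credential-stuffing burst: many IPs, one attempt per
# leaked username, mostly failures. Not real log data.
def make_sample_events():
    t0 = datetime(2024, 3, 1, 10, 0, 0)
    events = [(t0 + timedelta(seconds=20 * i), "198.51.100.7",
               f"user{i % 3}", "FAIL" if i % 4 == 0 else "OK") for i in range(12)]
    t1 = t0 + timedelta(minutes=10)
    events += [(t1 + timedelta(seconds=i), f"203.0.113.{i % 25 + 1}",
                f"victim{i}", "OK" if i % 15 == 0 else "FAIL") for i in range(60)]
    return events

def window_stats(events, window_minutes=5):
    """Aggregate events into fixed windows; returns {window_start: metrics}."""
    buckets = defaultdict(list)
    for ts, ip, user, outcome in events:
        start = ts.replace(minute=ts.minute // window_minutes * window_minutes,
                           second=0, microsecond=0)
        buckets[start].append((ip, user, outcome))
    stats = {}
    for start, rows in sorted(buckets.items()):
        per_ip = defaultdict(int)
        for ip, _, _ in rows:
            per_ip[ip] += 1
        stats[start] = {
            "attempts": len(rows),
            "fail_ratio": sum(o == "FAIL" for _, _, o in rows) / len(rows),
            "distinct_ips": len(per_ip),
            "distinct_users": len({u for _, u, _ in rows}),
            "max_attempts_per_ip": max(per_ip.values()),
        }
    return stats

def flag_stuffing(stats, min_attempts=30, min_fail_ratio=0.5, min_user_spread=0.8):
    """Flag windows whose aggregate shape matches credential stuffing: enough
    volume, a high failure ratio, and attempts spread over many distinct
    usernames. Per-IP rate is deliberately not a criterion, because the
    attack is spread thin across many addresses (see max_attempts_per_ip)."""
    return [start for start, s in stats.items()
            if s["attempts"] >= min_attempts
            and s["fail_ratio"] >= min_fail_ratio
            and s["distinct_users"] / s["attempts"] >= min_user_spread]

if __name__ == "__main__":
    print("flagged windows:", flag_stuffing(window_stats(make_sample_events())))
```

Note that the attack window's busiest source IP makes only 3 attempts, fewer than the single office IP in the normal window, which is why a per-IP rate limit alone would miss it.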
What makes credential stuffing attacks effective is that humans often prefer to remember their passwords, and therefore, they use the same password on multiple platforms.
Internet users maintain dozens of online accounts, and each of them should be protected with a unique password. Remembering many passwords is a challenge, which is why password managers such as Dashlane and 1Password exist to make your life easier. The way these work is that you remember one master password to unlock a “vault”, and once you log in, their plugins (available for both phones and computers) fill in the login for you. You can also enable two-factor authentication.
Companies play a significant role in preventing credential stuffing and any other form of cyberattack. While this may seem easy, it is much more complicated for companies that operate authentication services.
While a company can advise its users to choose unique passwords, it cannot enforce this as a rule. However, companies can habitually remind their users, perhaps once a month, to update their password; some companies go as far as forcing the update at a regularly scheduled interval. If a user does not update their password, measures can be put in place so that after a few days the user must choose a new password.
At the same time, features like two-factor authentication have proven to be effective. With 2FA in place, a code is sent to the user (or a push notification is made via an app) whenever a login attempt is made that has not yet been authenticated.
The most effective defense against credential stuffing is a bot management service. These services use an IP reputation database to filter out malicious bots before they can make login attempts, without stopping legitimate logins.