#Article

Credential Stuffing: What it is and How to Fight it


Credential Stuffing: What it is and How to Fight it

Even if your company hasn’t been breached, failing to protect customers against fraudulent logins through credential stuffing may drive them away.

What happens when customers insist that their accounts have been compromised, but you know you haven't experienced a data breach?

Blame credential stuffing. In this type of fraud scheme, hackers purchase stolen login credentials, then use them to access accounts across multiple online services.

Case management software can help you respond faster and investigate more effectively when you're hit with cyber attacks. Find out more in our free eBook.

What is Credential Stuffing?

In a nutshell, credential stuffing occurs when a hacker uses large lists of usernames and passwords stolen from one source to gain access to accounts on other sites. Because many internet users repeat login credentials across multiple websites, this is a low-risk, high-reward scheme for fraudsters.

Where do Hackers Get the Credentials?

Fraudsters purchase lists of millions of known login credentials obtained by breaching a (usually low-profile) website. Alternately, they may obtain the list of logins through a phishing scheme. They then use those credentials to attempt to access online services that hold more sensitive information, such as banking and social media.

Unfortunately, it's not just recent data breaches you have to worry about. Because many people don't change their password often, hackers can use older lists of known credentials. In addition, password reuse means criminals can use the same credentials to take over accounts on multiple websites.

RELATED: 11 Expert Tips for Data Breach Prevention in 2020

How is an Attack Carried Out?

Because they're working with millions of credentials, fraudsters don't have time to manually enter them all into multiple websites. Instead, they use automated credential stuffing tools.

These tools use proxies to make the login attempts appear to come from various IP addresses and browsers. They're designed to look and act like real users, making credential stuffing difficult to detect.

Download our data theft prevention checklist to make sure you're taking the necessary steps to protect your organization's sensitive information.

How to Protect Your Company from Credential Stuffing

According to Akamai's State of the Internet report, "credential stuffing isn't going anywhere," so companies should "make the process of obtaining credentials as difficult as possible." To do so, take the following measures:

  • Use mandatory multi-factor identification for login. If that's too disruptive, allow users to opt in and turn it on manually for users that exhibit risk factors of fraud.
  • Check if emails associated with accounts on your site were breached. If so, require those users to reset their passwords.
  • Check if any employees' work emails were compromised by setting an alert for your company's domain name on Have I Been Pwned.
  • Encourage employees and customers to practice good password hygiene (e.g. change passwords often, vary passwords across websites, use strong passwords), including using password managers.
  • Track logins, then block IP addresses where fraudulent logins originate.
  • If your users are located primarily in one location, set geofences to block proxy traffic that comes from other regions.

RELATED: How to Report a Data Breach: 5 Critical Steps

Taking steps to recognize fraudulent logins and account takeover not only protects the data you hold, but also your reputation. If customers don't feel their sensitive information is safe, they'll take their business elsewhere.