Credential stuffing is a popular type of cyberattack. It is the automated injection of breached username and password combinations in order to fraudulently gain access to user accounts.
Hackers want into your servers. You want to keep them out. You use a sophisticated password process, including a requirement for frequent credential changes. It seems like a foolproof system, but it comes with one major flaw.
If people reuse passwords (and many of us do), you could be open to a devastating attack.
More than 15 billion stolen credentials are available on black markets today, and often hackers don't even need to pay for them. Such a database may already contain the username and password of one of your employees. With a little further probing, they could spot where that password is reused and take over.
Credential stuffing attacks are devastating. But they can be prevented.
How a Credential Stuffing Attack Works
Credential stuffing starts with stolen username/password pairs. A hacker loads the data into a bot and launches an attack to determine whether the same combinations open any other servers.
Every attack is different, but most follow this step-by-step plan:
- Discovery: A hacker finds a cache of username/password combinations exposed via some other attack.
- Modelling: The hacker runs a few tests to see if these combinations work on other websites.
- Large-scale work: The hacker uses tools to launch an attack against a server. All the stolen pieces come in as a flood of login attempts. If even one works, the hacker has access.
- Theft: The hacker looks for anything of value within the account, such as credit card numbers, Social Security numbers, and other login data.
- Ransom: The hacker points out the theft to the company and demands payment to give access back.
Credential stuffing is a form of brute-force attack. Only one or two of the hacker's name/password combinations may actually work, but every one of them is thrown at the server.
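As an added defender-side example (not from the original article), the Python below runs over a constructed authentication log and separates the "flood of login attempts" described above from a classic single-account brute force: a stuffing run spreads its attempts across many different usernames, so the detector counts distinct accounts per source IP in a sliding window and reports any account that logged in successfully during such a burst. The log format and the thresholds are assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample authentication log (not from the page), one event per line:
# "<ISO timestamp> <source IP> <username> <OK|FAIL>"
SAMPLE_LOG = """\
2024-03-01T10:00:01 203.0.113.7 alice FAIL
2024-03-01T10:00:02 203.0.113.7 bob FAIL
2024-03-01T10:00:02 203.0.113.7 carol FAIL
2024-03-01T10:00:03 203.0.113.7 dave FAIL
2024-03-01T10:00:03 203.0.113.7 erin OK
2024-03-01T10:00:05 198.51.100.9 alice FAIL
2024-03-01T10:00:06 198.51.100.9 alice FAIL
2024-03-01T10:00:07 198.51.100.9 alice FAIL
2024-03-01T10:00:08 198.51.100.9 alice FAIL
2024-03-01T10:00:09 198.51.100.9 alice FAIL
2024-03-01T10:05:00 192.0.2.44 grace OK
"""

def parse_log(text):
    events = []
    for line in text.splitlines():
        if line.strip():
            ts, ip, user, result = line.split()
            events.append((datetime.fromisoformat(ts), ip, user, result))
    return sorted(events)

def classify_sources(events, window=timedelta(seconds=60), min_attempts=5, min_users=5):
    """Label each source IP by its worst sliding window; return (labels, accounts
    that succeeded inside a stuffing burst).  A stuffing run tries many *different*
    accounts about once each, so the tell is distinct usernames per window, not the
    raw attempt count that a single-account brute force shows."""
    by_ip = defaultdict(list)
    for ev in events:
        by_ip[ev[1]].append(ev)
    labels, compromised = {}, set()
    for ip, evs in by_ip.items():
        label, start = "normal", 0
        for end in range(len(evs)):
            while evs[end][0] - evs[start][0] > window:  # shrink window from the left
                start += 1
            win = evs[start:end + 1]
            if len({e[2] for e in win}) >= min_users:
                label = "credential_stuffing"
                compromised |= {e[2] for e in win if e[3] == "OK"}
            elif len(win) >= min_attempts and label == "normal":
                label = "password_brute_force"
        labels[ip] = label
    return labels, compromised
```

Accounts in the returned `compromised` set are the ones to force a password reset and second-factor check on, since a success inside a stuffing burst is a likely takeover rather than a legitimate login.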
Can You Prevent Credential Stuffing?
No company wants data exposed. But preventing credential stuffing attacks means asking for help from both developers and users. You must work in partnership to ensure that hackers don't get a toehold in the company's server.
Employees, users, and others with server passwords must:
- Craft unique passwords. Reusing a password, even once, means exposing your servers to risk. It's difficult to remember dozens of unique credentials, but a password manager can help you both create and store them.
- Change passwords often. Cycle through passwords frequently, and change them in meaningful ways. Don't just shift one letter or number; change the whole password.
- Turn on two-factor authentication. Get a notification on your phone or another connected device whenever someone attempts to log in with your details. This one small step can keep hackers out, and you may discover just how many people are trying to use your credentials.
At the enterprise level, companies can: