What is Credential Stuffing?

What is Credential Stuffing?

A credential stuffing attack is when a cybercriminal uses a set of credentials to attempt to gain access to several accounts at once. Credential stuffing is so effective because nearly two-thirds of internet users reuse their passwords. Cybercriminals enter the stolen credentials into thousands of websites over the course of a few minutes or several hours, compromising everything from social media accounts to proprietary company software and beyond.

Credential Stuffing vs. Password Spraying

Password spraying works by taking a verified username and plugging it into several accounts in combination with several different common passwords. If a user doesn’t practice good password habits, most or all of their accounts can be jeopardised by guessing common passwords.

A credential stuffing attack depends on the reuse of passwords. With so many people reusing their passwords for multiple accounts, just one set of credentials is enough to expose most or all of their accounts. Cybercriminals utilise things like BotNets to execute multi-front attacks across multiple devices, expanding their attack capabilities with just one set of credentials.

When an attacker is successful in a credential stuffing attack, they can potentially take control of your bank information, social media accounts and more. This can lead to outright theft of money or other assets, extortion or identity.

How to Detect Credential Stuffing Attacks

Detecting a password spray attack early on can give you ample time to react and protect your accounts. Here’s how:

For Personal Users:

Detecting a credential stuffing attack can be as simple as requiring 2FA/MFA verification for every account. That will give you a warning if your accounts might be being tampered with, and requires an extra set of credentials to login to the account.

BreachWatch® is also an identity protection tool that monitors the dark web for breached accounts and alerts you instantly if any stolen credentials match yours.

For Business Users:

  • Anomaly detectors for traffic with bots. These tools help detect anomalies from incoming web traffic and notify you of incoming bots. Credential stuffing depends on autonomous bots that can quickly plug in credentials, so detecting them can lead to early action.
  • Regularly scanning breach databases for shared logins. Performing regular system maintenance that includes scanning databases can provide early warning and perhaps mitigate the damages caused by a data breach.
  • Use device and browser fingerprinting. Biometric credentials make for strong, unique logins. Combining a password with a biometric credential can make an account 10x stronger.
  • Monitoring VPNs.
  • BreachWatch for Business. BreachWatch is also a powerful business dark web monitoring tool that constantly scans employees’ Keeper Vaults for passwords that have been exposed. It immediately alerts you to take action and protect your organisation.

How to Prevent Credential Stuffing Attacks

Preventing Credential Stuffing as a User

  • Use 2FA/MFA whenever possible
  • Educate yourself about password security
  • Use a password manager like Keeper to auto-generate strong, random passwords and secure login credentials
  • Don't reuse passwords
  • Use complex security questions alongside solid login credentials

Preventing Credential Stuffing as a Business

  • Implement 2FA/MFA for all company accounts
  • Use CAPTCHAs for login pages
  • Improve company-wide education about passwords and cybersecurity
  • Enact strict cybersecurity policies
  • Limit traffic from Autonomous System Numbers
  • Use a Web Application Firewall (WAF)
  • Limit authentication requests/login attempts using IP Block-listing
  • Keep a running list/block of known bad IPs from web info/history
  • Use BreachWatch for your business

Examples of Credential Stuffing

Dunkin Donuts Credential Stuffing Attack

The popular food chain Dunkin' Donuts was the victim of a credential stuffing attack twice, which exposed personal information such as phone numbers, email addresses, and account numbers.

Nintendo Credential Stuffing Attack

In March 2020, thousands of users reported unauthorised logins to their Nintendo accounts, which resulted in compromised accounts, including personal information such as email addresses, names and more. Nintendo reports that those credentials were stolen either via credential stuffing, phishing, or a combination of both.

Zoom Credential Stuffing Attack

The rise of Zoom during the pandemic created a huge demand for video conferencing services, but it also exposed those services’ users to potential cyberattacks. Zoom, one of the largest services on the market, experienced several cybersecurity problems, including "Zoom Bombing", where uninvited users enter and "crash" Zoom meetings.

More than 500,000 usernames and passwords for Zoom were bought and sold on the dark web. The credentials were confirmed accounts from credential stuffing attacks, not a data breach on Zooms end.

The company reported that thousands of credentials were exposed, and it’s believed that these credentials were exposed from hacking other companies, making this attack a prime example of credential stuffing.

Beware of Credential Stuffing

Credential stuffing attacks can put personal and business data at serious risk. After learning how to detect them, you can take the necessary steps to protect yourself.

close
close
English (UK) Call Us