A credential stuffing attack is when a cybercriminal uses a set of credentials to attempt to gain access to several accounts at once. Credential stuffing is so effective because nearly two-thirds of internet users reuse their passwords. Cybercriminals enter the stolen credentials into thousands of websites over the course of a few minutes or several hours, compromising everything from social media accounts to proprietary company software and beyond.
Password spraying works by taking a verified username and plugging it into several accounts in combination with several different common passwords. If a user doesn’t practice good password habits, most or all of their accounts can be jeopardized by an attacker guessing common passwords.
A credential stuffing attack depends on the reuse of passwords. With so many people reusing their passwords for multiple accounts, just one set of credentials is enough to expose most or all of their accounts. Cybercriminals use botnets to execute multi-front attacks across multiple devices, expanding their attack capabilities with just one set of credentials.
When an attacker is successful in a credential stuffing attack, they can potentially take control of your bank information, social media accounts and more. This can lead to outright theft of money or other assets, extortion or identity.
Detecting a password spray attack early on can give you ample time to react and protect your accounts. Here’s how:
Detecting a credential stuffing attack can be as simple as requiring 2FA/MFA verification for every account. That will give you a warning if someone may be tampering with your accounts, and it requires an extra set of credentials to log in to the account.
BreachWatch® is also an identity protection tool that monitors the dark web for breached accounts and alerts you instantly if any stolen credentials match yours.
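On the service side, the same pattern can be spotted in login logs: one source trying many different usernames in a short time, with most attempts failing. The following sketch is an added example, not code from this page or from any product named on it; the event fields, thresholds, and sample data are assumptions constructed for illustration.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

WINDOW = timedelta(minutes=5)  # assumed look-back window
MIN_USERNAMES = 5              # assumed: distinct usernames tried by one source
MIN_FAILURE_RATIO = 0.8        # assumed: share of those attempts that failed

# Constructed events: (ISO timestamp, source IP, username, login succeeded)
SAMPLE_EVENTS = [
    ("2024-01-01T10:00:00", "198.51.100.7", "alice", False),
    ("2024-01-01T10:00:05", "198.51.100.7", "bob", False),
    ("2024-01-01T10:00:10", "198.51.100.7", "carol", False),
    ("2024-01-01T10:00:15", "198.51.100.7", "dave", False),
    ("2024-01-01T10:00:20", "198.51.100.7", "erin", False),
    ("2024-01-01T10:00:25", "198.51.100.7", "frank", True),   # reused password
    ("2024-01-01T10:02:00", "203.0.113.20", "grace", False),  # user mistyping
    ("2024-01-01T10:02:20", "203.0.113.20", "grace", False),
    ("2024-01-01T10:02:45", "203.0.113.20", "grace", True),
]

def find_stuffing_sources(events, window=WINDOW):
    """Map each flagged source IP to the usernames it tried while flagged."""
    recent = defaultdict(deque)  # source -> attempts still inside the window
    flagged = defaultdict(set)
    for ts, source, username, ok in sorted(events):
        now = datetime.fromisoformat(ts)
        attempts = recent[source]
        attempts.append((now, username, ok))
        while now - attempts[0][0] > window:  # drop attempts older than window
            attempts.popleft()
        usernames = {u for _, u, _ in attempts}
        failures = sum(1 for _, _, succeeded in attempts if not succeeded)
        if (len(usernames) >= MIN_USERNAMES
                and failures / len(attempts) >= MIN_FAILURE_RATIO):
            flagged[source] |= usernames
    return {source: sorted(users) for source, users in flagged.items()}

def accounts_to_reset(events, flagged_sources):
    """Accounts a flagged source logged in to successfully."""
    return sorted({u for _, src, u, ok in events if ok and src in flagged_sources})

if __name__ == "__main__":
    flagged = find_stuffing_sources(SAMPLE_EVENTS)
    print(flagged, accounts_to_reset(SAMPLE_EVENTS, flagged))
```

Counting per source IP will not catch attempts spread thinly across a botnet, so the same window logic is also worth running over site-wide failed-login counts.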
The popular food chain Dunkin' Donuts was the victim of a credential stuffing attack twice, which exposed personal information such as phone numbers, email addresses, and account numbers.
In March 2020, thousands of users reported unauthorized logins to their Nintendo accounts, which resulted in compromised accounts, including personal information such as email addresses, names and more. Nintendo reports that those credentials were stolen either via credential stuffing, phishing, or a combination of both.
The rise of Zoom during the pandemic created a huge demand for video conferencing services, but it also exposed those services’ users to potential cyberattacks. Zoom, one of the largest services on the market, experienced several cybersecurity problems, including "Zoom Bombing", where uninvited users enter and "crash" Zoom meetings.
More than 500,000 usernames and passwords for Zoom were bought and sold on the dark web. The credentials were confirmed to be accounts obtained through credential stuffing attacks, not a data breach on Zoom's end.
The company reported that thousands of credentials were exposed, and it’s believed that these credentials were exposed from hacking other companies, making this attack a prime example of credential stuffing.
Credential stuffing attacks can put personal and business data at serious risk. After learning how to detect them, you can take the necessary steps to protect yourself.