Learn to Understand, Detect, and Protect against Credential Stuffing Attacks
Credential stuffing attacks can put personal and business data at serious risk. Here, we’ll take a closer look at credential stuffing attacks, how to detect them, how to protect against them and why they’re such a threat to both businesses and individuals.
In a credential stuffing attack, a cybercriminal uses a set of stolen credentials to attempt to gain access to several accounts at once. Credential stuffing is so effective because nearly two-thirds of internet users reuse their passwords. Cybercriminals enter the stolen credentials into thousands of websites over the course of a few minutes or several hours, compromising everything from social media accounts to proprietary company software and beyond.
A credential stuffing attack depends on the reuse of passwords. With so many people reusing their passwords for multiple accounts, just one set of credentials is enough to expose most or all of their accounts. Cybercriminals use botnets to run multi-front attacks across multiple devices, expanding their attack capabilities with just one set of credentials.
It’s estimated that about 80% of all data breaches are linked to compromised passwords, which begs the question: why are so many people still using one password for their accounts?
When an attacker is successful in a credential stuffing attack, they can potentially take control of a user’s bank information, social media accounts and more. This can lead to outright theft of money or other assets, extortion or identity theft.
Credential stuffing and password spraying are similar, but password spraying depends on a username rather than a full set of credentials. Password spraying involves taking a verified username and plugging it into several accounts in combination with several different common passwords. If a user doesn’t practice good password habits, most or all of their accounts can be jeopardized by guessing common passwords.
Detecting a password spray attack early on can give you ample time to react and protect your accounts. Here’s how:
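One way to spot both patterns in login telemetry, as an added example that is not from the original page: it groups one time window of login events by source address and separates the many-usernames, one-try-each shape of credential stuffing from repeated guessing against a single username. The event tuple format, the thresholds and the function name are assumptions, and the sample events are constructed.

```python
from collections import defaultdict

# Assumed thresholds for one time window (tune against your own baseline).
STUFFING_MIN_USERS = 5     # distinct usernames tried from one source
STUFFING_MIN_FAIL_RATIO = 0.8
GUESSING_MIN_FAILS = 5     # failed logins against a single username

# Constructed sample events for one window: (source_ip, username, success).
SAMPLE_EVENTS = (
    [("203.0.113.7", f"user{i}", False) for i in range(9)]
    + [("203.0.113.7", "dana", True)]
    + [("198.51.100.4", "alice", False)] * 6
    + [("192.0.2.10", "bob", False), ("192.0.2.10", "bob", True)]
)


def classify_sources(events):
    """Return {source_ip: (verdict, accounts_to_review)} for one window."""
    # source_ip -> username -> [failed_count, success_count]
    per_ip = defaultdict(lambda: defaultdict(lambda: [0, 0]))
    for ip, user, ok in events:
        per_ip[ip][user][1 if ok else 0] += 1

    results = {}
    for ip, users in per_ip.items():
        fails = sum(f for f, _ in users.values())
        total = fails + sum(s for _, s in users.values())
        worst_user_fails = max(f for f, _ in users.values())
        if (len(users) >= STUFFING_MIN_USERS
                and fails / total >= STUFFING_MIN_FAIL_RATIO
                and worst_user_fails <= 2):
            # Many usernames, about one try each: replayed credential pairs.
            verdict = "credential-stuffing"
        elif worst_user_fails >= GUESSING_MIN_FAILS:
            # One username, many passwords: repeated guessing.
            verdict = "repeated-guessing"
        else:
            verdict = "normal"
        # A success from a flagged source means that password worked: force a
        # reset and review the session. Typos by real users stay unflagged.
        hits = sorted(u for u, (_, s) in users.items() if s) if verdict != "normal" else []
        results[ip] = (verdict, hits)
    return results


if __name__ == "__main__":
    for ip, (verdict, hits) in classify_sources(SAMPLE_EVENTS).items():
        print(ip, verdict, hits)
```

Because botnets spread attempts over many addresses, the same grouping is worth repeating on other keys your logs carry, such as network range or client fingerprint.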
The popular food chain Dunkin’ Donuts was the victim of a credential stuffing attack on its rewards program, which exposed personal information such as phone numbers, email addresses, and account numbers.
The company reported that thousands of credentials were exposed, and it’s believed that these credentials were originally exposed through hacks of other companies, making this attack a prime example of credential stuffing.
In March 2020, thousands of users reported unauthorized logins to their Nintendo accounts, which resulted in compromised accounts, including personal information such as email addresses, names and more. Nintendo reports that those credentials were stolen either via credential stuffing, phishing, or a combination of both.
The rise of Zoom during the pandemic has created a huge demand for video conferencing services, but it’s also exposed those services’ users to potential cyber attacks. Zoom, one of the largest services on the market, has experienced several cybersecurity problems, including “Zoom Bombing”, where uninvited users enter and “crash” Zoom meetings.
More than 500,000 usernames and passwords for Zoom are confirmed to have been bought and sold on the dark web. However, these are confirmed accounts from credential stuffing attacks, not a data breach on Zoom’s end. While Zoom is working hard to address security issues, it’s still important to change up your passwords and use 2FA for any video conferencing software.