What Is Credential Stuffing?
Credential stuffing is a type of cyberattack in which attackers take stolen account credentials, typically lists of usernames or email addresses paired with the passwords leaked alongside them in a data breach, and replay them in large-scale automated login requests against other web applications. The attack works because people reuse passwords: a password breached on one service is often still valid on several others, so the attacker never has to guess anything.
Here's how it works:
- A user's login name and password are stolen in a data breach or bought on dark web marketplaces, usually as part of a list holding millions of such username/password pairs.
- An automated bot "stuffs" those pairs into the login form of a target site, typically one attempt per account, and often spread across many IP addresses (proxies or a botnet) so that no single source trips a rate limit.
- Every pair that is accepted is a hijacked account. The goal is to find as many accounts as possible, on as many other services as possible, where the reused password still works; even a success rate well below one percent pays off at the volume these bots run.
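The shape just described (many distinct accounts, one or two attempts each, a low success rate, usually from automation) is also what distinguishes credential stuffing from classic brute force in authentication logs. The Python script below is an added example, not code from the original article: it parses a constructed sample log, groups attempts by source IP, classifies each source, and adds a fleet-wide signal (accounts that fail exactly once) that still fires when the attacker spreads the traffic over many IPs. The log format, the field names and the thresholds are assumptions to be tuned to a real site's normal login volume.

```python
"""Spot the credential-stuffing pattern in authentication logs.

Brute force: many password guesses against one account.
Credential stuffing: one attempt each against many distinct accounts,
automated, with a low success rate, often spread over many source IPs.
"""
from collections import Counter, defaultdict
from dataclasses import dataclass, field

# Constructed sample log for this example; the "timestamp ip user outcome"
# layout is an assumption, not any particular product's log format.
SAMPLE_LOG = """\
2024-03-01T10:00:01Z 203.0.113.7 alice FAIL
2024-03-01T10:00:01Z 203.0.113.7 bob FAIL
2024-03-01T10:00:02Z 203.0.113.7 carol SUCCESS
2024-03-01T10:00:02Z 203.0.113.7 dave FAIL
2024-03-01T10:00:02Z 203.0.113.7 erin FAIL
2024-03-01T10:00:03Z 203.0.113.7 frank FAIL
2024-03-01T10:00:03Z 203.0.113.7 grace FAIL
2024-03-01T10:00:03Z 203.0.113.7 heidi FAIL
2024-03-01T10:00:04Z 203.0.113.7 ivan FAIL
2024-03-01T10:00:04Z 203.0.113.7 judy FAIL
2024-03-01T10:05:00Z 198.51.100.9 mallory FAIL
2024-03-01T10:05:01Z 198.51.100.9 mallory FAIL
2024-03-01T10:05:02Z 198.51.100.9 mallory FAIL
2024-03-01T10:05:03Z 198.51.100.9 mallory FAIL
2024-03-01T10:05:04Z 198.51.100.9 mallory FAIL
2024-03-01T10:05:05Z 198.51.100.9 mallory FAIL
2024-03-01T10:05:06Z 198.51.100.9 mallory FAIL
2024-03-01T10:05:07Z 198.51.100.9 mallory FAIL
2024-03-01T10:05:08Z 198.51.100.9 mallory FAIL
2024-03-01T10:05:09Z 198.51.100.9 mallory FAIL
2024-03-01T10:10:00Z 192.0.2.15 alice SUCCESS
2024-03-01T10:11:00Z 192.0.2.15 alice FAIL
2024-03-01T10:11:05Z 192.0.2.15 alice SUCCESS
"""

# Assumed thresholds; tune to the site's normal per-source login volume.
MIN_ATTEMPTS = 10        # below this, a source is too small to judge
DISTINCT_USER_RATIO = 0.8  # distinct accounts / attempts that marks stuffing


@dataclass
class SourceStats:
    attempts: int = 0
    successes: int = 0
    users: set = field(default_factory=set)


def parse_log(text):
    """Return (timestamp, ip, user, succeeded) tuples, skipping blank lines."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, ip, user, outcome = line.split()
        events.append((ts, ip, user, outcome == "SUCCESS"))
    return events


def summarize_by_source(events):
    stats = defaultdict(SourceStats)
    for _, ip, user, ok in events:
        s = stats[ip]
        s.attempts += 1
        s.successes += int(ok)
        s.users.add(user)
    return stats


def classify_source(s):
    """Label one source IP by the shape of its login attempts."""
    if s.attempts < MIN_ATTEMPTS:
        return "normal"
    if len(s.users) / s.attempts >= DISTINCT_USER_RATIO:
        return "credential_stuffing"   # a new account on nearly every attempt
    if len(s.users) <= 2:
        return "brute_force"           # many guesses, one or two accounts
    return "suspicious"


def detect(text):
    """Map each source IP in the log to its classification."""
    return {ip: classify_source(s) for ip, s in summarize_by_source(parse_log(text)).items()}


def compromised_accounts(text):
    """Accounts that logged in successfully from a source flagged as stuffing.
    These are the low-percentage 'hits' the attacker is after and the ones to reset."""
    hits = set()
    flagged = {ip for ip, label in detect(text).items() if label == "credential_stuffing"}
    for _, ip, user, ok in parse_log(text):
        if ok and ip in flagged:
            hits.add(user)
    return hits


def single_failure_accounts(events):
    """Count accounts with exactly one failed login in the window.

    Distributed stuffing hides from the per-IP view because each proxy sends
    only a handful of attempts; fleet-wide, it still shows up as a spike in
    accounts that fail exactly once, compared with the site's usual baseline.
    """
    failures = Counter(user for _, _, user, ok in events if not ok)
    return sum(1 for n in failures.values() if n == 1)


if __name__ == "__main__":
    for ip, label in detect(SAMPLE_LOG).items():
        print(f"{ip:<14} {label}")
    print("accounts to reset:", sorted(compromised_accounts(SAMPLE_LOG)))
    print("single-failure accounts:", single_failure_accounts(parse_log(SAMPLE_LOG)))
```

Run against the sample, 203.0.113.7 is labelled as stuffing (ten attempts, ten different accounts, one hit), 198.51.100.9 as brute force (ten attempts, one account), and 192.0.2.15 as normal user behaviour. The per-IP view is only the first layer: because real campaigns rotate through proxy pools, the fleet-wide single-failure count (or the overall failure rate) compared against a learned baseline is what catches the distributed case.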
To give an idea of how serious and effective these kinds of attacks can be, here are some real-world examples of credential stuffing attacks:
- Ticketfly (2018): The Ticketfly platform fell victim to a credential stuffing attack, leading to the exposure of the data of 27 million accounts.
- Starling Bank (2019): Criminals tried to access accounts using leaked username/password data, with a success rate of 0.23%. Small as that percentage sounds, at the volume of a stuffing campaign it is substantial: 0.23% of a million attempts is 2,300 compromised accounts, which translates into significant financial loss and reputational damage.
- State Farm (2019): An attacker used login credentials from the dark web to break into millions of State Farm customer accounts.
- Zoom (2020): Attackers replayed passwords leaked in older, unrelated breaches against Zoom logins at scale; the working Zoom credentials were then offered for sale on criminal forums, which is how the campaign came to light.
- Spotify (2021): Roughly one hundred thousand Spotify accounts were compromised in a credential stuffing attack.
- Jason's Deli (2023): The US restaurant chain warned its online customers that their personal data had been exposed in a credential stuffing attack. More than 340,000 customers were affected.
- 23andMe (2023): The genetic testing and genealogy service confirmed that a credential stuffing attack had compromised the data of 6.9 million users. Attackers logged directly into only about 14,000 accounts with reused passwords; the far larger number came from using those accounts' DNA Relatives feature to scrape data on other users, showing how a stuffed login can expose data well beyond the account itself.
These examples highlight the importance of strong, unique passwords and of two-factor authentication wherever it is offered. The following steps reduce the risk of falling victim to credential stuffing:
- Use two-factor authentication (2FA): This adds a second layer by requiring not only a username and password but also something only the user has, such as an authenticator app or a hardware security key. A stolen password alone is then not enough to log in. App- or key-based factors are preferable to SMS codes, which can be intercepted or redirected.
- Set strong and unique passwords: Reuse is exactly what credential stuffing exploits, so each account should have its own password; a breach of one site then cannot be replayed against another. Longer passphrases are better than short ones padded with symbols.
- Use a password manager: It generates and stores a different complex password for every site, removing the temptation to reuse one you can remember.
- Install software updates: Keeping your software current closes known vulnerabilities that attackers could exploit to steal or bypass credentials.
- Install antivirus software: It helps protect your device from credential-stealing malware, one of the sources of the lists that feed these attacks.
- Stay educated on emerging cyber threats: Knowing how attacks such as credential stuffing work, and checking whether your credentials have appeared in a known breach, helps you change passwords before they are replayed against you.
Although no defense is perfect, these steps can significantly reduce your risk of falling victim to a credential stuffing attack.