Credential stuffing is a type of brute force cyberattack which uses automation in an effort to gain unauthorized access to systems around the world…and it all starts with a simple data breach.
Data from One Breach Poses Risks to Additional Systems
An alarming number (almost half) of people use the same or similar password across multiple sites and services. Because of this, cybercriminals will go to great lengths to obtain users' data such as logins and passwords. Hackers might steal the information themselves or buy it through any one of many online black markets. Purchasing a list of credentials is actually relatively easy and inexpensive, if you know where to look, and those lists can include hundreds of millions or even billions of credentials.
It is undeniable that human error, ignorance, arrogance, and/or apathy is a key contributor to cyber heists. The reality is most people are unfamiliar with the capabilities that criminals gain once they have access to the target's login credentials. A majority of the users involved in data breaches are unaware that the breach has even occurred. Even with everything in the news about major breaches, many simply do not care enough to do something as simple as change their passwords once they are aware of a breach.
How Hackers Leverage Technology for Credential Stuffing
Once login information is obtained, a tactic called credential stuffing can be carried out. Botnets are used to carry out automated logins through one or many networks. Newly acquired credentials are continuously fed into the automated system in an effort to log in successfully to a restricted platform.
The automation part of this type of cyberattack is necessary for a number of reasons. Hackers are not going to repeatedly type in millions of usernames and passwords. Also, even relatively immature cybersecurity programs are going to alert on a large number of failed login attempts coming from a single IP address.
So, credential stuffing requires an advanced system to set up proxy servers, randomize login attempts, and do its best to imitate normal human behavior in an attempt to blend in with normal login attempts and failures coming in from real human beings. Skilled hackers will build their own systems either from scratch or by bridging together and modifying other existing systems out there. Successful credential stuffing attacks do not require a skilled hacker, though, as those relatively inept cybercriminals known as script kiddies can buy and make use of systems from the dark web.
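From the defender's side, the two patterns described above (many failures from one address, and attempts spread thinly across proxies) can be checked against authentication logs. The following is an added example, not part of the original article; the event format, function names, and thresholds are assumptions, and the log events are constructed sample data.

```python
from collections import defaultdict

def sample_events():
    """Constructed login events: (epoch_seconds, source_ip, username, success)."""
    events = [(1000 + i, "203.0.113.5", f"user{i}", False) for i in range(30)]
    # A real user mistyping a password twice, then succeeding.
    events += [(1500, "192.0.2.10", "alice", False),
               (1510, "192.0.2.10", "alice", False),
               (1520, "192.0.2.10", "alice", True)]
    # 40 proxy IPs, two usernames each; one attempt succeeds.
    for i in range(40):
        ip = f"198.51.100.{i}"
        events.append((2000 + i, ip, f"acct{2 * i}", False))
        events.append((2000 + i, ip, f"acct{2 * i + 1}", i == 7))
    return events

def detect(events, window=300, per_ip_users=10, spread_users=50, fail_ratio=0.9):
    """Flag credential-stuffing patterns per time window (thresholds are assumptions)."""
    buckets = defaultdict(list)
    for ts, ip, user, ok in events:
        buckets[ts // window].append((ip, user, ok))
    findings = []
    for b in sorted(buckets):
        rows = buckets[b]
        failed_by_ip = defaultdict(set)
        for ip, user, ok in rows:
            if not ok:
                failed_by_ip[ip].add(user)
        # Pattern 1: one address failing against many different usernames.
        noisy = sorted(ip for ip, users in failed_by_ip.items()
                       if len(users) >= per_ip_users)
        findings += [("single_source", b * window, ip) for ip in noisy]
        # Pattern 2: per-IP counts look normal, but the window as a whole
        # shows many distinct usernames failing at a very high rate.
        rest = [r for r in rows if r[0] not in noisy]
        failed_users = {user for _, user, ok in rest if not ok}
        failures = sum(1 for r in rest if not r[2])
        if len(failed_users) >= spread_users and failures / len(rest) >= fail_ratio:
            # Successful logins inside a flagged window are candidates for
            # a forced password reset, since a stuffed credential may have hit.
            hits = sorted(user for _, user, ok in rest if ok)
            findings.append(("distributed", b * window, hits))
    return findings

if __name__ == "__main__":
    for finding in detect(sample_events()):
        print(finding)
```

The ordinary user who fails twice and then succeeds is not flagged, because the checks count distinct usernames per window rather than raw failure totals.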
If the login is successful, attackers will then have access to any of the information that is contained in the account. Organizations are at risk of having sensitive employee and client information accessed as well as intellectual property and financial data. Individuals can be affected as their personal information, including Social Security numbers, addresses, health records, banking information and more, is accessed, whether through a breach of an organization or of their personal accounts.
Preventing the Threat of Credential Stuffing
Researchers estimate that credential stuffing attacks are successful less than 2% of the time. Don’t be fooled by the seemingly low success rate, though. Since databases can contain login information of millions of users, even 1% is viewed as a solid success rate.
At the end of the day, it is up to the company and their employees' willingness, attentiveness, and dedication to keep their data safe. There are platforms that can help organizations lower the chances of a breach due to such a cyberattack. One solution would be This method of proactive detection and protection inserts a company's domain into our proprietary system. That system scours the clear and dark net for the domain and will alert us when it is contained in a list related to a data breach, amongst other indicators.