You probably know about phishing, now learn more about the newest potential online threat — credential stuffing.
With people and businesses spending even more time online, the potential for one weak link to cause a cyber headache has increased even further.
Many attacks come from the keyboards of lazy hackers, who simply try to exploit holes that could easily be closed through better education and basic security practices.
Phishing attacks are a great example of one of these lazy techniques, which continue to be prevalent despite greater public awareness.
In addition to phishing, there is another technique that has become one of the biggest abusers of lax security: credential stuffing.
So, what is credential stuffing?
Credential stuffing attacks automate large-scale attempted logins using account information sourced from previous breaches. The idea is that most people (probably even you) reuse the same email and password combination across multiple sites. This is backed up by research showing that 71 percent of accounts use the same passwords for multiple websites.
Some people will regularly check websites like Have I Been Pwned to see if their credentials have been breached. Many people won’t, and so will be unaware that their details are available to anyone interested. And with approximately 360 breaches in the past five years, leading to 3 billion accounts and 550 million unique passwords leaked, there’s a good chance they have been the victim of a breach.
One of the most recent high-profile credential stuffing attacks was seen when Disney+ launched, resulting in thousands of users being locked out of their accounts. Within just days, lists were available online for people to buy and gain access to cheap subscriptions. For Disney, that meant hundreds of negative headlines accompanying the launch of its new streaming service. Luckily, Disney had the worldwide phenomenon of Baby Yoda to win back consumer love, but that’s not a luxury most companies will have in similar attacks.
How to not get stuffed
One of the most important steps when preventing these attacks is education. Sophisticated hackers will often find a way to succeed, but everyone can make it a lot harder to do so.
Encouraging a higher level of digital hygiene amongst users will reduce the threat. Encourage the use of a new password for every account, as well as the use of password managers, which generate unique, complex passwords and store them for the user's convenience.
Security teams can do more on the technical side. Ensure detection tools and processes are in place to identify possible credential stuffing attacks early in the authentication process. Check your login data for anomalies that signal an attack is underway. Further measures, such as mandatory multi-factor authentication, will also help encourage smarter security habits from users.
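As an added example (not from the original article), here is the kind of anomaly check on login data that the paragraph above describes: it reads a constructed, made-up authentication log, and flags any source address that tries many distinct usernames with a low success rate inside one time window, the signature that distinguishes credential stuffing from a single-account brute force. The log format, IP addresses (documentation ranges) and thresholds are all assumptions for the example.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample auth log (not from any real system); one event per line.
SAMPLE_LOG = """\
2024-03-01T10:00:00Z src=203.0.113.5 user=alice result=FAIL
2024-03-01T10:00:01Z src=203.0.113.5 user=bob result=FAIL
2024-03-01T10:00:02Z src=203.0.113.5 user=carol result=FAIL
2024-03-01T10:00:03Z src=203.0.113.5 user=dave result=OK
2024-03-01T10:00:04Z src=203.0.113.5 user=erin result=FAIL
2024-03-01T10:00:05Z src=203.0.113.5 user=frank result=FAIL
2024-03-01T10:00:10Z src=198.51.100.7 user=alice result=FAIL
2024-03-01T10:00:11Z src=198.51.100.7 user=alice result=FAIL
2024-03-01T10:00:12Z src=198.51.100.7 user=alice result=OK
2024-03-01T10:05:00Z src=192.0.2.9 user=bob result=OK
"""

def parse_line(line):  # 'TS src=IP user=NAME result=OK|FAIL' -> dict
    ts, src, user, result = line.split()
    kv = lambda tok: tok.split("=", 1)[1]
    return {"ts": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"),
            "src": kv(src), "user": kv(user), "ok": kv(result) == "OK"}

def find_stuffing_sources(log_text, window=timedelta(minutes=5),
                          min_attempts=5, min_users=5, max_success=0.2):
    """Flag source IPs whose logins look like credential stuffing: many attempts
    against many DISTINCT usernames with a low success rate inside one time
    window. A single-account brute force (one user, many tries) is a different
    signal and is not matched. hit_users = accounts needing a forced reset."""
    by_src = defaultdict(list)
    for ev in map(parse_line, log_text.strip().splitlines()):
        by_src[ev["src"]].append(ev)
    flagged = {}
    for src, evs in by_src.items():
        evs.sort(key=lambda e: e["ts"])
        start = 0
        for end in range(len(evs)):  # sliding time window over this source
            while evs[end]["ts"] - evs[start]["ts"] > window:
                start += 1
            win = evs[start:end + 1]
            users = {e["user"] for e in win}
            oks = sum(e["ok"] for e in win)
            if (len(win) >= min_attempts and len(users) >= min_users
                    and oks / len(win) <= max_success
                    and len(win) > flagged.get(src, {}).get("attempts", 0)):
                flagged[src] = {"attempts": len(win), "distinct_users": len(users),
                                "successes": oks,
                                "hit_users": sorted({e["user"] for e in win if e["ok"]})}
    return flagged
```

In the sample, only 203.0.113.5 is flagged; the repeated attempts on `alice` from 198.51.100.7 are a different pattern (single-account brute force) and the lone success from 192.0.2.9 is normal traffic. The `hit_users` list is the action item: those accounts were breached with reused passwords and need a forced reset.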
Ultimately, credential stuffing is only as dangerous as you let it be. Take the correct steps and you can tell the hackers to get stuffed.